! Virtual-AP, AAA and SSID profiles for the lab WLANs (employee, guest, internal),
! as pasted from the controller configuration. Line breaks restored; no value changed.
!
! Each virtual AP binds one AAA profile to one SSID profile. All three use
! forward-mode bridge.
! NOTE(review): with bridge forwarding, confirm where the role ACLs listed further
! down this page are actually enforced.
! NOTE(review): blacklist-time 0 - confirm what a zero value means on this software
! release (timer disabled vs. indefinite quarantine) before relying on it.
wlan virtual-ap "LAB_EMPLOYEE_VAP"
    aaa-profile "LAB_EMPLOYEE_AAA"
    ssid-profile "LAB_EMPLOYEE_SSID"
    forward-mode bridge
    band-steering
    no broadcast-filter arp
    blacklist-time 0
!
wlan virtual-ap "LAB_GUEST_VAP"
    aaa-profile "LAB_GUEST-AAA"
    ssid-profile "LAB_GUEST-SSID"
    forward-mode bridge
    band-steering
    no broadcast-filter arp
    blacklist-time 0
!
wlan virtual-ap "LAB_INTERNAL_VAP"
    aaa-profile "LAB_INTERNAL_AAA"
    ssid-profile "LAB_INTERNAL_SSID"
    forward-mode bridge
    band-steering
    no broadcast-filter arp
    blacklist-time 0
!
! Employee AAA profile: 802.1X and RADIUS accounting against server group CPPM;
! rfc-3576-server names 10.1.254.10 as the dynamic-authorization (CoA) server.
! initial-role CLEARPASS-BYODLOGIN-ROLE carries a captive-portal profile in the
! role listing on this page.
! NOTE(review): dot1x-default-role CLEARPASS-BYOD-ROLE lists VENDOR-ACL at position 3
! ahead of "Clearpass BYOD" at position 4. VENDOR-ACL ends with "any any any permit",
! so if session ACLs are matched first-hit in position order (presumably - confirm),
! the 10/8, 172.16/12 and 192.168/16 deny rules in "Clearpass BYOD" are never reached
! and only the local-nets deny in VENDOR-ACL limits internal access.
! NOTE(review): mac-default-role CLEARPASS-LIMITEDCORP-ROLE resolves to the allowall
! ACL in the role listing on this page. No authentication-mac profile is named in this
! stanza, so whether MAC authentication is active cannot be told from here; if it is,
! a MAC address alone (an identifier, not a credential) yields an unrestricted role.
aaa profile "LAB_EMPLOYEE_AAA"
    initial-role "CLEARPASS-BYODLOGIN-ROLE"
    mac-default-role "CLEARPASS-LIMITEDCORP-ROLE"
    mac-server-group "CPPM"
    authentication-dot1x "LAB_CLEARPASS_EMP_CORP_dot1x"
    dot1x-default-role "VENDOR-ROLE"
    dot1x-server-group "CPPM"
    radius-accounting "CPPM"
    radius-interim-accounting
    rfc-3576-server "10.1.254.10"
!
! Guest AAA profile: same initial role, MAC default role, server group and dot1x
! profile (LAB_CLEARPASS_EMP_CORP_dot1x) as the employee WLAN; only the
! dot1x-default-role differs (VENDOR-ROLE, whose VENDOR-ACL denies local-nets with
! logging and then permits everything else).
! NOTE(review): the SSID profile paired with this AAA profile uses a pre-shared key
! (opmode wpa2-psk-aes). Confirm that reusing the employee dot1x profile and the
! unrestricted mac-default-role on a guest WLAN is intended.
aaa profile "LAB_GUEST-AAA"
    initial-role "CLEARPASS-BYODLOGIN-ROLE"
    mac-default-role "CLEARPASS-LIMITEDCORP-ROLE"
    mac-server-group "CPPM"
    authentication-dot1x "LAB_CLEARPASS_EMP_CORP_dot1x"
    dot1x-default-role "VENDOR-ROLE"
    dot1x-server-group "CPPM"
    radius-accounting "CPPM"
    radius-interim-accounting
    rfc-3576-server "10.1.254.10"
!
! Internal AAA profile: identical to the two above except for
! dot1x-default-role CLEARPASS-CORP-ROLE, which resolves to the allowall ACL in the
! role listing on this page.
! NOTE(review): LAB_INTERNAL_SSID is a pre-shared-key SSID. If completing the PSK
! handshake is what places a client in the dot1x-default-role (presumably - confirm
! on the controller), every holder of the shared passphrase receives the unrestricted
! CLEARPASS-CORP-ROLE without a per-user identity.
aaa profile "LAB_INTERNAL_AAA"
    initial-role "CLEARPASS-BYODLOGIN-ROLE"
    mac-default-role "CLEARPASS-LIMITEDCORP-ROLE"
    mac-server-group "CPPM"
    authentication-dot1x "LAB_CLEARPASS_EMP_CORP_dot1x"
    dot1x-default-role "CLEARPASS-CORP-ROLE"
    dot1x-server-group "CPPM"
    radius-accounting "CPPM"
    radius-interim-accounting
    rfc-3576-server "10.1.254.10"
!
! Employee SSID: opmode wpa2-aes, with no passphrase in the stanza; the auth trace at
! the end of this page shows an EAP exchange followed by the WPA2 key handshake.
! The wmm-*-dscp lines set DSCP values per WMM access category.
wlan ssid-profile "LAB_EMPLOYEE_SSID"
    essid "LAB-EMPLOYEE"
    opmode wpa2-aes
    max-retries 20
    wmm-vo-dscp "56"
    wmm-vi-dscp "40"
    wmm-be-dscp "24"
    wmm-bk-dscp "8"
!
! Guest SSID: opmode wpa2-psk-aes with a shared passphrase.
! The hex string after wpa-passphrase is the form the controller printed (presumably
! its encrypted/obfuscated stored value, not the cleartext). Treat it as a secret all
! the same: redact it before sharing a configuration, and rotate the passphrase once
! the stored value has been published.
wlan ssid-profile "LAB_GUEST-SSID"
    essid "LAB-GUEST"
    opmode wpa2-psk-aes
    max-retries 20
    wmm-vo-dscp "56"
    wmm-vi-dscp "40"
    wmm-be-dscp "24"
    wmm-bk-dscp "8"
    wpa-passphrase ef6ad46cee49a37d945c70874354d700bb8c5abfbc228e33
!
! Internal SSID: opmode wpa2-psk-aes with a shared passphrase.
! The virtual AP on this page pairs it with LAB_INTERNAL_AAA, whose
! dot1x-default-role CLEARPASS-CORP-ROLE resolves to the allowall ACL in the role
! listing below.
! NOTE(review): confirm which role a PSK client ends up in; if it is the
! dot1x-default-role, the passphrase is the only control in front of an unrestricted role.
! The hex string after wpa-passphrase is the form the controller printed (presumably
! its encrypted/obfuscated stored value). Redact it before sharing a configuration and
! rotate the passphrase once the stored value has been published.
wlan ssid-profile "LAB_INTERNAL_SSID"
    essid "LAB-INTERNAL"
    opmode wpa2-psk-aes
    max-retries 20
    wmm-vo-dscp "56"
    wmm-vi-dscp "40"
    wmm-be-dscp "24"
    wmm-bk-dscp "8"
    wpa-passphrase 3c9b0070564a22f0c426ce254aa6354572785b9114d6df18
!
! From here on the page is controller CLI output (per-role rights listing, presumably
! from "show rights"), reproduced with line breaks restored only.
Derived Role = 'CLEARPASS-BYODLOGIN-ROLE'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 86/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Captive Portal profile = CLEARPASS-BYODLOGIN-PORTAL

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-CLEARPASS-BYODLOGIN-ROLE-sacl session
3 Clearpass-BYODLOGIN-Portal session
4 Clearpass-CaptivePortalLogin session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------

apprf-CLEARPASS-BYODLOGIN-ROLE-sacl
-----------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------

Clearpass-BYODLOGIN-Portal
--------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- -----
--- ----- --------- ------ ------- ------------- ------ -------- 1 any 10.75.93.254 svc-dhcp permit Low 4 2 any CONTROLLERS udp 67 permit Low 4 3 any CONTROLLERS udp 53 permit Low 4 4 any local-nets any deny Yes Low 4 Clearpass-CaptivePortalLogin ---------------------------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 user any udp 68 deny Low 4 2 any any svc-dns permit Low 4 3 any any svc-dhcp permit Low 4 4 any 169.254.0.0 255.255.0.0 any deny Low 4 5 any 240.0.0.0 240.0.0.0 any deny Low 4 6 any 10.1.254.10 svc-https permit Low 4 7 any 10.1.254.10 svc-http permit Low 4 8 user localip svc-https dst-nat 8081 Low 4 9 any any svc-http dst-nat 8080 Low 4 10 any any svc-https dst-nat 8081 Low 4 11 any any svc-http-proxy1 dst-nat 8088 Low 4 12 any any svc-http-proxy2 dst-nat 8088 Low 4 13 any any svc-http-proxy3 dst-nat 8088 Low 4 Expired Policies (due to time constraints) = 0 Derived Role = 'CLEARPASS-LIMITEDCORP-ROLE' Up BW:No Limit Down BW:No Limit L2TP Pool = default-l2tp-pool PPTP Pool = default-pptp-pool Periodic reauthentication: Disabled DPI Classification: Enabled Web Content Classification: Enabled ACL Number = 87/0 Max Sessions = 65535 Check CP Profile for Accounting = TRUE Application Exception List -------------------------- Name Type ---- ---- Application BW-Contract List ---------------------------- Name Type BW Contract Id Direction ---- ---- ----------- -- --------- access-list List ---------------- Position Name Type Location -------- ---- ---- -------- 1 global-sacl session 2 apprf-CLEARPASS-LIMITEDCORP-ROLE-sacl session 3 allowall session global-sacl ----------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 
Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- apprf-CLEARPASS-LIMITEDCORP-ROLE-sacl ------------------------------------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- allowall -------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 any any any permit Low 4 2 any any any-v6 permit Low 6 Expired Policies (due to time constraints) = 0 Derived Role = 'CLEARPASS-BYOD-ROLE' Up BW:No Limit Down BW:No Limit L2TP Pool = default-l2tp-pool PPTP Pool = default-pptp-pool Assigned VLAN = 427 Periodic reauthentication: Disabled DPI Classification: Enabled Web Content Classification: Enabled ACL Number = 80/0 Max Sessions = 65535 Check CP Profile for Accounting = TRUE Application Exception List -------------------------- Name Type ---- ---- Application BW-Contract List ---------------------------- Name Type BW Contract Id Direction ---- ---- ----------- -- --------- access-list List ---------------- Position Name Type Location -------- ---- ---- -------- 1 global-sacl session 2 apprf-CLEARPASS-BYOD-ROLE-sacl session 3 VENDOR-ACL session 4 Clearpass BYOD session global-sacl ----------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 
apprf-CLEARPASS-BYOD-ROLE-sacl ------------------------------ Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- VENDOR-ACL ---------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 any any svc-icmp permit Low 4 2 any CONTROLLERS udp 67 permit Low 4 3 any CONTROLLERS udp 53 permit Low 4 4 any local-nets any deny Yes Low 4 5 any any any permit Low 4 Clearpass BYOD -------------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 any any svc-dns permit Low 4 2 any any svc-dhcp permit Low 4 3 any 10.7.3.228 svc-http permit Low 4 4 any 10.7.3.228 svc-https permit Low 4 5 any 10.0.0.0 255.0.0.0 any deny Low 4 6 any 172.16.0.0 255.240.0.0 any deny Low 4 7 any 192.168.0.0 255.255.0.0 any deny Low 4 8 any any any permit Low 4 Expired Policies (due to time constraints) = 0 Derived Role = 'VENDOR-ROLE' Up BW:No Limit Down BW:No Limit L2TP Pool = default-l2tp-pool PPTP Pool = default-pptp-pool Periodic reauthentication: Disabled DPI Classification: Enabled Web Content Classification: Enabled ACL Number = 89/0 Max Sessions = 65535 Check CP Profile for Accounting = TRUE Application Exception List -------------------------- Name Type ---- ---- Application BW-Contract List ---------------------------- Name Type BW Contract Id Direction ---- ---- 
----------- -- --------- access-list List ---------------- Position Name Type Location -------- ---- ---- -------- 1 global-sacl session 2 apprf-VENDOR-ROLE-sacl session 3 VENDOR-ACL session global-sacl ----------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- apprf-VENDOR-ROLE-sacl ---------------------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- VENDOR-ACL ---------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 any any svc-icmp permit Low 4 2 any CONTROLLERS udp 67 permit Low 4 3 any CONTROLLERS udp 53 permit Low 4 4 any local-nets any deny Yes Low 4 5 any any any permit Low 4 Expired Policies (due to time constraints) = 0 Derived Role = 'CLEARPASS-CORP-ROLE' Up BW:No Limit Down BW:No Limit L2TP Pool = default-l2tp-pool PPTP Pool = default-pptp-pool Periodic reauthentication: Disabled DPI Classification: Enabled Web Content Classification: Enabled ACL Number = 83/0 Max Sessions = 65535 Check CP Profile for Accounting = TRUE Application Exception List -------------------------- Name Type ---- ---- Application BW-Contract List ---------------------------- Name Type BW Contract Id Direction ---- ---- ----------- -- --------- access-list List ---------------- Position Name Type Location -------- ---- ---- -------- 1 
global-sacl session 2 apprf-CLEARPASS-CORP-ROLE-sacl session 3 allowall session global-sacl ----------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- apprf-CLEARPASS-CORP-ROLE-sacl ------------------------------ Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- allowall -------- Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract -------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ -------- 1 any any any permit Low 4 2 any any any-v6 permit Low 6 Expired Policies (due to time constraints) = 0 show auth-tracebuf Auth Trace Buffer ----------------- Aug 21 13:09:20 station-down * c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:01 - - Aug 21 13:09:21 station-up * c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - - wpa2 aes Aug 21 13:09:21 eap-id-req <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 1 5 Aug 21 13:09:21 eap-id-resp -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 1 13 gibbonr1 Aug 21 13:09:21 rad-req -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 9 216 Aug 21 13:09:21 rad-resp <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 9 88 Aug 21 13:09:21 eap-req <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 2 6 Aug 21 13:09:21 eap-resp -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 2 236 Aug 21 13:09:21 rad-req -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 10 481 Aug 21 13:09:21 rad-resp <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 10 240 Aug 21 13:09:21 
eap-req <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 3 158 Aug 21 13:09:21 eap-resp -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 3 65 Aug 21 13:09:21 rad-req -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 11 310 Aug 21 13:09:21 rad-resp <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 11 125 Aug 21 13:09:21 eap-req <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 4 43 Aug 21 13:09:21 eap-resp -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 4 80 Aug 21 13:09:21 rad-req -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 12 325 Aug 21 13:09:21 rad-accept <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10/CPPM-radius 12 255 Aug 21 13:09:21 eap-success <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 4 4 Aug 21 13:09:21 assg-vlan-req * c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 1 427 new vlan: dot1x for remote user Aug 21 13:09:21 wpa2-key1 <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - 117 Aug 21 13:09:21 wpa2-key2 -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - 117 Aug 21 13:09:21 wpa2-key3 <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - 151 Aug 21 13:09:21 wpa2-key4 -> c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - 95 Aug 21 13:09:21 rem-ap-setkey <- c8:19:f7:0b:6e:24 ac:a3:1e:b3:f7:10 - 16 wpa2 aes