bld-wc5760-c1a#sh run
Building configuration...

Current configuration : 24367 bytes
!
! Last configuration change at 21:23:42 UTC Mon Feb 2 2015 by ss4897
! NVRAM config last updated at 21:16:25 UTC Mon Feb 2 2015 by ss4897
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
no service dhcp
!
hostname bld-wc5760-c1a
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 1024000 notifications

!
username test privilege 15 password 7 1403171818

aaa new-model
!
!
aaa group server radius BLUEWIRELESS-RADIUS
 server name WLAN-BLUE-RADIUS-1
!
aaa group server radius BlueClearPass-RADIUS
 server name Clearpass1
 server name Clearpass2
 subscriber mac-filtering security-mode mac
!
aaa authentication attempts login 5
aaa authentication fail-message ^CFailed login. Five consecutive fails will revoke.^C
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x IBM-DOT1X-AUTH group BLUEWIRELESS-RADIUS
aaa authentication dot1x Clearpass-AUTH group BlueClearPass-RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa authorization network NET-AUTH group BlueClearPass-RADIUS
aaa authorization credential-download default group radius group BlueClearPass-RADIUS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
no aaa accounting system guarantee-first
!
!
!
!
!
!
aaa session-id common
switch 1 provision air-ct5760-6
switch 2 provision air-ct5760-6
!
!
!
!
!
no ip source-route
!
no ip domain-lookup
ip domain-name ibm.com
ip name-server 9.0.2.1
ip name-server 9.0.4.11
ip dhcp snooping vlan 2101-2500
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping
!
!
vtp domain bld
vtp mode transparent
access-session mac-move deny
!
flow monitor wireless-avc-basic
 record wireless avc basic
!
!
crypto pki trustpoint TP-self-signed-3946280018
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3946280018
 revocation-check none
 rsakeypair TP-self-signed-3946280018
!
!
crypto pki certificate chain TP-self-signed-3946280018
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393436 32383030 3138301E 170D3130 30333034 31353134
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39343632
  38303031 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100991E 43D24C60 6457BEDF 83FC8C6C 0EF40C83 14B770DB 56C27C83 A1016CD0
  531DC128 2DFDD8A7 7813B010 7DA6B2CE 6D488CCE 42B87BD9 A5FDC0BB 30360477
  3186CBDC 8B9B7AFA 3110BB1B E54601BE 71EBC0BA C85E5DC2 380EBC88 35E1A5F7
  6E50B293 37A7DF5C B9E0B835 B6D44639 698C58BE 00A2F058 B55F5E3B 03D6A723
  EF3B0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A436F6E 74726F6C 6C657230 1F060355 1D230418 30168014
  500C9917 5A693167 D344C995 74E1E5EC 67519EBD 301D0603 551D0E04 16041450
  0C99175A 693167D3 44C99574 E1E5EC67 519EBD30 0D06092A 864886F7 0D010104
  05000381 81003BB0 DF763BA9 B820003B 04CFADDB 18FDF8BC FA65DC86 14307EAD
  49948891 95B79A32 9F36E961 9FF54DEF 841B4358 913FB470 18A5CF16 7407C6CA
  8E9FCAEB CD6BBCDE BE726FCB 8627011F 76B904A8 66EE8D50 550A285F C6AD5C73
  E755CD6F CED70D98 473FDF2C 9DD8A323 78B75499 20A61DED A6DE195C 6CF810D8
  E62BC279 41F1
        quit
dot1x system-auth-control
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause loopback
errdisable recovery interval 180
diagnostic bootup level minimal
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1901-4070 priority 16384
spanning-tree vlan 1901-4070 forward-time 6
spanning-tree vlan 1901-4070 max-age 8
hw-switch switch 1 logging onboard message level 3
hw-switch switch 2 logging onboard message level 3
!
redundancy
 mode sso
!
!
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 158.87.126.41
 redirect for-login https://158.87.126.41/guest/cisco.php
 redirect on-failure https://158.87.126.41/guest/cisco.php
!
vlan group COC-BLD5760-IOS-B1 vlan-list 2101-2102
vlan group COC-BLD5760-IOS-Y1 vlan-list 2201-2202
vlan group COC-BLD5760-IOS-Y2 vlan-list 2241-2242
!
vlan 2101
 name blue-wireless
!
vlan 2102
 name blue-wireless1
!
vlan 2201
 name Ylow-pub-wireless
!
vlan 2202
 name Ylow-pub-wireless1
!
vlan 2241
 name Ylow-Mob-wireless
!
vlan 2242
 name Ylow-Mob-wireless1
!
vlan 4022
 name vWD6a-WLC/blue-wlc/transport
!
vlan 4094
 name vWD6a/Null
lldp run
cdp timer 10
cdp holdtime 30
!
ip tcp path-mtu-discovery
ip ftp source-interface Vlan4022
ip tftp source-interface Vlan4022
ip ssh version 2
ip ssh dscp 18
!
class-map match-any cm_dscp_capwap_class3
 match ip dscp af21  af41  ef
class-map match-any AutoQos-4.0-RT1-Class
 match dscp ef
 match dscp cs6
class-map match-any cm_dscp_capwap_class2
 match ip dscp af31  cs6
class-map match-any AutoQos-4.0-RT2-Class
 match dscp cs4
 match dscp cs3
 match dscp af41
class-map match-any AutoQos-4.0-wlan-Voip-Signal-Class
 match dscp cs3
 match access-group name AutoQos-4.0-wlan-Acl-Signaling
class-map match-any AutoQos-4.0-wlan-Voip-Data-Class
 match dscp ef
class-map match-any AutoQos-4.0-wlan-Multimedia-Conf-Class
 match access-group name AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
class-map match-any AutoQos-4.0-wlan-Bulk-Data-Class
 match access-group name AutoQos-4.0-wlan-Acl-Bulk-Data
class-map match-any cm_dscp_att_ncp
 match ip dscp cs6  cs7
class-map match-any AutoQos-4.0-wlan-Scavanger-Class
 match access-group name AutoQos-4.0-wlan-Acl-Scavanger
class-map match-any AutoQos-4.0-wlan-Transaction-Class
 match access-group name AutoQos-4.0-wlan-Acl-Transactional-Data
class-map match-any non-client-nrt-class
class-map match-any cm_dscp_att_class2
 match ip dscp af31  af32
class-map match-any cm_dscp_att_class3
 match ip dscp af21  af22
class-map match-any cm_dscp_att_class1
 match ip dscp ef
!
!
policy-map pm_default_class
 class class-default
  set cos 0
  set dscp default
policy-map AutoQos-4.0-wlan-ET-Client-Input-Policy
 class AutoQos-4.0-wlan-Voip-Data-Class
  set dscp ef
 class AutoQos-4.0-wlan-Voip-Signal-Class
  set dscp cs3
 class AutoQos-4.0-wlan-Multimedia-Conf-Class
  set dscp af41
 class AutoQos-4.0-wlan-Transaction-Class
  set dscp af21
 class AutoQos-4.0-wlan-Bulk-Data-Class
  set dscp af11
 class AutoQos-4.0-wlan-Scavanger-Class
  set dscp cs1
 class class-default
  set dscp default
policy-map AutoQos-4.0-wlan-GT-SSID-Output-Policy
 class class-default
  shape average percent 100
  queue-buffers ratio 0
  set dscp default
policy-map AutoQos-4.0-wlan-GT-SSID-Input-Policy
 class class-default
  set dscp default
policy-map AutoQos-4.0-wlan-ET-SSID-Child-Policy
 class AutoQos-4.0-RT1-Class
  police cir percent 10
  priority level 1
 class AutoQos-4.0-RT2-Class
  police cir percent 20
  priority level 2
 class class-default
policy-map pm_att_queuing
 class cm_dscp_att_class1
  priority
 class cm_dscp_att_ncp
  bandwidth remaining percent 5
 class cm_dscp_att_class2
  bandwidth remaining percent 25
 class cm_dscp_att_class3
  bandwidth remaining percent 25
 class class-default
  bandwidth remaining percent 25
policy-map AutoQos-4.0-wlan-ET-SSID-Output-Policy
 class class-default
  shape average percent 100
  queue-buffers ratio 0
   service-policy AutoQos-4.0-wlan-ET-SSID-Child-Policy
policy-map pm_reclassify_dscp_capwap
 class cm_dscp_capwap_class2
  set cos 3
  set dscp af31
 class cm_dscp_capwap_class3
  set cos 2
  set dscp af21
 class class-default
  set cos 0
  set dscp default
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description bld/WLC1- vWD6a/trunk/bld-wc-c1a/5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 load-interval 60
 ip dhcp snooping trust
!
interface Port-channel2
 description bld/WLC2- vWD6a/trunk/bld-wc-c1a/5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 load-interval 60
 ip dhcp snooping trust
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 9.0.37.43 255.255.252.0
 negotiation auto
!
interface TenGigabitEthernet1/0/1
 description bld/WLC1.1- vWD6a/trunk/sms-wc-c1a/5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 logging event bundle-status
 load-interval 60
 udld port disable
 channel-group 1 mode active
 service-policy input pm_reclassify_dscp_capwap
 service-policy output pm_att_queuing
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/0/2
 description bld/WLC1.2- vWD6b/trunk/sms-wc-c1a</5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 logging event bundle-status
 load-interval 60
 udld port disable
 channel-group 1 mode active
 service-policy input pm_reclassify_dscp_capwap
 service-policy output pm_att_queuing
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/0/3
 shutdown
!
interface TenGigabitEthernet1/0/4
 shutdown
!
interface TenGigabitEthernet1/0/5
 shutdown
!
interface TenGigabitEthernet1/0/6
 shutdown
!
interface TenGigabitEthernet2/0/1
 description bld/WLC2.1- vWD6b/trunk/sms-wc-c1b/5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 logging event bundle-status
 load-interval 60
 udld port disable
 channel-group 2 mode active
 service-policy input pm_reclassify_dscp_capwap
 service-policy output pm_att_queuing
 ip dhcp snooping trust
!
interface TenGigabitEthernet2/0/2
 description bld/WLC2.2- vWD6b/trunk/sms-wc-c1b/5760 Controller
 switchport trunk allowed vlan 2101-2500,4022,4030
 switchport mode trunk
 ip dhcp relay information trusted
 logging event bundle-status
 load-interval 60
 udld port disable
 channel-group 2 mode active
 service-policy input pm_reclassify_dscp_capwap
 service-policy output pm_att_queuing
 ip dhcp snooping trust
!
interface TenGigabitEthernet2/0/3
 shutdown
!
interface TenGigabitEthernet2/0/4
 shutdown
!
interface TenGigabitEthernet2/0/5
 shutdown
!
interface TenGigabitEthernet2/0/6
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2201
 ip address 9.85.1.9 255.255.255.192
!
interface Vlan2202
 ip address 9.85.1.73 255.255.255.192
!
interface Vlan2241
 ip address 9.85.1.137 255.255.255.192
!
interface Vlan2242
 ip address 9.85.1.201 255.255.255.192
!
interface Vlan4022
 ip address 9.16.127.43 255.255.255.224
 load-interval 60
 arp timeout 420
!
ip default-gateway 9.16.127.33
ip forward-protocol nd
ip http server
ip http banner
ip http authentication local
ip http secure-server
ip http active-session-modules none
ip tacacs source-interface Vlan4022
!
ip access-list standard al_vty_access_aspr
 remark /**********************************************
 
!
ip access-list extended ACL-REDIRECT
 deny   ip any host 9.16.21.11
 deny   ip any host 9.16.21.12
 permit tcp any any
 deny   udp any any eq domain
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit udp any eq domain any log
 permit udp any any log

ip access-list extended Clearpass-access
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp any any eq domain
 permit ip 158.87.126.32 0.0.0.31 any
 permit ip any 158.87.126.32 0.0.0.31
 permit icmp any any
 deny   ip any any log
ip access-list extended GUEST
 permit udp any host 9.16.21.11 eq domain
 permit tcp any host 9.16.21.11 eq 443
 permit udp any host 9.16.21.12 eq domain
 permit tcp any host 9.16.21.12 eq 443
 deny   ip any 9.16.21.0 0.0.0.31
 permit ip any any
!
logging history notifications
logging trap notifications
logging source-interface Vlan4022
logging host 9.0.3.41
logging host 135.89.176.119
logging host 135.89.45.119

snmp ifmib ifindex persist
tacacs server primary
 address ipv4 9.0.4.33
 key 7 14341D28075733
 timeout 6
tacacs server secondary
 address ipv4 9.0.2.33
 key 7 02250B78005516
 timeout 6
!
radius server WLAN-BLUE-RADIUS-1
 address ipv4 9.17.28.12 auth-port 1812 acct-port 1813
 key 7 105C594916031719
!
radius server Clearpass1
 address ipv4 9.16.21.11 auth-port 1812 acct-port 1813
 key 7 105C594916031719
!
radius server Clearpass2
 address ipv4 9.16.21.12 auth-port 1812 acct-port 1813
 key 7 0214540B18120A33
!
!
banner exec ^C *** Cisco AIR-CT5760 / 14.1.0 / wlc-5760.txt *** ^C
banner login ^C
***********************************************************************
*  GTAC                                                               *
***********************************************************************
*  Warning Notice:                                                    *
*    This system is restricted solely to AT&T authorized users for    *
*    legitimate business purposes only. The actual or attempted       *
*    unauthorized access, use, or modification of this system is      *
*    strictly prohibited by AT&T. Unauthorized users are subject to   *
*    Company disciplinary proceedings and/or criminal and civil       *
*    penalties under state, federal, or other applicable domestic and *
*    foreign laws. The use of this system may be monitored and        *
*    recorded for administrative and security reasons. Anyone         *
*    accessing this system expressly consents to such monitoring and  *
*    is advised that if monitoring reveals possible evidence of       *
*    criminal activity, AT&T may provide the evidence of such         *
*    activity to law enforcement officials. All users must comply     *
*    with AT&T company policies regarding the protection of AT&T      *
*    information assets.                                              *
***********************************************************************
^C
!
line con 0
 session-timeout 15
 exec-timeout 15 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class al_vty_access_aspr in
 exec-timeout 15 0
 logging synchronous
 length 0
 transport input ssh
line vty 5 15
 session-timeout 15
 access-class al_vty_access_aspr in
 exec-timeout 15 0
 logging synchronous
 transport input ssh
!

wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
mac address-table move update transmit
!
wireless mobility group name AMER_US_SMS
wireless management interface Vlan4022
wireless client fast-ssid-change
wireless rf-network AMER_US_SMS
wlan IBM-WPA2 20 IBM-BLD5760
 band-select
 client vlan default-non-usable
 security dot1x authentication-list IBM-DOT1X-AUTH
 session-timeout 43200
 shutdown
wlan IBM7MOB-CoC 24 IBM7MOB-CoC
 shutdown
wlan IBM7PUB-CoC 23 IBM7PUB-CoC
 band-select
 client vlan default-non-usable
 no exclusionlist
 ip access-group web ACL-REDIRECT
 ip access-group GUEST
 mac-filtering NET-AUTH
 peer-blocking drop
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list Clearpass-AUTH
 no security ft over-the-ds
 security web-auth
 security web-auth authentication-list NET-AUTH
 security web-auth on-macfilter-failure
 security web-auth parameter-map global
 no shutdown
ap capwap priority
ap led
ap dot11 24ghz cleanair
ap dot11 24ghz beamforming
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M supported
ap dot11 24ghz rate RATE_9M supported
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M supported
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
ap dot11 5ghz rrm channel dca add 100
ap dot11 5ghz rrm channel dca add 104
ap dot11 5ghz rrm channel dca add 108
ap dot11 5ghz rrm channel dca add 112
ap dot11 5ghz rrm channel dca add 116
ap dot11 5ghz rrm channel dca add 132
ap dot11 5ghz rrm channel dca add 136
ap dot11 5ghz rrm channel dca add 140
ap dot11 5ghz rrm channel dca chan-width 80
ap dot11 5ghz cleanair
ap dot11 5ghz beamforming
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M supported
ap dot11 5ghz rate RATE_18M supported
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
ap group default-group
ap group AP-IBM
 description IBM_Data_group
 wlan IBM-WPA2
  vlan COC-BLD5760-IOS-B1
 wlan IBM7PUB-CoC
  vlan COC-BLD5760-IOS-Y1
 wlan IBM7MOB-CoC
  vlan COC-BLD5760-IOS-Y2
end