// Create an SSID Profile
// opmode wpa2-psk-aes: every client on this SSID shares the single passphrase set below.
// "Savetheturtles" is the author's sample value; replace it with your own long, random passphrase.
(A_RAK_Master) ^[mynode] (config) #wlan ssid-profile MAC-PSK-SSID
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #essid A-RAK_MAC-PSK
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #wpa-passphrase Savetheturtles
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #opmode wpa2-psk-aes
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #exit

// Create a MAC authentication profile. In my case I enter the MAC as aa:bb:cc:dd:ee:ff
// "delimiter colon" and "case lower" fix the format in which the client MAC is presented for
// authentication, so the entries in the authentication database must be stored in the same form.
// MAC authentication checks an address that the client itself supplies, so it is a device filter
// layered on top of the PSK rather than a strong identity check.
(A_RAK_Master) ^[mynode] (config) #aaa authentication mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #delimiter colon
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #case lower
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #exit

// Create the ACL for Initial Role
// Denies all traffic; this ACL backs the role used as "initial-role" in the AAA profile below.
(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any deny
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Map the ACL to the Initial Role
(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (config-submode)# access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Create the ACL for Default Role
// Permits all traffic; this ACL backs the role used as "mac-default-role" in the AAA profile below.
// NOTE(review): "any any any permit" leaves MAC-authenticated clients unrestricted; narrow it to the
// destinations these devices actually need.
(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any permit
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Map the ACL to the Default Role
(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-DEFAULT
(A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit

// If using the internal database on the controller to authenticate
// Create the AAA Server Group to point to the internal database
// The client MAC entries must already exist in the internal database; adding them is not shown in
// this listing.
(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #auth-server internal
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #exit

// If using ClearPass / any external server capable of MAC authentication
// Create the AAA Authentication server for ClearPass
// NOTE(review): the prompt on the first command shows Server Group "MAC-PSK-CLEARPASS", which is
// only created in the next step; the transcript is kept as captured.
// "key" is the RADIUS shared secret. The sample value differs from the WPA passphrase above only by
// case; use a separate, random secret that matches the one configured on the RADIUS server.
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #aaa authentication-server radius CLEARPASS
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #host 192.115.23.45
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #key savetheturtles
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #exit

// Create the Server Group to point to CLEARPASS
(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #auth-server CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #exit

// Create the AAA Profile and map the necessary profiles
// NOTE(review): mac-server-group below references MAC-PSK-SERVER-GROUP (the internal database).
// For the ClearPass variant it would presumably need to reference MAC-PSK-CLEARPASS instead; confirm.
(A_RAK_Master) ^[mynode] (config) #aaa profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #initial-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-default-role MAC-PSK-DEFAULT
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-dot1x default
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #exit

// Create the Virtual AP Profile, map the AAA and SSID profiles, and assign a VLAN
(A_RAK_Master) ^[mynode] (config) #wlan virtual-ap MAC-PSK
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #aaa-profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #ssid-profile MAC-PSK-SSID
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #vlan 5,1,8 // to map multiple VLANs, separate them with commas
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #exit

// Create an AP Group and map the Virtual AP Profile
(A_RAK_Master) ^[mynode] (config) #ap-group MAC-PSK
(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #virtual-ap MAC-PSK

// Save the Configuration
(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #write mem