! NOTE(review): Controller running-config as pasted, with one statement per line restored.
! Global identity settings, then the netservice table (named protocol/port aliases).
! A netservice line only defines a name; it has an effect only where an ACL references it.
version 6.1
hostname "TSA00974"
clock timezone 0
location "Building1.floor1"
controller config 196
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
! NOTE(review): Ethertype ACL with a single "permit any" rule, so no frame type is filtered here.
ip access-list eth validuserethacl
   permit any
!
! NOTE(review): Aliases for cleartext protocols (svc-telnet, svc-ftp, svc-pop3, svc-tftp,
! svc-snmp, svc-syslog, svc-http) are defined below. Check each ACL that references one of
! them; in this file svc-ftp, svc-tftp, svc-snmp, svc-syslog and svc-http are referenced.
netservice svc-pcoip2-tcp tcp 4172
netservice svc-netbios-dgm udp 138
netservice svc-snmp-trap udp 162
netservice svc-citrix tcp 2598
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-sec-papi udp 8209
netservice svc-sccp tcp 2000
netservice svc-telnet tcp 23
netservice svc-lpd tcp 515
netservice svc-netbios-ssn tcp 139
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-tftp udp 69
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-http-proxy3 tcp 8888
netservice svc-noe udp 32512
netservice svc-cfgm-tcp tcp 8211
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-rtsp tcp 554
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53
netservice svc-h323-udp udp 1718 1719
netservice svc-h323-tcp tcp 1720
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-http-proxy2 tcp 8080
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-microsoft-ds tcp 445
netservice svc-svp 119
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice svc-netbios-ns udp 137
netservice svc-sips tcp 5061
netservice svc-smb-udp udp 445
netservice svc-ipp-tcp tcp 631
netservice svc-esp 50
netservice svc-pcoip2-udp udp 4172
netservice svc-v6-dhcp udp 546 547
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ipp-udp udp 631
netservice svc-ssh tcp 22
! NOTE(review): Remaining netservice aliases, the two netdestination aliases (named host
! lists) and the first group of session ACLs. Session ACL rules read
! "<source> <destination> <service> <action>".
netservice svc-v6-icmp 58
netservice svc-http-proxy1 tcp 3128
netservice svc-vmware-rdp tcp 3389
! Single-host alias; referenced by the tsa-Proxy ACL.
netdestination "tsa internal proxy"
   host 192.168.75.100
!
! Ten-host alias; referenced by the tsaVirtual-Hosts ACL, which the pre-authentication
! role PRE-TsaOpen applies.
netdestination tsaVirtual-Hosts
   host 192.168.20.114
   host 192.168.20.130
   host 192.168.18.192
   host 192.168.18.193
   host 192.168.18.191
   host 192.168.18.194
   host 192.168.18.184
   host 192.168.18.135
   host 192.168.18.117
   host 192.168.18.183
!
netexthdr default
!
ip access-list session v6-icmp-acl
   ipv6 any any svc-v6-icmp permit
!
! Applied by user-role ap-role. The first rule drops user-sourced packets to UDP/68, the
! DHCP client port, which keeps a device in this role from answering as a DHCP server.
ip access-list session control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-papi permit
   any any svc-sec-papi permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
!
! NOTE(review): Permits NetBIOS/SMB to any destination. No user-role in this file
! references it; keep it that way for guest and logon roles.
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
!
! NOTE(review): Only link-local 169.254.0.0/16 sources are denied; every other IPv4 and
! IPv6 source is permitted. Presumably this ACL decides which source addresses may be
! entered in the user table; if so, limit it to the client subnets actually served.
! TODO confirm.
ip access-list session validuser
   network 169.254.0.0 255.255.0.0 any any deny
   any any any permit
   ipv6 any any any permit
!
ip access-list session v6-https-acl
   ipv6 any any svc-https permit
!
ip access-list session vocera-acl
   any any svc-vocera permit queue high
!
! Permits RDP and PCoIP to any destination with QoS marking (tos 46, dot1p-priority 6).
! Not referenced by any user-role in this file.
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session icmp-acl
   any any svc-icmp permit
!
ip access-list session v6-dhcp-acl
   ipv6 any any svc-v6-dhcp permit
!
! Captive-portal redirect: HTTP, HTTPS and the three proxy ports are destination-NATed to
! controller ports 8080, 8081 and 8088.
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
!
ip access-list session v6-dns-acl
   ipv6 any any svc-dns permit
!
! NOTE(review): Second group of session ACLs. Rules are evaluated top-down within a role,
! so the order in which a user-role lists these ACLs matters as much as their content.
! Permits all IPv4 and IPv6 traffic. Applied by the roles authenticated, default-vpn-role
! and default-via-role, so a client in any of those roles is unfiltered.
ip access-list session allowall
   any any any permit
   ipv6 any any any permit
!
! Explicit deny-and-log; used as the final ACL of role PRE-TsaOpen.
ip access-list session block-all
   any any any deny log
!
! NOTE(review): https-acl, http-acl and dns-acl permit their service to ANY destination.
! The guest roles (guest, TSAOpen-Guest) apply them with no preceding deny for internal
! address space, so guests can reach HTTP/HTTPS/DNS on internal hosts as well as the
! internet. Add a deny for internal networks ahead of these in the guest roles.
ip access-list session https-acl
   any any svc-https permit
!
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
!
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
!
! NOTE(review): Drops IPv6 router advertisements sent by users, but no user-role in this
! file applies it. Attaching it to the guest and logon roles would make it effective.
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session dns-acl
   any any svc-dns permit
!
! Permits HTTP, Citrix and ICA to 192.168.75.21 from any source; applied by the
! pre-authentication role PRE-TsaOpen.
ip access-list session tsaVirtual
   any host 192.168.75.21 svc-http permit
   any host 192.168.75.21 svc-citrix permit
   any host 192.168.75.21 svc-ica permit
!
ip access-list session v6-allowall
   ipv6 any any any permit
!
ip access-list session tftp-acl
   any any svc-tftp permit
!
ip access-list session skinny-acl
   any any svc-sccp permit queue high
!
ip access-list session srcnat
   user any any src-nat
!
! NOTE(review): Applied by role logon, i.e. before authentication. It lets unauthenticated
! clients send IKE/ESP/L2TP/PPTP/GRE to any destination. Drop it from the logon role if
! VPN-before-login is not a requirement.
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
!
! NOTE(review): Pre-authentication baseline. ICMP and DNS are permitted to any
! destination; restricting DNS to the site's own resolvers narrows what an unauthenticated
! client can reach.
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
!
ip access-list session allow-printservices
   any any svc-lpd permit
   any any svc-ipp-tcp permit
   any any svc-ipp-udp permit
!
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
!
ip access-list session v6-http-acl
   ipv6 any any svc-http permit
!
ip access-list session http-acl
   any any svc-http permit
!
ip access-list session dhcp-acl
   any any svc-dhcp permit
!
! IPv6 counterpart of the captive-portal redirect ACL.
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
!
! NOTE(review): Last group of session ACLs, the VPN dialer, and the first user-roles.
! A user-role is an ordered list of session ACLs; the first matching rule decides.
ip access-list session tsaVirtual-Hosts
   any alias tsaVirtual-Hosts svc-citrix permit
   any alias tsaVirtual-Hosts svc-ica permit
!
ip access-list session ap-uplink-acl
   any any udp 68 permit
   any any svc-icmp permit
   any host 224.0.0.251 udp 5353 permit
!
ip access-list session dynamic-session-acl
   any any any src-nat pool dynamic-srcnat
!
ip access-list session noe-acl
   any any svc-noe permit queue high
!
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
!
! NOTE(review): Applied by ap-role. GRE and syslog are permitted any-to-any, and FTP
! (cleartext) is permitted from the AP to the controller alias.
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
!
! Permits and logs TCP/8881 from users to the "tsa internal proxy" alias (192.168.75.100).
ip access-list session tsa-Proxy
   user alias "tsa internal proxy" tcp 8881 permit log
!
ip access-list session v6-logon-control
   ipv6 user any udp 68 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-v6-dhcp permit
   ipv6 any any svc-dns permit
!
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
!
! NOTE(review): The IKE pre-shared key value was left in the published paste, while other
! secrets in this file were replaced with "# Removed". It appears to be the controller's
! stored (encoded) form rather than plaintext, but it should still be treated as disclosed
! and the key rotated.
vpn-dialer default-dialer
   ike authentication PRE-SHARE 71f1fa4c060919018c116355c1e6338b884d61fa99871182
!
user-role ap-role
   access-list session control
   access-list session ap-acl
!
! NOTE(review): VPN users receive allowall for IPv4 and IPv6, i.e. no filtering.
user-role default-vpn-role
   access-list session allowall
   access-list session v6-allowall
!
! NOTE(review): Initial (pre-authentication) role of aaa profile tsaOpen-AAA. Before
! logging in, a client on the open SSID can already reach HTTP/Citrix/ICA on 192.168.75.21
! and Citrix/ICA on the ten tsaVirtual-Hosts addresses, because those ACLs are listed ahead
! of the captive-portal redirect. Confirm that this exposure is intended.
user-role PRE-TsaOpen
   captive-portal "tsaOpen"
   access-list session tsaVirtual
   access-list session tsaVirtual-Hosts
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
   access-list session block-all
!
! NOTE(review): Guest role. http-acl, https-acl and dns-acl permit any destination, and
! there is no deny for internal networks in front of them.
user-role TSAOpen-Guest
   access-list session tsa-Proxy
   access-list session http-acl
   access-list session https-acl
   access-list session dns-acl
!
! NOTE(review): Remaining user-roles, cellular dialer groups, VLANs and physical ports.
! NOTE(review): The voice role is restricted to telephony services plus DHCP/TFTP/DNS/ICMP,
! but no aaa profile in this file assigns it; TsaVOIP-AAA assigns "authenticated" (allowall)
! instead. Pointing the voice SSID at this role would apply least privilege.
user-role voice
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
!
user-role default-via-role
   access-list session allowall
!
user-role guest-logon
   captive-portal "default"
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
!
! NOTE(review): Same rule set as TSAOpen-Guest: HTTP/HTTPS/DNS to any destination with no
! deny for internal address space.
user-role guest
   access-list session tsa-Proxy
   access-list session http-acl
   access-list session https-acl
   access-list session dns-acl
!
user-role stateful-dot1x
!
! NOTE(review): Full access for IPv4 and IPv6. This role is also the initial-role of the
! PSK profiles tsaSecure-AAA and TsaVOIP-AAA, so knowledge of the passphrase alone grants it.
user-role authenticated
   access-list session allowall
   access-list session v6-allowall
!
! Pre-authentication role; includes vpnlogon, which permits VPN protocols before login.
user-role logon
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control
   access-list session captiveportal6
!
!
! NOTE(review): The dedicated management port is shut down, so management presumably
! reaches the controller in-band over a data VLAN. VLAN 1 carries the controller address and
! also the open, PSK and 802.1X wireless clients; confirm that management services are
! filtered for those clients.
interface mgmt
   shutdown
!
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT#777
!
dialer group gsm_us
   init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
   dial-string ATD*99#
!
dialer group gsm_asia
   init-string AT+CGDCONT=1,"IP","internet"
   dial-string ATD*99***1#
!
dialer group vivo_br
   init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
   dial-string ATD*99#
!
vlan 2
vlan 3
vlan 10
! NOTE(review): All four ports are marked trusted. Presumably traffic entering a trusted
! port is not subjected to user-role session ACLs (TODO confirm), so only switch uplinks,
! never edge or user-facing ports, should be trusted.
interface gigabitethernet 1/0
   description "GE1/0"
   trusted
   trusted vlan 1-3
   switchport mode trunk
   switchport access vlan 2
   switchport trunk allowed vlan 1-3
!
interface gigabitethernet 1/1
   description "GE1/1"
   trusted
   trusted vlan 1-4094
!
interface gigabitethernet 1/2
   description "GE1/2"
   trusted
   trusted vlan 1-4094
!
! NOTE(review): "trunk allowed vlan 20" names a VLAN that is not created in this file
! (only 2, 3 and 10 are), and no "switchport mode trunk" line is present for this port.
! Looks like leftover configuration; verify.
interface gigabitethernet 1/3
   description "GE1/3"
   trusted
   trusted vlan 1-4094
   switchport access vlan 10
   switchport trunk allowed vlan 20
!
! NOTE(review): VLAN 1 is a single /16 (255.255.0.0) that contains the controller
! (192.168.80.1), the RADIUS/LDAP servers (192.168.0.2, 192.168.0.3) and every wireless
! client placed in VLAN 1, including the open SSID. A separate guest VLAN would remove
! guests from this L2 domain.
interface vlan 1
   ip address 192.168.80.1 255.255.0.0
!
interface vlan 2
!
interface vlan 10
   ip address 10.10.11.200 255.255.255.0
   operstate up
!
! NOTE(review): Redundancy (VRRP), IPsec/ISAKMP, inter-controller keys, SNMP, management
! access and control-plane firewall settings. "# Removed" marks values the poster redacted;
! it is not configuration syntax.
interface vlan 3
   operstate up
!
! NOTE(review): Neither VRRP instance sets an authentication string, and both run on VLAN 1,
! which also carries wireless clients. Configure VRRP authentication or move redundancy
! traffic to a VLAN that clients cannot join.
vrrp 2
   priority 110
   ip address 192.168.80.3
   vlan 1
   preempt delay 0
   no shutdown
!
vrrp 3
   ip address 192.168.80.4
   vlan 1
   preempt delay 0
   no shutdown
!
ip default-gateway 192.168.0.254
uplink disable
ap mesh-recovery-profile cluster Recoveryn4duv0lF2XVJ711s wpa-hexkey # Removed
! Only the encryption algorithm is set for this ISAKMP policy; hash, DH group and
! authentication method are not shown and presumably use defaults.
crypto isakmp policy 20
   encryption aes256
!
! NOTE(review): default-boc-bm-transform uses esp-3des, a legacy cipher; the other two
! sets use esp-aes256. Confirm whether any peer still needs the 3DES set.
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
! "default-transform" is referenced here but not defined in this file; presumably built in.
crypto dynamic-map default-dynamicmap 10000
   set transform-set "default-transform" "default-aes"
!
! NOTE(review): The two localip lines carry the inter-controller IPsec key values, and
! they were left in the published paste. Treat them as disclosed and rotate the keys on
! this controller and on its peers.
localip 192.168.80.2 ipsec d06d6c27ddba552f32475f38a215a391de2d51b5520b74e0
localip 192.168.80.5 ipsec 7a71e5cb87c374c8da2eba86d2db4190
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
!
!
syslocation# Removed
syscontact # Removed
! NOTE(review): The SNMP community string appears in cleartext and equals one of the
! broadcast ESSIDs ("tsaWireless"), so it cannot be relied on as a secret. Change it, and
! prefer SNMPv3 with authentication and privacy.
snmp-server community tsaWireless
vpdn group pptp
!
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
! NOTE(review): SSH management logins use username/password only; consider public-key
! authentication for administrators.
ssh mgmt-auth username/password
mgmt-user # Removed
! NTP authentication is turned on, but no NTP server or key lines are visible in this file.
ntp authenticate
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
ipv6 mld
!
! NOTE(review): The "no" form removes the control-plane attack-rate setting. Presumably
! this disables rate-based protection for traffic aimed at the controller itself; confirm
! that it is intentional.
no firewall attack-rate cp 1024
firewall broadcast-filter arp
ipv6 firewall ext-hdr-parse-len 100
!
! NOTE(review): The control-plane firewall stanza is empty, so no explicit rules limit which
! sources may reach controller services. Consider adding rules for the management services.
firewall cp
!
firewall cp packet-capture-defaults tcp all udp all sysmsg disable other disable
!
ip domain lookup
!
country GB
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "TSA-dot1x-prof"
!
! Not referenced by any aaa profile in this file (TsaVOIP-AAA uses "default-psk").
aaa authentication dot1x "TSA-Voip-dot1x"
   machine-authentication machine-default-role "authenticated"
   machine-authentication user-default-role "authenticated"
!
! NOTE(review): Authentication servers, server groups, AAA profiles and captive-portal
! profiles. "# Removed" marks values the poster redacted.
! NOTE(review): Both RADIUS shared-secret values were left in the published paste. Treat
! them as disclosed; rotate the secrets here and on the RADIUS servers.
aaa authentication-server radius "tsaWireless-Radius"
   host "192.168.0.2"
   key 8b4f2ea2a8d831c1bd31ffdc00375f7fe14c73fb3dd9b4d4
!
aaa authentication-server radius "tsaWireless-Radius-FailThru"
   host "192.168.0.3"
   key 9e03115f8ff2ce4381033bd7f3af7185f1a2879793e35ef5
!
! NOTE(review): allow-cleartext is set and no TLS connection type is visible, so the
! admin bind and user credentials are presumably sent to 192.168.0.3 unencrypted. The
! captive portal "tsaOpen" authenticates against this server through server-group "LDAP".
! Switch to LDAP over TLS and remove allow-cleartext.
aaa authentication-server ldap "TSA-AD-Server"
   host 192.168.0.3
   admin-dn # Removed
   admin-passwd # Removed
   allow-cleartext
   base-dn # Removed
   filter "(objectclass=person)"
!
! NOTE(review): "set role condition role value-of" presumably assigns the user-role named
! by a server-returned attribute called "role" (TODO confirm). Whoever can set that
! attribute in the directory then controls role assignment.
aaa server-group "default"
   auth-server TSA-AD-Server
   auth-server Internal
   set role condition role value-of
!
aaa server-group "LDAP"
   auth-server TSA-AD-Server
   auth-server Internal
!
aaa server-group "Radius"
   auth-server tsaWireless-Radius-FailThru
   auth-server tsaWireless-Radius
!
aaa profile "default"
!
! Open SSID: clients start in PRE-TsaOpen (captive portal plus limited Citrix/HTTP access).
aaa profile "tsaOpen-AAA"
   initial-role "PRE-TsaOpen"
   dot1x-default-role "TSAOpen-Guest"
!
! NOTE(review): initial-role "authenticated" maps to allowall, so on this PSK SSID the
! shared passphrase is the only control in front of unrestricted access. "default-psk" is
! not defined in this file; presumably it is a built-in profile.
aaa profile "tsaSecure-AAA"
   initial-role "authenticated"
   authentication-dot1x "default-psk"
!
! NOTE(review): Voice clients also receive "authenticated" (allowall) in every case. The
! restricted "voice" role defined in this file is never assigned.
aaa profile "TsaVOIP-AAA"
   initial-role "authenticated"
   mac-default-role "authenticated"
   authentication-dot1x "default-psk"
   dot1x-default-role "authenticated"
!
! 802.1X SSID authenticated against server-group "Radius". No initial-role is set here.
aaa profile "tsaWireless-AAA"
   authentication-dot1x "TSA-dot1x-prof"
   dot1x-default-role "authenticated"
   dot1x-server-group "Radius"
!
aaa authentication captive-portal "default"
   login-page "/upload/custom/default/virtual-index.html"
!
aaa authentication captive-portal "tsaOpen"
   default-guest-role "logon"
   server-group "LDAP"
   login-page "/upload/custom/tsaOpen/virtual-index.html"
   welcome-page "/upload/custom/tsaOpen/open-welcome.html"
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
! Empty stanza: no server group is configured for management authentication, so management
! logins presumably rely on local accounts. TODO confirm.
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
!
papi-security
!
guest-access-email
!
voice logging
!
voice dialplan-profile "default"
!
voice real-time-config
!
voice sip
!
! NOTE(review): Empty stanza: no length, complexity or lockout rules are configured for
! management passwords in this file.
aaa password-policy mgmt
!
! NOTE(review): Control-plane security, wireless IDS profiles, AP system profiles and the
! regulatory domain.
! NOTE(review): auto-cert-prov is set and no address allow-list is visible. Presumably any
! AP that reaches the controller is issued a certificate automatically; restrict this to
! known AP address ranges if the platform supports it. TODO confirm.
control-plane-security
   auto-cert-prov
!
ids management-profile
!
ids wms-general-profile
   poll-retries 3
!
ids wms-local-system-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!
ap system-profile "default"
!
! The primary and backup LMS addresses are the two VRRP virtual addresses on VLAN 1
! (192.168.80.3 and 192.168.80.4).
ap system-profile "TSA-Sys-Profile"
   lms-ip 192.168.80.3
   bkup-lms-ip 192.168.80.4
   lms-preemption
!
! Same pair as above with primary and backup swapped.
ap system-profile "TSA-Sys-Profile-BACKUP"
   lms-ip 192.168.80.4
   bkup-lms-ip 192.168.80.3
   lms-preemption
!
ap regulatory-domain-profile "default"
   country-code GB
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 52
   valid-11a-channel 56
   valid-11a-channel 60
   valid-11a-channel 64
   valid-11a-channel 100
   valid-11a-channel 104
   valid-11a-channel 108
   valid-11a-channel 112
   valid-11a-channel 116
   valid-11a-channel 120
   valid-11a-channel 124
   valid-11a-channel 128
   valid-11a-channel 132
   valid-11a-channel 136
   valid-11a-channel 140
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 52-56
   valid-11a-40mhz-channel-pair 60-64
   valid-11a-40mhz-channel-pair 100-104
   valid-11a-40mhz-channel-pair 108-112
   valid-11a-40mhz-channel-pair 116-120
   valid-11a-40mhz-channel-pair 124-128
   valid-11a-40mhz-channel-pair 132-136
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap mesh-cluster-profile "default"
!
ap wired-port-profile "default"
!
ap mesh-radio-profile "default"
!
! NOTE(review): Every wireless IDS profile below is left at its defaults. The only explicit
! detection content is the two broadcast deauth/disassoc signatures, and the logging
! section keeps the ids subcategories at "warnings". Review whether rogue-AP and
! impersonation detection are tuned for this site.
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
ids signature-matching-profile "default"
   signature "Deauth-Broadcast"
   signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!
ids profile "default"
!
rf arm-profile "802.11a-LC-ARM"
!
rf arm-profile "802.11g-LC-ARM"
!
! NOTE(review): RF/ARM and radio profiles, then the SSID profiles and the first virtual AP.
! "# Removed" marks passphrases the poster redacted.
rf arm-profile "arm-maintain"
   assignment maintain
   no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default"
!
rf arm-profile "TSA01009-arm-a"
   min-tx-power 30
!
rf arm-profile "TSA01009-arm-g"
   min-tx-power 30
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
rf dot11a-radio-profile "802.11a-LC-radio-profile"
   arm-profile "802.11a-LC-ARM"
!
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
   arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
   mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
   arm-profile "arm-scan"
!
rf dot11a-radio-profile "TSA01009-radio-a"
   arm-profile "TSA01009-arm-a"
!
rf dot11g-radio-profile "802.11g-LC-radio-profile"
   arm-profile "802.11g-LC-ARM"
!
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
   arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
   mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
   arm-profile "arm-scan"
!
rf dot11g-radio-profile "TSA01009-radio-g"
   arm-profile "TSA01009-arm-g"
!
wlan dot11k-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan ssid-profile "default"
!
! NOTE(review): No opmode is set, so this SSID presumably runs open (unencrypted). Guest
! traffic is then readable over the air, and access control rests on the captive portal
! alone.
wlan ssid-profile "TsaOpen-SSID"
   essid "tsaOpen"
!
! NOTE(review): The essid "tsaDELME" and the absence of any virtual AP referencing this
! profile suggest a leftover; remove it if unused.
wlan ssid-profile "tsaSecure"
   essid "tsaDELME"
!
! NOTE(review): WPA2-PSK with a hidden SSID. hide-ssid is not a security control, because
! the name is still revealed whenever a client associates. Protection rests on the
! passphrase, which should be long, random and rotated when staff or devices leave.
wlan ssid-profile "TsaSecure-SSID"
   essid "tsaSecure"
   opmode wpa2-psk-aes
   hide-ssid
   wpa-passphrase # Removed
!
! Not referenced by any virtual AP in this file.
wlan ssid-profile "TsaTest-SSId"
   essid "tsatest"
   opmode wpa2-psk-aes
   hide-ssid
   wpa-passphrase # Removed
!
wlan ssid-profile "TsaVOIP-SSID"
   essid "tsaVoice"
   opmode wpa2-psk-aes
   hide-ssid
   wpa-passphrase # Removed
!
! WPA2-Enterprise (802.1X); paired with aaa profile tsaWireless-AAA by its virtual AP.
wlan ssid-profile "TsaWireless-SSID"
   essid "tsaWireless"
   opmode wpa2-aes
!
wlan virtual-ap "default"
!
! NOTE(review): The open/guest virtual AP places clients in VLAN 1, the same VLAN and /16
! as the controller address and the authentication servers. deny-inter-user-traffic is set
! here, which limits guest-to-guest traffic; a dedicated guest VLAN would also separate
! guests from infrastructure.
wlan virtual-ap "tsaOpen-VAP"
   aaa-profile "tsaOpen-AAA"
   ssid-profile "TsaOpen-SSID"
   vlan 1
   broadcast-filter all
   deny-inter-user-traffic
   band-steering
!
! NOTE(review): Remaining virtual APs, AP groups, per-AP overrides, logging and SNMP traps.
! PSK SSID in VLAN 1. Unlike tsaOpen-VAP, deny-inter-user-traffic is not set here.
wlan virtual-ap "tsaSecure-VAP"
   aaa-profile "tsaSecure-AAA"
   ssid-profile "TsaSecure-SSID"
   vlan 1
   broadcast-filter all
   band-steering
!
wlan virtual-ap "TsaVOIP-VAP"
   aaa-profile "TsaVOIP-AAA"
   ssid-profile "TsaVOIP-SSID"
   vlan 10
!
! NOTE(review): "no blacklist" presumably turns off client blacklisting on the 802.1X
! SSID, so repeated authentication failures would not lock a client out. Confirm that
! this is intended.
wlan virtual-ap "tsaWireless-VAP"
   aaa-profile "tsaWireless-AAA"
   ssid-profile "TsaWireless-SSID"
   vlan 1
   no blacklist
   broadcast-filter all
   band-steering
!
ap provisioning-profile "default"
!
ap spectrum local-override
!
ap-group "default"
!
ap-group "TSA-AP-Group"
   virtual-ap "tsaOpen-VAP"
   virtual-ap "tsaSecure-VAP"
   virtual-ap "tsaWireless-VAP"
   virtual-ap "TsaVOIP-VAP"
   ap-system-profile "TSA-Sys-Profile"
!
ap-group "TSA-AP-Group-BACKUP"
   virtual-ap "tsaOpen-VAP"
   virtual-ap "tsaSecure-VAP"
   virtual-ap "tsaWireless-VAP"
   virtual-ap "TsaVOIP-VAP"
   ap-system-profile "TSA-Sys-Profile-BACKUP"
!
! This group sets radio profiles and a system profile but lists no virtual APs.
ap-group "TSA-Leisure-Center"
   dot11a-radio-profile "802.11a-LC-radio-profile"
   dot11g-radio-profile "802.11g-LC-radio-profile"
   ap-system-profile "TSA-Sys-Profile"
!
ap-name "TSA01009 - in T1"
   virtual-ap "tsaOpen-VAP"
   virtual-ap "tsaSecure-VAP"
   virtual-ap "tsaWireless-VAP"
   dot11a-radio-profile "TSA01009-radio-a"
   dot11g-radio-profile "TSA01009-radio-g"
!
! NOTE(review): Authentication-related categories (aaa, authmgr, dot1x) log at debugging
! level and are forwarded to 192.168.75.253. Debug-level auth logs can include user and
! device identifiers, and svc-syslog in this file is UDP/514 (unencrypted). Return to a
! lower level once troubleshooting ends and protect the path to the collector. The ids
! categories are at "warnings", so lower-severity IDS events are not logged.
logging level debugging security process aaa
logging level debugging security process authmgr
logging level debugging security
logging level debugging security subcat aaa
logging level debugging security process authmgr subcat all
logging level debugging security subcat dot1x
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
logging level debugging user subcat dot1x
logging 192.168.75.253
snmp-server enable trap
! NOTE(review): Traps use SNMP version 1, which carries the community string "tsaWireless"
! in cleartext. That string was published in this paste and equals a broadcast ESSID.
! Move to SNMPv3 and change the community.
snmp-server host 192.168.75.12 version 1 tsaWireless udp-port 162
process monitor log
end