(sr-ls-awmsctrl) #show run
Building Configuration...
! Captured running configuration of controller "sr-ls-awmsctrl": PKI, service aliases,
! destination aliases, time ranges and the first session ACLs.
! NOTE(review): the full listing carries management addresses, an SNMP community string and
! stored key/passphrase strings; treat every credential in it as disclosed and rotate it.
version 6.5
enable secret "******"
hostname "sr-ls-awmsctrl"
clock timezone CST -6
location "Building1.floor1"
controller config 13
! NOTE(review): "sr-root" is loaded as TrustedCA (sr-root.pem) and a ServerCert named "SR-Root"
! comes from sr-root.pfx; the file names suggest the same root - confirm the server certificate
! is a leaf certificate and not the CA key pair.
crypto-local pki TrustedCA sr-root sr-root.pem
crypto-local pki ServerCert csr csr.pem
crypto-local pki ServerCert SR-Root sr-root.pfx
! NOTE(review): revocation checking is disabled for the "sr-root" revocation check point, so a
! revoked certificate chaining to it would still validate; enable CRL or OCSP checking if the
! PKI publishes either.
crypto-local pki rcp "sr-root"
    revocation-check none
!
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list geolocation global-geolocation-acl
!
ip access-list eth validuserethacl
    permit any
!
! Service aliases (protocol/port definitions) referenced by the session ACLs below. Defining a
! service here does not permit it; only ACL rules that reference the alias do.
netservice svc-ipp-tcp tcp 631
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-citrix tcp 2598
netservice svc-pcoip-udp udp 50002
netservice svc-netbios-ssn tcp 139
netservice svc-tftp udp 69 alg tftp
netservice svc-papi udp 8211
netservice svc-ica tcp 1494
netservice svc-natt udp 4500
netservice svc-lpd tcp 515
netservice svc-microsoft-ds tcp 445
netservice svc-syslog udp 514
netservice svc-msrpc-tcp tcp 135 139
netservice svc-msrpc-udp udp 135 139
netservice svc-smtp tcp 25
netservice svc-http-proxy2 tcp 8080
netservice svc-cfgm-tcp tcp 8211
netservice vnc tcp 5900 5905
netservice svc-web tcp list "80 443"
netservice svc-h323-udp udp 1718 1719
netservice svc-sccp tcp 2000 alg sccp
netservice svc-http tcp 80
netservice svc-bootp udp 67 69
netservice svc-telnet tcp 23
netservice svc-vmware-rdp tcp 3389
netservice svc-ipp-udp udp 631
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-vocera udp 5002 alg vocera
netservice svc-esp 50
netservice svc-http-proxy1 tcp 3128
netservice svc-sec-papi udp 8209
netservice svc-l2tp udp 1701
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-gre 47
netservice svc-sip-tcp tcp 5060
netservice svc-pptp tcp 1723
netservice svc-snmp udp 161
netservice svc-svp 119 alg svp
netservice svc-icmp 1
netservice svc-smb-tcp tcp 445
netservice svc-pcoip2-tcp tcp 4172
netservice svc-v6-icmp 58
netservice svc-ssh tcp 22
netservice svc-h323-tcp tcp 1720
netservice svc-ntp udp 123
netservice svc-pop3 tcp 110
netservice svc-netbios-ns udp 137
netservice svc-adp udp 8200
netservice svc-v6-dhcp udp 546 547
netservice svc-dns udp 53 alg dns
netservice svc-netbios-dgm udp 138
netservice svc-http-proxy3 tcp 8888
netservice svc-sip-udp udp 5060
netservice svc-kerberos udp 88
netservice svc-sips tcp 5061 alg sips
netservice svc-pcoip2-udp udp 4172
netservice svc-pcoip-tcp tcp 50002
netservice svc-noe udp 32512 alg noe
netservice svc-nterm tcp 1026 1028
netservice svc-ike udp 500
netservice svc-snmp-trap udp 162
netservice svc-https tcp 443
netservice svc-smb-udp udp 445
netservice svc-ftp tcp 21 alg ftp
netdestination6 ipv6-reserved-range
    invert
    network 2000::/3
!
! NOTE(review): "Internal-Network" covers only 192.111.25.0/24. The 10.10.10.x and 10.130.x
! addresses used for management and AAA later in this config are outside it, so an ACL that
! denies this alias does not protect them.
netdestination Internal-Network
    network 192.111.25.0 255.255.255.0
!
netdestination google_play_store
    description "Play_store_access"
    name android.clients.google.com
    name .ggpht.com
    name play.google.com
!
! NOTE(review): several entries are domain suffixes (for example a shared CDN suffix). Where this
! alias is used in a pre-authentication ACL it widens what unauthenticated clients can reach;
! keep the list as narrow as onboarding requires.
netdestination ios_whitelist
    description "ios_applestore"
    name .apple.com
    name .akamaiedge.net
    name .apple.com.edgekey.net
    name .whois.arin.net
    name www.airport.us
    name www.itools.info
    name www.ibooks.info
    name www.thinkdifferent.us
!
netexthdr default
!
time-range working-hours periodic
    weekday 08:00 to 18:00
!
time-range night-hours periodic
    weekday 18:01 to 23:59
    weekday 00:00 to 07:59
!
time-range weekend periodic
    weekend 00:00 to 23:59
!
ip access-list session apprf-GuestX-logon-sacl
!
ip access-list session svp-acl
    any any svc-svp permit queue high
    user host 224.0.1.116 any permit
!
ip access-list session apprf-stateful-dot1x-sacl
!
ip access-list session apprf-voice-sacl
!
ip access-list session apprf-default-vpn-role-sacl
!
! NOTE(review): "user any udp 68 deny" is listed last here, after "any any svc-dhcp permit"
! (svc-dhcp is udp 67-68); the "control" ACL later in this config lists the same deny first.
! If rules are matched in the order shown, the deny is shadowed in this ACL - confirm the order.
ip access-list session logon-control
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny
    any host 10.130.60.8 svc-http permit
    any host 10.130.60.8 svc-https permit
    user any udp 68 deny
!
! Session ACL definitions. Each rule reads: source, destination, service, action. ACLs named
! apprf-*-sacl, global-sacl and ICMP are defined with no rules.
ip access-list session ap-uplink-acl
    any any udp 68 permit
    any any svc-icmp permit
    any host 224.0.0.251 udp 5353 permit
!
ip access-list session v6-http-acl
    ipv6 any any svc-http permit
!
ip access-list session v6-logon-control
    ipv6 user any udp 68 deny
    ipv6 any any svc-v6-icmp permit
    ipv6 any any svc-v6-dhcp permit
    ipv6 any any svc-dns permit
    ipv6 any network fc00::/7 any permit
    ipv6 any network fe80::/64 any permit
    ipv6 any alias ipv6-reserved-range any deny
!
ip access-list session http-acl
    any any svc-http permit
!
ip access-list session icmp-acl
    any any svc-icmp permit
!
ip access-list session vocera-acl
    any any svc-vocera permit queue high
!
ip access-list session apprf-Contractor-sacl
!
! NOTE(review): this is the only rule in the listing that keeps user traffic away from
! "Internal-Network", and it is IPv4-only. It takes effect only in roles where it is listed
! before any permit-all ACL; check the order in each user-role that references it.
ip access-list session block-internal-access
    user alias Internal-Network any deny
!
ip access-list session apprf-VIA-Remote-sacl
!
ip access-list session vmware-acl
    any any svc-vmware-rdp permit tos 46 dot1p-priority 6
    any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
    any any svc-pcoip-udp permit tos 46 dot1p-priority 6
    any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
    any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
!
ip access-list session citrix-acl
    any any svc-citrix permit tos 46 dot1p-priority 6
    any any svc-ica permit tos 46 dot1p-priority 6
!
ip access-list session tftp-acl
    any any svc-tftp permit
!
ip access-list session sip-acl
    any any svc-sip-udp permit queue high
    any any svc-sip-tcp permit queue high
!
! Drops IPv6 router advertisements sourced from wireless users.
ip access-list session ra-guard
    ipv6 user any icmpv6 rtr-adv deny
!
ip access-list session srcnat
    user any any src-nat
!
ip access-list session apprf-Guestz-guest-logon-sacl
!
ip access-list session global-sacl
!
ip access-list session ICMP
!
ip access-list session v6-dhcp-acl
    ipv6 any any svc-v6-dhcp permit
!
ip access-list session cplogout
    user alias controller svc-https dst-nat 8081
    user alias mswitch svc-https dst-nat 8081
!
! Session ACL definitions: captive-portal walled-garden ACLs, VPN logon, AP control (IPv6) and
! permit-all for IPv6.
! NOTE(review): clearpass-allownew and clearpass-allow carry the same four rules. The two
! "any alias ... any permit" rules allow every protocol and port to the aliased destinations,
! not only web traffic.
ip access-list session clearpass-allownew
    user host 10.130.60.8 svc-http permit
    user host 10.130.60.8 svc-https permit
    any alias google_play_store any permit
    any alias ios_whitelist any permit
!
ip access-list session apprf-captiveportal_logon-sacl
!
ip access-list session apprf-authenticated-sacl
!
ip access-list session CaptivePortal-ACL
    user host 10.130.60.8 svc-http permit
    user host 10.130.60.8 svc-https permit
!
ip access-list session clearpass-allow
    user host 10.130.60.8 svc-http permit
    user host 10.130.60.8 svc-https permit
    any alias google_play_store any permit
    any alias ios_whitelist any permit
!
! NOTE(review): permits PPTP and L2TP/GRE alongside IKE/ESP for clients in the logon state;
! if PPTP is not in use, dropping that rule narrows the pre-authentication surface.
ip access-list session vpnlogon
    user any svc-ike permit
    user any svc-esp permit
    any any svc-l2tp permit
    any any svc-pptp permit
    any any svc-gre permit
!
ip access-list session v6-control
    ipv6 user any udp 547 deny
    ipv6 any any svc-v6-icmp permit
    ipv6 any any svc-dns permit
    ipv6 any any svc-papi permit
    ipv6 any any svc-sec-papi permit
    ipv6 any any svc-cfgm-tcp permit
    ipv6 any any svc-adp permit
    ipv6 any any svc-tftp permit
    ipv6 any any svc-dhcp permit
    ipv6 any any svc-natt permit
!
ip access-list session allow-diskservices
    any any svc-netbios-dgm permit
    any any svc-netbios-ssn permit
    any any svc-microsoft-ds permit
    any any svc-netbios-ns permit
!
ip access-list session apprf-guest-sacl
!
ip access-list session dynamic-session-acl
    any any any src-nat pool dynamic-srcnat
!
ip access-list session v6-ap-acl
    ipv6 any any svc-gre permit
    ipv6 any any svc-syslog permit
    ipv6 any user svc-snmp permit
    ipv6 user any svc-snmp-trap permit
    ipv6 user any svc-ntp permit
    ipv6 user any svc-ftp permit
!
ip access-list session apprf-WPA2_Enforce-sacl
!
ip access-list session apprf-default-via-role-sacl
!
! Permit-all for IPv6; any role that lists it places no IPv6 restriction after that point.
ip access-list session v6-allowall
    ipv6 any any any permit
!
ip access-list session v6-icmp-acl
    ipv6 any any svc-v6-icmp permit
!
ip access-list session apprf-Employee-sacl
!
! Session ACL definitions: valid-user source filter, captive-portal redirects, per-service
! permits, permit-all (IPv4) and the AP ACL.
! validuser: rejects loopback, link-local, multicast, broadcast and 240/4 sources, then admits
! every other IPv4 source; the IPv6 rules follow the same pattern.
ip access-list session validuser
    network 127.0.0.0 255.0.0.0 any any deny
    network 169.254.0.0 255.255.0.0 any any deny
    network 224.0.0.0 240.0.0.0 any any deny
    host 255.255.255.255 any any deny
    network 240.0.0.0 240.0.0.0 any any deny
    any any any permit
    ipv6 host fe80:: any any deny
    ipv6 network fc00::/7 any any permit
    ipv6 network fe80::/64 any any permit
    ipv6 alias ipv6-reserved-range any any deny
    ipv6 any any any permit
!
ip access-list session v6-dns-acl
    ipv6 any any svc-dns permit
!
! Redirects user HTTP, HTTPS and proxy-port traffic to local ports 8080/8081/8088.
! The "captiveportalnew" ACL further down carries the same six rules.
ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
!
ip access-list session v6-https-acl
    ipv6 any any svc-https permit
!
ip access-list session dhcp-acl
    any any svc-dhcp permit
!
ip access-list session h323-acl
    any any svc-h323-tcp permit queue high
    any any svc-h323-udp permit queue high
!
! NOTE(review): permit-all for IPv4. In a role, any ACL listed after this one is never reached
! for IPv4 traffic if ACLs are matched in listed order.
ip access-list session allowall
    any any any permit
!
ip access-list session allow-printservices
    any any svc-lpd permit
    any any svc-ipp-tcp permit
    any any svc-ipp-udp permit
!
ip access-list session https-acl
    any any svc-https permit
!
ip access-list session skinny-acl
    any any svc-sccp permit queue high
!
ip access-list session apprf-auth-sacl
!
! NOTE(review): the AP ACL permits SSH from any source to any destination and FTP from users;
! confirm both are still required for AP operation.
ip access-list session ap-acl
    any any svc-gre permit
    any any svc-syslog permit
    any user svc-snmp permit
    user any svc-snmp-trap permit
    user any svc-ntp permit
    user any svc-ftp permit
    any any svc-ssh permit
!
ip access-list session apprf-Others-login-sacl
!
ip access-list session captiveportalnew
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
!
ip access-list session auth-guest-access
    user any svc-http permit
    user any svc-https permit
!
! Remaining session ACLs, a role-derivation rule, the VPN dialer and the first user-role
! definitions. A user-role lists session ACLs in the order they are applied.
ip access-list session captiveportal6
    ipv6 user alias controller6 svc-https captive
    ipv6 user any svc-http captive
    ipv6 user any svc-https captive
    ipv6 user any svc-http-proxy1 captive
    ipv6 user any svc-http-proxy2 captive
    ipv6 user any svc-http-proxy3 captive
!
ip access-list session control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-papi permit
    any any svc-sec-papi permit
    any any svc-cfgm-tcp permit
    any any svc-adp permit
    any any svc-tftp permit
    any any svc-dhcp permit
    any any svc-natt permit
!
ip access-list session dns-acl
    any any svc-dns permit
!
ip access-list session noe-acl
    any any svc-noe permit queue high
!
ip access-list route master-boc-traffic
!
! Assigns role "guest-logon" to users whose ESSID contains "SR-Test2".
aaa derivation-rules user Testing
    set role condition essid contains "SR-Test2" set-value guest-logon description "Testing"
!
! NOTE(review): IKE pre-shared-key authentication; the key is masked in this output.
vpn-dialer default-dialer
    ike authentication PRE-SHARE ******
!
user-role default-via-role
    access-list session global-sacl
    access-list session apprf-default-via-role-sacl
    access-list session allowall
!
user-role ap-role
    access-list session ra-guard
    access-list session control
    access-list session ap-acl
    access-list session v6-control
    access-list session v6-ap-acl
!
! NOTE(review): this role ends with "allowall", so any IPv4 traffic not matched by the earlier
! ACLs (web redirect, logon-control, the Internal-Network deny) is permitted. Later in this
! config the same role is used both as an aaa-profile initial-role and as the captive-portal
! default-role - confirm that pre-authentication clients are meant to receive it.
user-role Contractor
    no captive-portal check-for-accounting
    captive-portal "Contractor-cp_prof"
    access-list session global-sacl
    access-list session apprf-Contractor-sacl
    access-list session clearpass-allow
    access-list session captiveportalnew
    access-list session logon-control
    access-list session block-internal-access
    access-list session auth-guest-access
    access-list session allowall
!
user-role sys-ap-role
!
user-role stateful-dot1x
    access-list session global-sacl
    access-list session apprf-stateful-dot1x-sacl
!
user-role guest-logon
    captive-portal "default"
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session v6-logon-control
    access-list session captiveportal6
!
! User-role definitions: guest logon roles, voice and Employee.
! NOTE(review): in the logon roles below, "logon-control" (DNS, DHCP, NAT-T permits) is listed
! before "block-internal-access", so those services still reach Internal-Network if ACLs are
! matched in listed order; "auth-guest-access" follows the captive-portal redirect ACL.
user-role Guestz-guest-logon
    reauthentication-interval 1
    captive-portal "Guestz-cp_prof"
    access-list session global-sacl
    access-list session apprf-Guestz-guest-logon-sacl
    access-list session clearpass-allow
    access-list session captiveportal
    access-list session logon-control
    access-list session block-internal-access
    access-list session auth-guest-access
!
user-role voice
    access-list session global-sacl
    access-list session apprf-voice-sacl
    access-list session ra-guard
    access-list session sip-acl
    access-list session noe-acl
    access-list session svp-acl
    access-list session vocera-acl
    access-list session skinny-acl
    access-list session h323-acl
    access-list session dhcp-acl
    access-list session tftp-acl
    access-list session dns-acl
    access-list session icmp-acl
!
! NOTE(review): the role ends with "allowall", which makes the specific IPv4 permits above it
! redundant; IPv6 is limited to the v6-* ACLs listed because no v6-allowall is attached.
user-role Employee
    access-list session global-sacl
    access-list session apprf-Employee-sacl
    access-list session ra-guard
    access-list session http-acl
    access-list session https-acl
    access-list session dhcp-acl
    access-list session icmp-acl
    access-list session dns-acl
    access-list session v6-http-acl
    access-list session v6-https-acl
    access-list session v6-dhcp-acl
    access-list session v6-icmp-acl
    access-list session v6-dns-acl
    access-list session allowall
!
user-role GuestX-logon
    captive-portal "Others2-cp_prof"
    access-list session global-sacl
    access-list session apprf-GuestX-logon-sacl
    access-list session logon-control
    access-list session captiveportal
    access-list session block-internal-access
    access-list session auth-guest-access
!
user-role Others-login
    captive-portal "Others-cp_prof"
    access-list session global-sacl
    access-list session apprf-Others-login-sacl
    access-list session clearpass-allownew
    access-list session captiveportal
    access-list session logon-control
    access-list session block-internal-access
    access-list session auth-guest-access
!
! User-role definitions: VPN, logon, captive-portal logon, authenticated and guest roles.
user-role default-vpn-role
    access-list session global-sacl
    access-list session apprf-default-vpn-role-sacl
    access-list session ra-guard
    access-list session allowall
    access-list session v6-allowall
!
user-role logon
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session vpnlogon
    access-list session v6-logon-control
    access-list session captiveportal6
!
user-role captiveportal_logon
    captive-portal "NWS_CaptivePortal"
    access-list session global-sacl
    access-list session apprf-captiveportal_logon-sacl
    access-list session clearpass-allow
    access-list session CaptivePortal-ACL
    access-list session logon-control
    access-list session captiveportal
!
user-role VIA-Remote
    access-list session global-sacl
    access-list session apprf-VIA-Remote-sacl
    access-list session allowall
!
! Post-authentication role: unrestricted IPv4 and IPv6 apart from the RA guard.
user-role authenticated
    access-list session global-sacl
    access-list session apprf-authenticated-sacl
    access-list session ra-guard
    access-list session allowall
    access-list session v6-allowall
!
user-role auth
    max-sessions 65535
    access-list session global-sacl
    access-list session apprf-auth-sacl
!
user-role WPA2_Enforce
    captive-portal "default"
    access-list session global-sacl
    access-list session apprf-WPA2_Enforce-sacl
    access-list session clearpass-allownew
    access-list session captiveportal
    access-list session logon-control
!
! NOTE(review): "allowall" is listed before "block-internal-access". If ACLs are matched in
! listed order, the Internal-Network deny is never reached and guests have unrestricted IPv4
! access. Several aaa profiles later in this config use "guest" as initial-role. Moving
! block-internal-access above allowall (or removing allowall) would restore the intended block.
user-role guest
    access-list session global-sacl
    access-list session apprf-guest-sacl
    access-list session ra-guard
    access-list session http-acl
    access-list session https-acl
    access-list session dhcp-acl
    access-list session icmp-acl
    access-list session dns-acl
    access-list session v6-http-acl
    access-list session v6-https-acl
    access-list session v6-dhcp-acl
    access-list session v6-icmp-acl
    access-list session v6-dns-acl
    access-list session allowall
    access-list session block-internal-access
    access-list session auth-guest-access
!
user-role default-iap-user-role
    access-list session allowall
!
!
! AAA idle timer, controller/management addressing, cellular dialer groups, VLANs and
! physical/port-channel/VLAN interfaces.
aaa timers idle-timeout 7200 seconds
! NOTE(review): the controller IP lives on VLAN 250; guest-facing virtual APs later in this
! config are also mapped to vlan 250 - confirm guests and the controller/AAA hosts are meant to
! share that segment.
controller-ip vlan 250
no kernel coredump
interface mgmt
    ip address 10.10.10.39 255.255.255.0
!
dialer group evdo_us
    init-string ATQ0V1E0
    dial-string ATDT#777
!
dialer group gsm_us
    init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
    dial-string ATD*99#
!
dialer group gsm_asia
    init-string AT+CGDCONT=1,"IP","internet"
    dial-string ATD*99***1#
!
dialer group vivo_br
    init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
    dial-string ATD*99#
!
vlan 11
vlan 12
vlan 192
vlan 250
vlan 401
no spanning-tree
! NOTE(review): every gigabitethernet port is "trusted" for VLANs 1-4094, including 0/0/3-0/0/5,
! which are not shut down and have no switchport settings shown. Traffic arriving on a trusted
! port is not subject to user-role authentication, so unused ports are better shut down or set
! untrusted. The trunk allowed list also names VLANs with no matching "vlan" line above.
interface gigabitethernet 0/0/0
    description "GE0/0/0"
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport access vlan 250
    switchport trunk native vlan 192
    switchport trunk allowed vlan 11-12,192,249-251,300-301,401-406,417
!
interface gigabitethernet 0/0/1
    description "GE0/0/1"
    shutdown
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk native vlan 192
    switchport trunk allowed vlan 11-12,192,249-251,300-301,401-406,417
!
interface gigabitethernet 0/0/2
    description "GE0/0/2"
    shutdown
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 0/0/3
    description "GE0/0/3"
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 0/0/4
    description "GE0/0/4"
    trusted
    trusted vlan 1-4094
!
interface gigabitethernet 0/0/5
    description "GE0/0/5"
    trusted
    trusted vlan 1-4094
!
interface port-channel 0
    shutdown
    trusted vlan 1-4094
!
interface port-channel 1
    shutdown
    trusted vlan 1-4094
!
interface port-channel 2
    shutdown
    trusted vlan 1-4094
!
interface port-channel 3
    shutdown
    trusted vlan 1-4094
!
interface port-channel 4
    shutdown
    trusted vlan 1-4094
!
interface vlan 250
    ip address 10.130.60.3 255.255.254.0
    no ip routing
    ip helper-address 10.10.10.36
    ip helper-address 192.111.25.242
!
interface vlan 1
    ipv6 address 2001::1/64
!
interface vlan 192
!
interface vlan 12
    ip address dhcp-client
    no ip routing
!
interface vlan 401
    ip address 10.130.64.3 255.255.254.0
    shutdown
!
!
! Master redundancy / VRRP, default gateway, IKE policies and IPsec transform sets.
! NOTE(review): the peer IPsec key is shown as a stored string; rotate it now that the listing
! is public.
master-redundancy
    master-vrrp 250
    peer-ip-address 10.130.60.4 ipsec 39f4958b6c5fe4f922d7a534a04c98d1e0f15a9395522113
!
! NOTE(review): the VRRP authentication string is displayed in clear and is a short dictionary
! word; VRRP text authentication offers little protection in any case, so restrict who can
! reach VLAN 250 at layer 2 and replace the string.
vrrp 250
    priority 120
    authentication tester
    ip address 10.130.60.5
    description "ACT-MST"
    vlan 250
    advertise 5
    tracking master-up-time 30 add 20
    no shutdown
!
!
ip default-gateway 10.130.60.1
no uplink wired vlan 1
uplink disable
ip nexthop-list pan-gp-ipsec-map-list
!
! NOTE(review): several policies below set only "encryption" (policy 10001 sets nothing), so
! their hash, DH group, authentication method and IKE version are whatever the platform
! defaults to - not visible here. Check the effective values and retire policies that fall
! back to weak defaults; only 10008 and 10009 pin hash, group and PRF explicitly.
crypto isakmp policy 20
    encryption aes256
!
crypto isakmp policy 10001
!
crypto isakmp policy 10002
    encryption aes256
    authentication rsa-sig
!
crypto isakmp policy 10003
    encryption aes256
!
crypto isakmp policy 10004
    version v2
    encryption aes256
    authentication rsa-sig
!
crypto isakmp policy 10005
    encryption aes256
!
crypto isakmp policy 10006
    version v2
    encryption aes256
    authentication rsa-sig
!
crypto isakmp policy 10007
    version v2
    encryption aes128
!
crypto isakmp policy 10008
    version v2
    encryption aes128
    hash sha2-256-128
    group 19
    authentication ecdsa-256
    prf prf-hmac-sha256
!
crypto isakmp policy 10009
    version v2
    encryption aes256
    hash sha2-384-192
    group 20
    authentication ecdsa-384
    prf prf-hmac-sha384
!
crypto isakmp policy 10012
    version v2
    encryption aes256
    authentication rsa-sig
!
crypto isakmp policy 10013
    encryption aes256
!
crypto-local isakmp ca-certificate "sr-root"
! NOTE(review): "default-ha-transform" uses 3DES; every transform set listed uses
! esp-sha-hmac. Prefer AES (or the GCM sets referenced by the RAP map) where peers support it.
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-1st-ikev2-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-3rd-ikev2-transform esp-aes128 esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
    version v2
    set transform-set "default-gcm256" "default-gcm128" "default-3rd-ikev2-transform" "default-rap-transform"
!
! "default-transform" is referenced here but not defined in this listing (presumably a
! predefined set - verify its ciphers).
crypto dynamic-map default-dynamicmap 10000
    set transform-set "default-transform" "default-aes"
!
! Crypto maps, L2TP/PPTP groups, DHCP pools, SNMP, management access and AirGroup globals.
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
    client configuration dns 192.111.25.243
    ppp authentication MSCHAPv2
    ppp authentication EAP
!
ip dhcp excluded-address 10.130.60.1 10.130.60.20
ip dhcp excluded-address 10.130.64.1 10.130.64.32
! NOTE(review): pool SRWLAN hands out addresses in 10.130.60.0/23, the same subnet that holds
! the controller and the AAA servers named elsewhere in this config; only .1-.20 are excluded.
ip dhcp pool SRWLAN
    default-router 10.130.60.1
    dns-server 192.111.25.243
    domain-name sr.nws.noaa.gov
    lease 1 0 0 0
    network 10.130.60.0 255.255.254.0
    authoritative
!
ip dhcp pool SRHWLAN
    default-router 10.130.64.1
    dns-server 192.111.25.243
    domain-name sr.nws.noaa.gov
    lease 1 0 0 0
    network 10.130.64.0 255.255.254.0
    authoritative
!
service dhcp
!
syslocation "819 Taylor Street"
syscontact "Network WLAN Team"
! NOTE(review): the SNMP community string appears in clear text, unlike the hex-encoded keys
! elsewhere in this listing. Rotate it, restrict which hosts may poll, and prefer SNMPv3 with
! authentication and privacy; no SNMPv3 user or host restriction is visible here.
snmp-server community "2bOr~otg4o"
vpdn group pptp
!
tunneled-node-address 0.0.0.0
ap-crash-transfer
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
amon msg-buffer-size 1400
mgmt-server type amp primary-server 10.130.60.6 profile default-amp
stm mon-update-queue 66816
! NOTE(review): SSH public-key authentication is disabled and only username/password is
! accepted; the single management account shown holds the "root" role. Change its password
! (the stored string below is now public), enable key-based SSH, and use named per-admin
! accounts where possible.
no ssh mgmt-auth public-key
ssh mgmt-auth username/password
mgmt-user admin root f5b7207b01ec0ac2615232230bb59297e3889abb4f12cb7014
!
database synchronize period 25
ip mobile domain default
!
!
!
airgroup mdns "disable"
!
airgroup dlna "disable"
!
airgroup location-discovery "enable"
!
!
airgroup active-wireless-discovery "disable"
!
airgroupservice "airplay"
    id "_airplay._tcp"
    id "_raop._tcp"
    id "_appletv-v2._tcp"
    description "AirPlay"
!
! AirGroup service definitions: each maps a service name to the mDNS / DLNA service IDs it
! covers. These only take effect where AirGroup mDNS or DLNA is enabled.
airgroupservice "airprint"
    id "_ipp._tcp"
    id "_pdl-datastream._tcp"
    id "_printer._tcp"
    id "_scanner._tcp"
    id "_http._tcp"
    id "_http-alt._tcp"
    id "_ipp-tls._tcp"
    id "_fax-ipp._tcp"
    id "_riousbprint._tcp"
    id "_ica-networking._tcp"
    id "_ptp._tcp"
    id "_canon-bjnp1._tcp"
    id "_ipps._tcp"
    id "_ica-networking2._tcp"
    id "_universal._sub._ipp._tcp"
    id "_universal._sub._ipps._tcp"
    id "_printer._sub._http._tcp"
    id "_cups._sub._ipp._tcp"
    id "_cups._sub._fax-ipp._tcp"
    description "AirPrint"
!
airgroupservice "itunes"
    id "_home-sharing._tcp"
    id "_apple-mobdev._tcp"
    id "_daap._tcp"
    id "_dacp._tcp"
    description "iTunes"
!
! NOTE(review): this service advertises SSH, SFTP, FTP, Telnet and screen-sharing endpoints
! across the AirGroup domain; if discovery of management services is not needed, leave it
! disabled.
airgroupservice "remotemgmt"
    id "_ssh._tcp"
    id "_sftp-ssh._tcp"
    id "_ftp._tcp"
    id "_telnet._tcp"
    id "_rfb._tcp"
    id "_net-assistant._tcp"
    description "Remote management"
!
airgroupservice "sharing"
    id "_odisk._tcp"
    id "_afpovertcp._tcp"
    id "_xgrid._tcp"
    description "Sharing"
!
airgroupservice "chat"
    id "_presence._tcp"
    description "Chat"
!
airgroupservice "googlecast"
    id "_googlecast._tcp"
    description "GoogleCast supported by Chromecast etc"
!
airgroupservice "AmazonTV"
    id "_amzn-wplay._tcp"
    description "Amazon fire tv"
!
airgroupservice "DIAL"
    id "urn:dial-multiscreen-org:service:dial:1"
    id "urn:dial-multiscreen-org:device:dial:1"
    description "DIAL supported by Chromecast, FireTV, Roku etc"
!
airgroupservice "DLNA Media"
    id "urn:schemas-upnp-org:device:MediaServer:1"
    id "urn:schemas-upnp-org:device:MediaServer:2"
    id "urn:schemas-upnp-org:device:MediaServer:3"
    id "urn:schemas-upnp-org:device:MediaServer:4"
    id "urn:schemas-upnp-org:device:MediaRenderer:1"
    id "urn:schemas-upnp-org:device:MediaRenderer:2"
    id "urn:schemas-upnp-org:device:MediaRenderer:3"
    id "urn:schemas-upnp-org:device:MediaPlayer:1"
    description "Media"
!
airgroupservice "DLNA Print"
    id "urn:schemas-upnp-org:device:Printer:1"
    id "urn:schemas-upnp-org:service:PrintBasic:1"
    id "urn:schemas-upnp-org:service:PrintEnhanced:1"
    description "Print"
!
airgroupservice "allowall"
    description "Remaining-Services"
!
! AirGroup service enablement, firewall globals, RFC 3576 (dynamic authorization) servers and
! MAC / 802.1X authentication profiles.
! NOTE(review): every AirGroup service is enabled, including "remotemgmt" and the catch-all
! "allowall", while AirGroup mDNS and DLNA are set to "disable" earlier in this config; if
! either is turned on later, all of these become active at once - trim the list first.
airgroup service "airplay" enable
!
airgroup service "airprint" enable
!
airgroup service "itunes" enable
!
airgroup service "remotemgmt" enable
!
airgroup service "sharing" enable
!
airgroup service "chat" enable
!
airgroup service "googlecast" enable
!
airgroup service "AmazonTV" enable
!
airgroup service "DIAL" enable
!
airgroup service "DLNA Media" enable
!
airgroup service "DLNA Print" enable
!
airgroup service "allowall" enable
!
ip igmp
!
ipv6 mld
!
firewall attack-rate grat-arp 50 drop
firewall web-cc
firewall ip-classification
ipv6 enable
ipv6 firewall ext-hdr-parse-len 100
!
!
firewall cp
    ipv6 permit any proto 17 ports 49170 49200
!
ip domain lookup
!
ip name-server 192.111.25.243
!
country US
! NOTE(review): the RFC 3576 entry for 10.130.60.10 shows no key, while .8 and .9 carry one.
! Dynamic-authorization messages change or end user sessions, so each server should have its
! own shared secret; the two stored key strings below are now public and should be rotated.
aaa rfc-3576-server "10.130.60.10"
!
aaa rfc-3576-server "10.130.60.8"
    key 0b40c4d36631537a0eb645e11e7ca9799aa88533a9ba482b625d57b23bdc1996708736d310e1b156db9b3e99905e8aa51d40ee4fe05412fe9b4a361d7ee4b68d
!
aaa rfc-3576-server "10.130.60.9"
    key 2d21dcec464e63485381a9b227bcc0b188b991eb460dacd0be5665bf365896ef02f33a2d116b51611e4e40b7f502feaa55d192f0b4298981936b8bd1b1d3483a
!
aaa authentication mac "default"
!
aaa authentication mac "Staff-MAC"
    delimiter colon
!
aaa authentication mac "Test2"
    max-authentication-failures 5
!
aaa authentication mac "Tester"
    delimiter colon
    reauthentication
!
aaa authentication dot1x "default"
!
aaa authentication dot1x "dot1x_prof-gso63"
!
aaa authentication dot1x "dot1x_prof-lpr86"
!
aaa authentication dot1x "Guestz_Auth"
!
! Sets EAP termination types (PEAP with MSCHAPv2 / GTC inner methods) but shows no
! "termination enable" line - confirm whether termination is actually active for this profile.
aaa authentication dot1x "Contractor_Auth"
    max-authentication-failures 5
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
    termination inner-eap-type eap-gtc
!
aaa authentication dot1x "Others"
!
aaa authentication dot1x "Others2"
!
aaa authentication dot1x "Others_Auth"
    max-authentication-failures 5
!
! EAP is terminated on the controller using server certificate "SR-Root"; clients must
! validate that certificate for PEAP to protect the inner MSCHAPv2 exchange.
aaa authentication dot1x "SR-Test"
    termination enable
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
    server-cert "SR-Root"
!
! RADIUS / LDAP server definitions, server groups and the first AAA profile.
aaa authentication dot1x "SR-Test2"
    max-authentication-failures 5
!
sso idp-profile "Access"
!
! NOTE(review): the three RADIUS shared secrets and the "cppm" account password appear as
! stored strings. With the listing public, rotate all of them on both the controller and the
! ClearPass side, and review what the "appadmin" account is permitted to do.
aaa authentication-server radius "ClearPass_1"
    host "10.130.60.8"
    key 8ea0783e8373343e973f2952145c462e9514ce1631c47ac5
    cppm username "appadmin" password fef5c71a1fc56e032ce98418af507fc1be8d65bdc609b9b9eefc3ebb6ef0fb45d1f614384c97fdd816cbe51af9bc012e1fe21471503520fb949e3bf673c61cb9
!
aaa authentication-server radius "ClearPass_2"
    host "10.130.60.9"
    key 65ef44f5d5851eb687ebe8a59482e671ea22c1862507455e33f78ac822f64ec72d8a87448e4eeebbb6ad876b90e30126b48c8327ac61508b871dd5d2bfcfa745
!
aaa authentication-server radius "ClearPass_3"
    host "10.130.60.10"
    key 33410a42c201db6c35502f5eff0bf91ac4607f2743f95656
!
! Defined with no host or bind settings shown; remove it if unused.
aaa authentication-server ldap "Mountain"
!
aaa server-group "ClearPass"
    auth-server ClearPass_1
    auth-server ClearPass_2
    auth-server ClearPass_3
!
aaa server-group "default"
    auth-server ClearPass_1
    auth-server ClearPass_2
    set role condition role value-of
!
! NOTE(review): this group has no servers and sets allow-fail-through; confirm which profiles
! reference it and what a client receives when no server answers.
aaa server-group "no-mac-auth"
    allow-fail-through
!
aaa server-group "Guestz_srvgrp-rmw73"
    auth-server ClearPass_1
    auth-server ClearPass_2
!
aaa server-group "Employeez_srvgrp-rxp63"
    auth-server ClearPass_1
    auth-server ClearPass_2
    auth-server ClearPass_3
!
aaa server-group "Contractor"
    auth-server ClearPass_1
    auth-server ClearPass_2
    auth-server ClearPass_3
!
aaa server-group "Secure_srvgrp-tmo69"
    auth-server ClearPass_1
    auth-server ClearPass_2
!
aaa server-group "Secured_srvgrp-rxp63"
    auth-server ClearPass_3
    auth-server ClearPass_2
    auth-server ClearPass_1
!
aaa server-group "Others"
    auth-server ClearPass_1
    auth-server ClearPass_2
!
aaa server-group "Others2"
    auth-server ClearPass_1
    auth-server ClearPass_2
!
aaa server-group "SR-Test2"
    auth-server ClearPass_1
!
aaa server-group "SR-Test_srvgrp-rxp63"
    auth-server Internal
!
aaa profile "CaptPort-aaa_prf"
    initial-role "captiveportal_logon"
    authentication-mac "default"
    mac-server-group "ClearPass"
    radius-accounting "ClearPass"
    rfc-3576-server "10.130.60.8"
!
! AAA profiles: each binds an initial (pre-authentication) role, MAC / 802.1X authentication
! profiles, server groups and RFC 3576 servers.
! NOTE(review): several profiles use initial-role "guest" or "Contractor". As defined earlier
! in this config both roles attach the permit-all "allowall" ACL, so clients receive that
! access before they authenticate - confirm this is intended, or give these profiles a
! logon-style initial role.
aaa profile "default"
!
aaa profile "GuestX-aaa-profile"
    initial-role "guest"
!
aaa profile "Guestz-aaa_prof"
    initial-role "guest"
    mac-server-group "ClearPass"
    authentication-dot1x "Guestz_Auth"
    dot1x-server-group "Guestz_srvgrp-rmw73"
    radius-accounting "ClearPass"
    rfc-3576-server "10.130.60.10"
    rfc-3576-server "10.130.60.8"
    rfc-3576-server "10.130.60.9"
!
aaa profile "Employeez-aaa_prof"
    mac-server-group "internal"
    authentication-dot1x "default"
    dot1x-default-role "authenticated"
    dot1x-server-group "Employeez_srvgrp-rxp63"
!
aaa profile "Contractor-aaa_prof"
    initial-role "Contractor"
    mac-server-group "ClearPass"
    authentication-dot1x "Contractor_Auth"
    dot1x-server-group "Contractor"
    radius-accounting "ClearPass"
    rfc-3576-server "10.130.60.10"
    rfc-3576-server "10.130.60.8"
    rfc-3576-server "10.130.60.9"
!
aaa profile "Secure-aaa_prof"
    authentication-dot1x "dot1x_prof-gso63"
    dot1x-default-role "authenticated"
    dot1x-server-group "Secure_srvgrp-tmo69"
!
aaa profile "Secured-aaa_prof"
    authentication-dot1x "dot1x_prof-lpr86"
    dot1x-default-role "authenticated"
    dot1x-server-group "Secured_srvgrp-rxp63"
!
! This profile and "Others2" name an 802.1X profile but no dot1x-server-group.
aaa profile "Others-aaa_prof"
    initial-role "guest"
    mac-server-group "internal"
    authentication-dot1x "Others"
    rfc-3576-server "10.130.60.10"
    rfc-3576-server "10.130.60.8"
    rfc-3576-server "10.130.60.9"
!
aaa profile "Others2"
    initial-role "guest"
    mac-server-group "internal"
    authentication-dot1x "Others2"
!
aaa profile "SR-Test-aaa_prof"
    authentication-mac "Tester"
    mac-server-group "SR-Test_srvgrp-rxp63"
    authentication-dot1x "SR-Test"
    dot1x-default-role "authenticated"
    dot1x-server-group "SR-Test_srvgrp-rxp63"
!
aaa profile "SR-Test2"
    initial-role "Others-login"
    mac-server-group "ClearPass"
    authentication-dot1x "SR-Test2"
    dot1x-server-group "SR-Test2"
    radius-accounting "ClearPass"
!
aaa authentication captive-portal "default"
!
! Captive-portal authentication profiles, other authentication profiles left at defaults, the
! web-server certificate and voice/management policy stubs.
! NOTE(review): this login-page URL uses http://, so the portal page (and anything submitted
! to it) travels unencrypted; the other external login pages in this section use https://.
aaa authentication captive-portal "NWS_CaptivePortal"
    server-group "ClearPass"
    no logout-popup-window
    max-authentication-failures 5
    login-page "http://sr-ls-cpass01.sr.nws.noaa.gov/guest/NWS_provisioning.php?_browser=1"
    switchip-in-redirection-url
!
aaa authentication captive-portal "Guestz-cp_prof"
    server-group "Guestz_srvgrp-rmw73"
    login-page "https://sr-ls-cpass01.sr.nws.noaa.gov/guest/nws_guest_register.php"
    single-session
    white-list "google_play_store"
    apple-cna-bypass
!
! The post-login default-role is "Contractor", the same role the matching aaa profile assigns
! as initial-role.
aaa authentication captive-portal "Contractor-cp_prof"
    default-role "Contractor"
    server-group "Contractor"
    no logout-popup-window
    max-authentication-failures 3
    auth-protocol MSCHAPv2
    login-page "https://sr-ls-cpass01.sr.nws.noaa.gov/guest/nws_partner_register_2.php?_browser=1"
    apple-cna-bypass
!
! NOTE(review): "protocol-http" serves this portal over plain HTTP, so credentials entered
! there are sent unencrypted over the air on an open or shared-key SSID.
aaa authentication captive-portal "Others-cp_prof"
    redirect-pause 5
    no logout-popup-window
    protocol-http
    max-authentication-failures 5
    auth-protocol MSCHAPv2
    no enable-welcome-page
    user-idle-timeout 300
!
! NOTE(review): the login page points at 10.10.10.39, the address configured on
! "interface mgmt" earlier in this config; unauthenticated clients should not need to reach
! the management interface.
aaa authentication captive-portal "Others2-cp_prof"
    no logout-popup-window
    max-authentication-failures 5
    auth-protocol MSCHAPv2
    login-page "https://10.10.10.39/cgi-bin/login?profile=Others2-cp_prof"
    no enable-welcome-page
!
aaa authentication captive-portal "SR-Test2"
    login-page "https://sr-ls-cpass01.sr.nws.noaa.gov/guest/nws_partner_register_2.php?_browser=1"
    single-session
    show-acceptable-use-policy
    apple-cna-bypass
!
aaa authentication wispr "default"
!
aaa authentication vpn "default"
!
aaa authentication vpn "default-rap"
!
! Management authentication shows no sub-commands, so only defaults apply (not visible here).
aaa authentication mgmt
!
aaa authentication stateful-ntlm "default"
!
aaa authentication stateful-kerberos "default"
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server profile
    switch-cert "csr"
!
guest-access-email
!
voice logging
!
voice dialplan-profile "default"
!
app skype4b traffic-control "default"
!
voice real-time-config
!
voice wificalling
!
voice facetime
!
voice sip
!
! NOTE(review): the management password policy and control-plane-security blocks carry no
! settings in this output; verify their effective defaults rather than assuming they enforce
! anything.
aaa password-policy mgmt
!
control-plane-security
!
! IDS / licensing / PAPI stubs, the default AP system profile, regulatory domain, wired AP
! port profiles and default IDS profiles.
ids management-profile
!
ids wms-general-profile
!
ids wms-local-system-profile
!
ids ap-rule-matching
!
valid-network-oui-profile
!
upgrade-profile
!
license profile
    centralized-licensing-enable
!
activate-service-whitelist
!
file syncing profile
!
! No settings are shown under papi-security; check whether enhanced PAPI security is
! configured.
papi-security
!
ifmap cppm
!
pan profile "default"
!
pan-options
!
pan active-profile
!
lcd-menu
!
! NOTE(review): "telnet" enables Telnet access to APs using this profile, which exposes the
! AP console credentials in clear text on the wire; disable it unless there is a documented
! need. The console and backup password strings below are now public - change them.
ap system-profile "default"
    lms-ip 10.130.60.3
    bkup-lms-ip 10.130.60.4
    lms-preemption
    telnet
    ap-console-password 1f5a7070435a6f5c65375d6d4e125a1756e2100ca9455058
    bkup-passwords b85a50da2fe71124f2cf5780edb631ee09e41c3ee79af4a401817d1157f35c0775d964c0f0b05b7425e3d454373acd62f377398ecd2c8661be060378d74f26d7
!
ap regulatory-domain-profile "default"
    country-code US
    valid-11g-channel 1
    valid-11g-channel 6
    valid-11g-channel 11
    valid-11a-channel 36
    valid-11a-channel 40
    valid-11a-channel 44
    valid-11a-channel 48
    valid-11a-channel 149
    valid-11a-channel 153
    valid-11a-channel 157
    valid-11a-channel 161
    valid-11a-channel 165
    valid-11g-40mhz-channel-pair 1-5
    valid-11g-40mhz-channel-pair 7-11
    valid-11a-40mhz-channel-pair 36-40
    valid-11a-40mhz-channel-pair 44-48
    valid-11a-40mhz-channel-pair 149-153
    valid-11a-40mhz-channel-pair 157-161
    valid-11a-80mhz-channel-group 36-48
    valid-11a-80mhz-channel-group 149-161
!
ap wired-ap-profile "default"
!
! NOTE(review): AP wired ports using this profile are trusted, bridged trunks; combined with
! bridge-role "authenticated" in the "SR-Bridge" port profile below, a device plugged into
! such a port gets the post-authentication role without authenticating. Confirm the physical
! exposure of those ports.
ap wired-ap-profile "SR-Wired"
    wired-ap-enable
    trusted
    forward-mode bridge
    switchport mode trunk
    switchport trunk native vlan 192
!
ap enet-link-profile "default"
!
ap mesh-ht-ssid-profile "default"
!
ap lldp med-network-policy-profile "default"
!
ap mesh-cluster-profile "default"
!
ap lldp profile "default"
!
ap mesh-radio-profile "default"
!
ap wired-port-profile "default"
!
ap wired-port-profile "SR-Bridge"
    wired-ap-profile "SR-Wired"
    bridge-role "authenticated"
!
ids general-profile "default"
!
ids rate-thresholds-profile "default"
!
ids signature-profile "default"
!
ids impersonation-profile "default"
!
ids unauthorized-device-profile "default"
!
! Remaining IDS profiles, RF/ARM and radio profiles, WLAN helper profiles (all at
! defaults), and the first two SSID profiles.
!
! NOTE(review): only the broadcast deauth and disassoc signatures are listed. The SNMP
! trap wlsxSignatureMatch is disabled later in this configuration, so matches are
! presumably visible only through syslog - confirm they reach a monitored destination.
ids signature-matching-profile "default"
    signature "Deauth-Broadcast"
    signature "Disassoc-Broadcast"
!
ids dos-profile "default"
!
ids profile "default"
!
! ARM profile that keeps the current channel/power assignment and turns scanning off.
! NOTE(review): with "no scanning", radios using this profile presumably do not scan
! other channels, which would also limit rogue-AP visibility from them - confirm.
rf arm-profile "arm-maintain"
    assignment maintain
    no scanning
!
rf arm-profile "arm-scan"
!
rf arm-profile "default-a"
    max-tx-power 18
    min-tx-power 12
!
rf arm-profile "default-g"
    max-tx-power 9
    min-tx-power 6
    free-channel-index 40
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf am-scan-profile "default"
!
! 5 GHz radio profiles: default, maintain, monitor (am-mode) and scan variants.
rf dot11a-radio-profile "default"
!
rf dot11a-radio-profile "rp-maintain-a"
    arm-profile "arm-maintain"
!
rf dot11a-radio-profile "rp-monitor-a"
    mode am-mode
!
rf dot11a-radio-profile "rp-scan-a"
    arm-profile "arm-scan"
!
! 2.4 GHz radio profiles, mirroring the 5 GHz set above.
rf dot11g-radio-profile "default"
!
rf dot11g-radio-profile "rp-maintain-g"
    arm-profile "arm-maintain"
!
rf dot11g-radio-profile "rp-monitor-g"
    mode am-mode
!
rf dot11g-radio-profile "rp-scan-g"
    arm-profile "arm-scan"
!
wlan handover-trigger-profile "default"
!
wlan rrm-ie-profile "default"
!
wlan bcn-rpt-req-profile "default"
!
wlan dot11r-profile "default"
!
wlan tsm-req-profile "default"
!
wlan voip-cac-profile "default"
!
wlan ht-ssid-profile "default"
!
wlan hotspot anqp-venue-name-profile "default"
!
wlan hotspot anqp-nwk-auth-profile "default"
!
wlan hotspot anqp-roam-cons-profile "default"
!
wlan hotspot anqp-nai-realm-profile "default"
!
wlan hotspot anqp-3gpp-nwk-profile "default"
!
wlan hotspot h2qp-operator-friendly-name-profile "default"
!
wlan hotspot h2qp-wan-metrics-profile "default"
!
wlan hotspot h2qp-conn-capability-profile "default"
!
wlan hotspot h2qp-op-cl-profile "default"
!
wlan hotspot anqp-ip-addr-avail-profile "default"
!
wlan hotspot anqp-domain-name-profile "default"
!
wlan edca-parameters-profile station "default"
!
wlan edca-parameters-profile ap "default"
!
wlan dot11k-profile "default"
!
wlan dot11k-profile "Others"
!
! NOTE(review): no opmode line is shown for "CaptPort", so the SSID presumably uses the
! platform default (open) and relies on the captive portal alone - confirm. hide-ssid
! only suppresses the name in beacons; it is not an access control.
wlan ssid-profile "CaptPort-SSID_prof"
    essid "CaptPort"
    hide-ssid
!
! NOTE(review): no opmode line is shown for "BMX-AP" either - confirm whether this
! default SSID profile is in use and what encryption applies.
wlan ssid-profile "default"
    essid "BMX-AP"
!
! SSID profiles (ESSID, encryption mode, pre-shared keys) and the first group of
! virtual-AP definitions that bind an AAA profile, an SSID profile and a VLAN together.
!
! NOTE(review): every wpa-passphrase below is stored in encoded form, but the encoded
! values are published in this output. Treat the pre-shared keys as exposed and rotate
! them. hide-ssid on several profiles only suppresses the name in beacons; it is not an
! access control.
!
! NOTE(review): "Guest-Test" and "SR-BYOD" show no opmode line, so they presumably use
! the platform default (open). Neither is referenced by a virtual-ap shown in this
! output - confirm whether they can be removed.
wlan ssid-profile "Guest-Test"
    essid "Guest-test"
!
wlan ssid-profile "SR-BYOD"
    essid "SR-BYOD"
!
wlan ssid-profile "Guestz-ssid_prof"
    essid "Guestz"
    opmode wpa2-psk-aes
    hide-ssid
    wpa-passphrase ccf027214e5feb8993968f825150095ad4081c0d813726d5
!
! Two profiles broadcast the same ESSID "Employeez" with WPA2-Enterprise (wpa2-aes).
wlan ssid-profile "Employeez"
    essid "Employeez"
    opmode wpa2-aes
!
wlan ssid-profile "Employeez-AMA"
    essid "Employeez"
    opmode wpa2-aes
!
wlan ssid-profile "Contractor"
    essid "Contractor"
    opmode wpa2-psk-aes
    hide-ssid
    wpa-passphrase a7aa4564d5d1d60098ab78724964512db3760e942a1d6a7e
!
wlan ssid-profile "Secure-ssid_prof"
    essid "Secure"
    opmode wpa2-aes
!
wlan ssid-profile "Secured-ssid_prof"
    essid "Secured"
    opmode wpa2-aes
    hide-ssid
!
wlan ssid-profile "Others"
    essid "Others"
    opmode wpa2-psk-aes
    hide-ssid
    wpa-passphrase 587ba4153b417bf46b16d0daee51a977ae80da67b85183b7
!
wlan ssid-profile "Others2"
    essid "Others2"
    opmode wpa2-psk-aes
    hide-ssid
    wpa-passphrase 66d88d43f412ab039082d070a2082eb85e6453c578f48061
!
wlan ssid-profile "SR-Test"
    essid "SR-Test"
    opmode wpa2-aes
!
wlan ssid-profile "SR-Test2"
    essid "SR-Test2"
    opmode wpa2-psk-aes
    wpa-passphrase d050b26b70117b98acce7f841e59f1fd91f95570ac1a0c97
!
wlan hotspot advertisement-profile "default"
!
wlan hotspot hs2-profile "default"
!
wlan virtual-ap "default"
!
! NOTE(review): SR-ABQ and SR-AMA bridge employee traffic locally onto VLAN 1 instead
! of tunnelling it to the controller. Confirm that VLAN 1 at those sites is the intended
! segment and that the required policy is still enforced in bridge mode.
wlan virtual-ap "SR-ABQ"
    aaa-profile "Employeez-aaa_prof"
    ssid-profile "Employeez"
    vlan 1
    forward-mode bridge
!
wlan virtual-ap "SR-AMA"
    aaa-profile "Employeez-aaa_prof"
    ssid-profile "Employeez-AMA"
    vlan 1
    forward-mode bridge
!
! NOTE(review): the captive-portal, guest and contractor virtual APs below all place
! clients in VLAN 250, so separation between those populations depends on the user
! roles and ACLs rather than on the VLAN - confirm that is intended.
wlan virtual-ap "SR-CaptPort-vap_prof"
    aaa-profile "CaptPort-aaa_prf"
    ssid-profile "CaptPort-SSID_prof"
    vlan 250
!
wlan virtual-ap "Guestz-vap_prof"
    aaa-profile "Guestz-aaa_prof"
    ssid-profile "Guestz-ssid_prof"
    vlan 250
!
wlan virtual-ap "Employeez"
    aaa-profile "Employeez-aaa_prof"
    ssid-profile "Employeez"
    vlan 12
!
! NOTE(review): "no blacklist" presumably stops clients on this virtual AP from being
! blacklisted after repeated failures or detected attacks - confirm why it is disabled
! for the contractor network.
wlan virtual-ap "Contractors"
    aaa-profile "Contractor-aaa_prof"
    ssid-profile "Contractor"
    vlan 250
    no blacklist
!
! Remaining virtual-AP definitions, the ARM RF-domain key, and the AP groups that decide
! which virtual APs each set of access points advertises.
!
! "Secure-vap_prof" is defined but disabled (no vap-enable).
wlan virtual-ap "Secure-vap_prof"
    aaa-profile "Secure-aaa_prof"
    ssid-profile "Secure-ssid_prof"
    no vap-enable
    vlan 250
!
wlan virtual-ap "Secured-vap_prof"
    aaa-profile "Secured-aaa_prof"
    ssid-profile "Secured-ssid_prof"
    vlan 12
!
wlan virtual-ap "Others"
    aaa-profile "Others-aaa_prof"
    ssid-profile "Others"
    vlan 250
!
wlan virtual-ap "Others2"
    aaa-profile "Others2"
    ssid-profile "Others2"
    vlan 250
!
! NOTE(review): "SR-Test" has blacklisting turned off and no vlan line, and it is
! advertised by the production group "SR-AP" below as well as by "SR-Test" - confirm a
! test virtual AP should be live on production access points.
wlan virtual-ap "SR-Test"
    aaa-profile "SR-Test-aaa_prof"
    ssid-profile "SR-Test"
    no blacklist
!
wlan virtual-ap "SR-Test2"
    aaa-profile "default-dot1x-psk"
    ssid-profile "SR-Test2"
    vlan 401
!
ap provisioning-profile "default"
!
! NOTE(review): the ARM RF-domain key value is published in this output; treat it as
! exposed and replace it if it is meant to be secret.
rf arm-rf-domain-profile
    arm-rf-domain-key "ba4bd27f6defba3b7277d34a0c10c861"
!
ap spectrum local-override
!
ap-lacp-striping-ip
!
ap general-profile
!
ap-group "default"
!
! Production campus group: advertises guest, contractor, employee, "Others", captive
! portal and both test virtual APs, and applies the trusted "SR-Bridge" wired-port
! profile to enet0.
ap-group "SR-AP"
    virtual-ap "Guestz-vap_prof"
    virtual-ap "Contractors"
    virtual-ap "Employeez"
    virtual-ap "Others"
    virtual-ap "SR-CaptPort-vap_prof"
    virtual-ap "SR-Test"
    virtual-ap "Others2"
    virtual-ap "SR-Test2"
    enet0-port-profile "SR-Bridge"
!
! Group "SR-RAP": guest, contractor and "Others" virtual APs plus the bridged "SR-AMA".
ap-group "SR-RAP"
    virtual-ap "Guestz-vap_prof"
    virtual-ap "Contractors"
    virtual-ap "Others"
    virtual-ap "SR-AMA"
    virtual-ap "Others2"
!
ap-group "SR-Test"
    virtual-ap "SR-Test"
!
airgroup cppm-server aaa
!
! Logging levels and syslog destinations, SNMP trap receivers and the list of disabled
! traps, then the IP probe definitions and the end of the captured terminal session.
!
! NOTE(review): DHCP logging is left at debugging level, which is normally a temporary
! troubleshooting setting - confirm it is still needed.
logging level debugging network process dhcpd subcat dhcp
logging level debugging network subcat dhcp
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
! NOTE(review): the three syslog destinations below receive only the "wireless" and
! "network" categories. No destination for security or user messages is shown in this
! part of the configuration - confirm IDS and authentication events are exported.
logging 10.130.60.6 type wireless severity errors facility local7
logging 192.111.25.238 type network severity informational facility local7
logging 192.111.25.254 type network severity warnings facility local0
snmp-server enable trap
! NOTE(review): both trap receivers use SNMP v2c, which sends the community string
! unencrypted, and the strings are published in this output - rotate them and consider
! SNMPv3. The two strings differ only in letter case; confirm which is intended.
snmp-server host 10.130.60.6 version 2c 2bOr~otg4o udp-port 162
snmp-server host 192.111.25.254 version 2c 2bor~otg4o udp-port 162
snmp-server trap source 0.0.0.0
! NOTE(review): the disabled traps below include security-relevant events:
! wlsxDisconnectStationAttack, wlsxIpSpoofingDetected, wlsxSignatureMatch,
! wlsxStationAddedToBlackList, wlsxUserAuthenticationFailed, wlsxAuthServerTimedOut
! and wlsxProcessDied. Confirm these are covered by another alerting path.
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
! Two ICMP probes with identical timing: every 10 (unit not shown), 3 retries, burst 5.
ip probe default
    mode Ping
    frequency 10
    retries 3
    burst-size 5
!
ip probe health-check
    mode Ping
    frequency 10
    retries 3
    burst-size 5
!
end
(sr-ls-awmsctrl) # exit
(sr-ls-awmsctrl) >exitConnection closed by foreign host.