! Walkthrough for switch TYNPSWB1000, in the order the commands were entered:
! VLANs 51 and 201, an access and a trunk switching profile, two static
! port-channels, the VLAN 201 management interface, Student/Staff role ACLs,
! a RADIUS server and server group, 802.1X and captive-portal profiles, and
! finally the aaa_CP profile applied to the untrusted "Access" interface group.
! Lines beginning with "!" are review annotations; every other line is the
! original note or transcript, restored to one command per line.
Remove port membership from VLAN 1
! NOTE(review): no commands are listed under this heading. Presumably the
! access-vlan 51 / native-vlan 51 profile further down is what takes the
! access ports out of VLAN 1 - confirm on the switch.
Create a VLAN
***************
vlan 51
description B1000 Closet
vlan 201
description Management
exit
Configure a Switching Profile with Access VLAN 51
**************************************************
interface-profile switching-profile Access
access-vlan 51
Configure an Interface Group
**********************************
(TYNPSWB1000) (config) # interface-group gigabitethernet Access
(TYNPSWB1000) (gigabitethernet "Access") #apply-to 0/0/0-0/0/23,1/0/0-1/0/47
Configure a Switching Profile with Access
******************************************
(TYNPSWB1000) (config) # interface-profile switching-profile Access
(TYNPSWB1000) (switching profile "Access") #access-vlan 51
(TYNPSWB1000) (switching profile "Access") #native-vlan 51
Apply the switching Profile to an Interface
********************************************
(TYNPSWB1000) (config) #interface-group gigabitethernet Access
(TYNPSWB1000) (gigabitethernet "Access") #switching-profile Access
(TYNPSWB1000) (gigabitethernet "Access") #exit
Configure a Switching Profile with Trunking
***********************************************
(TYNPSWB1000) (config) #interface-profile switching-profile Upstream
(TYNPSWB1000) (switching profile "Upstream") #switchport-mode trunk
! NOTE(review): "add" extends the profile's existing allowed-VLAN list. If
! the default list already allows every VLAN, this does not prune the trunk
! to 51 and 201 - verify the effective list on the uplinks.
(TYNPSWB1000) (switching profile "Upstream") #trunk allowed vlan add 51,201
! NOTE(review): the native VLAN of the uplink trunk is 201, the same VLAN
! that carries the management interface (10.2.1.100). Untagged frames
! received on the uplink therefore land in the management VLAN; a dedicated,
! otherwise unused native VLAN keeps untagged traffic away from management.
(TYNPSWB1000) (switching profile "Upstream") #native-vlan 201
(TYNPSWB1000) (switching profile "Upstream") #exit
Configure Static Port-Channel
******************************
(TYNPSWB1000) (config) #interface port-channel 1
(TYNPSWB1000) (port-channel "1") #port-channel-members gigabitethernet0/1/0,gigabitethernet1/1/0
(TYNPSWB1000) (port-channel "1") #switching-profile Upstream
(TYNPSWB1000) (config) #interface port-channel 0
(TYNPSWB1000) (port-channel "0") #port-channel-members gigabitethernet0/1/1,gigabitethernet1/1/1
(TYNPSWB1000) (port-channel "0") #switching-profile Upstream
(TYNPSWB1000) (port-channel "0") #exit
Configure Management VLAN Interface
*******************************
interface vlan 201
ip address 10.2.1.100 255.255.255.0
ip-profile
default-gateway 10.2.1.1
Configure User Role and ACL Policies
*************************************
! Student ACL: DHCP and DNS to any destination, plus TCP 80/443 to four
! hosts in 10.1.0.x. Nothing else is permitted by the rules shown.
(TYNPSWB1000) (config) #ip access-list stateless Student
(TYNPSWB1000) (config-stateless-Student)#any any svc-dhcp permit
(TYNPSWB1000) (config-stateless-Student)#any any svc-dns permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.91 tcp 80 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.91 tcp 443 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.28 tcp 80 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.28 tcp 443 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.135 tcp 80 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.135 tcp 443 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.151 tcp 80 permit
(TYNPSWB1000) (config-stateless-Student)#any host 10.1.0.151 tcp 443 permit
(TYNPSWB1000) (config-stateless-Student)#exit
! NOTE(review): the two "*" lines below were not entered at a prompt. They
! look like a narrower alternative to the "any any" DNS/DHCP rules above,
! limiting both services to 10.1.0.0/24 - confirm which version is
! deployed. The narrower form stops a restricted role from sending DNS to
! arbitrary outside resolvers.
*any network 10.1.0.0 255.255.255.0 svc-dns permit
*any network 10.1.0.0 255.255.255.0 svc-dhcp permit
(TYNPSWB1000) (config) #user-role Student
(TYNPSWB1000) (config-role) #access-list stateless Student
(TYNPSWB1000) (config-role) #exit
(TYNPSWB1000) (config) #ip access-list stateless Staff
(TYNPSWB1000) (config-stateless-Staff)#any any any permit
(TYNPSWB1000) (config-stateless-Staff)#exit
! NOTE(review): the Staff role attaches "allowall-stateless", not the
! "Staff" ACL created just above, so nothing shown here references the
! Staff ACL. Either way the Staff role is unrestricted.
(TYNPSWB1000) (config) #user-role Staff
(TYNPSWB1000) (config-role) #access-list stateless allowall-stateless
(TYNPSWB1000) (config-role) #exit
Configuration AAA Authentication Server
****************************************
(TYNPSWB1000) (config) #aaa authentication-server radius RADIUS
(TYNPSWB1000) (RADIUS Server "RADIUS") #host 10.1.0.161
! NOTE(review): the RADIUS shared secret is recorded here in clear text.
! A secret that has been pasted into notes should be treated as exposed:
! rotate it on both the switch and the RADIUS server, and keep only a
! placeholder in documentation.
(TYNPSWB1000) (RADIUS Server "RADIUS") #key TKY!4rad!us
(TYNPSWB1000) (RADIUS Server "RADIUS") #enable
(TYNPSWB1000) (RADIUS Server "RADIUS") #exit
(TYNPSWB1000) (config) #
Configuration of Server Group
******************************
! Role derivation from the RADIUS Class attribute: Faculty -> Staff,
! Student -> Student.
! NOTE(review): a user whose Class matches neither value presumably falls
! back to the default role of whichever profile authenticated them. For
! aaa_Staff and Staff-CP below that default is the unrestricted Staff
! role - confirm that fallback is intended.
(TYNPSWB1000) (config) #aaa server-group AuthServer
(TYNPSWB1000) (Server Group "AuthServer") #auth-server RADIUS
(TYNPSWB1000) (Server Group "AuthServer") #set role condition Class equals Faculty set-value Staff
(TYNPSWB1000) (Server Group "AuthServer") #set role condition Class equals Student set-value Student
Creating 802.1X Authentication and AAA Profile
***************************************
! NOTE(review): aaa_Student and aaa_Staff are defined here, but the only
! AAA profile applied to an interface in this transcript is aaa_CP, which
! sets an initial role and nothing else. As shown, 802.1X is not enforced
! on the Access ports - confirm whether that is intended.
(TYNPSWB1000) (config) #aaa authentication dot1x Student
(TYNPSWB1000) (802.1X Authentication Profile "Student") #exit
(TYNPSWB1000) (config) #aaa authentication dot1x Staff
(TYNPSWB1000) (802.1X Authentication Profile "Staff") #exit
(TYNPSWB1000) (config) #aaa profile aaa_Student
(TYNPSWB1000) (AAA Profile "aaa_Student") #dot1x-default-role Student
(TYNPSWB1000) (AAA Profile "aaa_Student") #authentication-dot1x Student
(TYNPSWB1000) (AAA Profile "aaa_Student") #dot1x-server-group AuthServer
(TYNPSWB1000) (AAA Profile "aaa_Student") #exit
(TYNPSWB1000) (config) #aaa profile aaa_Staff
(TYNPSWB1000) (AAA Profile "aaa_Staff") #dot1x-default-role Staff
(TYNPSWB1000) (AAA Profile "aaa_Staff") #authentication-dot1x Staff
(TYNPSWB1000) (AAA Profile "aaa_Staff") #dot1x-server-group AuthServer
(TYNPSWB1000) (AAA Profile "aaa_Staff") #exit
Create Captive Portal Profile
*******************************
! Three captive-portal profiles share the AuthServer group and the same
! login page; they differ only in default role (guest, Student, Staff).
! NOTE(review): the login page is served from 10.2.1.100, the switch's own
! VLAN 201 management address, so unauthenticated clients must be able to
! reach that address. Check that management services on it are restricted
! to administrators. Tyndale-CP is not attached to any role in this
! transcript.
(TYNPSWB1000) (config) #aaa authentication captive-portal Tyndale-CP
(TYNPSWB1000) (Captive Portal Authentication Profile "Tyndale-CP") #default-role guest
(TYNPSWB1000) (Captive Portal Authentication Profile "Tyndale-CP") #server-group AuthServer
(TYNPSWB1000) (Captive Portal Authentication Profile "Tyndale-CP") #login-page https://10.2.1.100/auth/index.html
(TYNPSWB1000) (Captive Portal Authentication Profile "Tyndale-CP") #exit
(TYNPSWB1000) (config) #aaa authentication captive-portal Student-CP
(TYNPSWB1000) (Captive Portal Authentication Profile "Student-CP") #default-role Student
(TYNPSWB1000) (Captive Portal Authentication Profile "Student-CP") #server-group AuthServer
(TYNPSWB1000) (Captive Portal Authentication Profile "Student-CP") #login-page https://10.2.1.100/auth/index.html
(TYNPSWB1000) (Captive Portal Authentication Profile "Student-CP") #exit
(TYNPSWB1000) (config) #aaa authentication captive-portal Staff-CP
(TYNPSWB1000) (Captive Portal Authentication Profile "Staff-CP") #default-role Staff
(TYNPSWB1000) (Captive Portal Authentication Profile "Staff-CP") #server-group AuthServer
(TYNPSWB1000) (Captive Portal Authentication Profile "Staff-CP") #login-page https://10.2.1.100/auth/index.html
(TYNPSWB1000) (Captive Portal Authentication Profile "Staff-CP") #exit
Attach a Captive Portal to a User Role
*******************************************
! NOTE(review): two captive-portal profiles are assigned to the same role
! back to back. Presumably the second replaces the first, leaving
! Student-CP active - confirm with "show rights CaptivePortal-User". No
! access-list is attached to this role here, so what pre-authentication
! traffic is allowed depends on platform defaults - verify.
(TYNPSWB1000) (config) #user-role CaptivePortal-User
(TYNPSWB1000) (config-role) #captive-portal Staff-CP
(TYNPSWB1000) (config-role) #captive-portal Student-CP
(TYNPSWB1000) (config-role) #exit
Designate the CP-User Role as the Initial role of the AAA profile CP_AAA
*************************************************************************
! NOTE(review): the heading says "CP-User" and "CP_AAA"; the objects
! actually configured are the role CaptivePortal-User and the profile
! aaa_CP.
(TYNPSWB1000) (config) # aaa profile aaa_CP
(TYNPSWB1000) (AAA Profile "aaa_CP") #initial-role CaptivePortal-User
(TYNPSWB1000) (AAA Profile "aaa_CP") #exit
Apply the configured AAA Profile to an Interface
*************************************************
! The Access group (0/0/0-0/0/23 and 1/0/0-1/0/47, per the apply-to line
! earlier) gets aaa_CP and is marked untrusted.
! NOTE(review): "no trusted port" is presumably what makes the AAA profile
! and role ACLs apply to traffic on these ports. The port-channel uplinks
! are left at their default trust setting - confirm.
(TYNPSWB1000) (config) #interface-group gigabitethernet Access
(TYNPSWB1000) (gigabitethernet "Access") #aaa-profile aaa_CP
(TYNPSWB1000) (gigabitethernet "Access") #no trusted port
(TYNPSWB1000) (gigabitethernet "Access") #exit