Interoperability Report - Ascom i62 – IOS XE, AP 1140/1250/1260/1600/2600/2700/3500/3600/3700. 2016-05-19

INTEROPERABILITY REPORT
Ascom i62
Cisco 3650/3850/5760
AP1140/1250/1260/1600/1700/2600/2700/3500/3600/3700
Cisco IOS XE version 03.07.03
Ascom i62 and OEM derivatives version 5.5.0

Ascom, Gothenburg
May 2016

Sep 29, 2020


dariahiddleston

    TABLE OF CONTENT:
    INTRODUCTION
      About Ascom
      About Cisco
    SITE INFORMATION
    SUMMARY AND TEST RESULTS
      Known issues
      Compatibility information
      General conclusion
    APPENDIX A: TEST CONFIGURATIONS
      Cisco Catalyst 3850 version 03.07.03
        Security settings (PSK)
        802.1X authentication (PEAP-MSCHAPv2, EAP-FAST or EAP-TLS).
        WLAN Settings (QoS, DTIM, Session Timeout)
        Radio Settings
      Ascom i62
      Innovaphone IP6000 (IP PBX)
    APPENDIX B: DETAILED TEST RECORDS

    INTRODUCTION

    This document describes the steps and guidelines needed to optimally configure the Cisco IOS XE platform with Ascom i62 VoWiFi handsets.

    The guide should be used in conjunction with both Cisco's and Ascom's configuration guide(s).

    About Ascom

    Ascom Wireless Solutions (www.ascom.com/ws) is a leading provider of on-site wireless communications for key segments such as hospitals, manufacturing industries, retail and hotels. More than 75,000 systems are installed at major companies all over the world. The company offers a broad range of voice and professional messaging solutions, creating value for customers by supporting and optimizing their Mission-Critical processes. The solutions are based on VoWiFi, IP-DECT, DECT, Nurse Call and paging technologies, smartly integrated into existing enterprise systems. The company has subsidiaries in 10 countries and 1,200 employees worldwide. Founded in the 1950s and based in Göteborg, Sweden, Ascom Wireless Solutions is part of the Ascom Group, listed on the Swiss Stock Exchange.

    About Cisco

    Cisco (NASDAQ: CSCO) is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. For ongoing news, please go to http://thenetwork.cisco.com.

    SITE INFORMATION

    Test Site:
    Ascom US
    598 Airport Blvd, Suite 300
    Morrisville, NC, US-27560
    USA

    Participants:
    Karl-Magnus Olsson, Ascom HQ, Gothenburg Sweden

    TEST TOPOLOGY

    SUMMARY AND TEST RESULTS

    Please refer to Appendix B for detailed results.

    WLAN Controller Features

    High Level Functionality: Result
    - Association, Open with No Encryption: OK
    - Association, WPA2-PSK, AES Encryption: OK
    - Association, PEAP-MSCHAPv2 Auth., AES Encryption: OK
    - Association with EAP-FAST authentication: OK
    - Association, EAP-TLS: OK
    - Association, Multiple ESSIDs: OK
    - Beacon Interval and DTIM Period: OK
    - PMKSA Caching: OK*
    - WPA2-opportunistic/proactive Key Caching: OK*
    - WMM Prioritization: OK
    - Active Mode (load test): OK
    - 802.11 Power-save mode: OK
    - 802.11e U-APSD: OK
    - 802.11e U-APSD (load test): OK

    *) Enabled by default

    Roaming

    High Level Functionality: Result
    - Roaming, Open with No Encryption: OK (typical roaming time 25ms)*
    - Roaming, WPA2-PSK, AES Encryption: OK (typical roaming time 56ms)*
    - Roaming, PEAP-MSCHAPv2 Auth, AES Encryption: OK (typical roaming time 65ms)*/**
    - Roaming, EAP-FAST, CCKM: OK (typical roaming time 38ms)*

    *) Average roaming times are measured using 802.11a/n. Refer to Appendix B for detailed test results.
    **) Measured times are with opportunistic/proactive Key Caching enabled (enabled by default).


    Known issues

    - Important. It is essential to follow the “General guidelines when deploying Ascom i62 handsets in 802.11a/n/ac environments” on page 16 and not exceed 8 enabled channels in the system. Not doing so might cause the Ascom i62 to randomly lose connection to the network for a few seconds (“no network” including audible signal)

    For additional information regarding known issues, please contact [email protected] or [email protected]

    Compatibility information

    Supported access points with Cisco IOS XE 03.07.03:
    AP1140, AP1250, AP1260, AP1600, AP1700, AP2600, AP2700, AP3500, AP3600, AP3700

    Supported controller platforms with Cisco IOS XE 03.07.03:
    Cisco Catalyst integrated switch 3650 and 3850
    Cisco Wireless LAN Controller 5760

    General conclusion

    Overall, the outcome of the interoperability verification, including association, authentication and roaming, produced very good results.

    APPENDIX A: TEST CONFIGURATIONS

    Cisco Catalyst 3850 version 03.07.03

    In the following chapter you will find screenshots and explanations of basic settings in order to get a Cisco IOS XE based WLAN system to operate with an Ascom i62.

    System overview.

    Security settings (PSK)

    Example of how to configure the system for PSK (WPA2-AES)

    Security profile WPA2-PSK, AES encryption

    - Select PSK and enter a key (here in ASCII format)

    3850(config-wlan)#security wpa wpa2
    3850(config-wlan)#security wpa wpa2 ciphers aes
    3850(config-wlan)#security wpa akm psk set-key ascii 0 SecretKey

    802.1X authentication (PEAP-MSCHAPv2, EAP-FAST or EAP-TLS).

    Example of how to configure the system for .1X authentication

    Configuration of authentication using an external RADIUS server, 802.1X (Step 1). WPA2-AES/CCMP is used in this example.

    Note. To use CCKM, replace 802.1X with CCKM in the drop-down list. The “security mode” in the i62 has to be set to “Advanced” and CCKM has to be selected as “Authentication Key Management” instead of the default 802.1X.

    Example of authentication configuration using an external RADIUS server (Step 2). Select the server group to use. The server is configured under the tab Security/RADIUS. See the configuration of the server in the next step.

    Configuration of authentication using an external RADIUS server (Step 3). The IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. All tests involving dot1X security used Cisco ACS version 5.5.

    Create a RADIUS server group. Make sure your RADIUS server from step 3 is selected as an Assigned Server.

    Create RADIUS server (Intop_ACS)

    3850(config)#radius server Intop_ACS
    3850(config-radius-server)#address ipv4 192.168.0.31 auth-port 1812 acct-port 1813
    3850(config-radius-server)#key YourKey

    Create RADIUS server group (Intop) and assign your RADIUS server (Intop_ACS)

    3850(config)#aaa group server radius Intop
    3850(config-sg-radius)#server name Intop_ACS

    Enable dot1X

    3850(config)#dot1x system-auth-control

    Configure WLAN

    3850(config-wlan)#security wpa wpa2 ciphers aes
    3850(config-wlan)#security dot1x authentication-list Intop
    3850(config-wlan)#security wpa akm dot1x

    To use CCKM, replace 802.1X with CCKM in the drop-down list (step 1). The “security mode” in the i62 has to be set to “Advanced” and CCKM has to be selected as “Authentication Key Management” instead of the default 802.1X.

    3850(config-wlan)#security wpa akm CCKM

    WLAN Settings (QoS, DTIM, Session Timeout)

    Disable Coverage Hole Detection. Disable Session Timeout. Enable Aironet IE.

    Configure DTIM 5. A DTIM value of 5 is recommended in order to allow maximum battery conservation without impacting the quality. Using a lower DTIM value is possible but will reduce the standby time slightly.

    3850(config-wlan)#dtim dot11 24ghz 5
    3850(config-wlan)#dtim dot11 5ghz 5

    Make sure session timeout and Coverage Hole Detection are disabled

    3850(config-wlan)#no session-timeout
    3850(config-wlan)#no chd

    Recommended WMM and QoS settings

    3850(config-wlan)#wmm require
    3850(config-wlan)#service-policy input platinum-up
    3850(config-wlan)#service-policy output platinum

    Radio Settings

    Ascom's recommended setting for 802.11b/g/n is to use only channels 1, 6 and 11. For 802.11a/n/ac, use channels according to the infrastructure manufacturer and country regulations. Note that channel and power level were set manually for test purposes.

    3850#ap name dot11 { 24ghz | 5ghz }
    3850#ap name dot11 { 24ghz | 5ghz } txpower { auto | }

    General guidelines when deploying Ascom i62 handsets in 802.11a/n/ac environments:

    1. Enabling more than 8 channels will degrade roaming performance. Ascom recommends against going above this limit.

    2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS* channels to two in ETSI regions (Europe). In FCC regions (North America), 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.

    3. Ascom supports and can coexist in 80MHz channel bonding environments. The recommendation, however, is to avoid 80MHz channel bonding as it severely reduces the number of available non-overlapping channels.

    4. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends, if possible, avoiding the use of DFS channels in VoWIFI deployments.

    The default data rate set will work just fine; however, Ascom recommends disabling the lowest speeds and having 12Mbits as the lowest supported speed. To further optimize performance, it is recommended to prevent 802.11b clients from associating by setting the 12Mbps rate to mandatory in the 802.11g/n configuration.

    3850(config)#ap dot11 24ghz rate RATE_1M disable
    3850(config)#ap dot11 24ghz rate RATE_2M disable
    3850(config)#ap dot11 24ghz rate RATE_5_5M disable
    3850(config)#ap dot11 24ghz rate RATE_6M disable
    3850(config)#ap dot11 24ghz rate RATE_9M disable
    3850(config)#ap dot11 24ghz rate RATE_11M disable
    3850(config)#ap dot11 24ghz rate RATE_12M mandatory

    Ascom supports both 40MHz and “11ac Mode”, including 80MHz channels.

    Ascom recommends “EDCA Profile”: Voice Optimized

    3850(config)#ap dot11 24ghz edca-parameters optimized-voice
    3850(config)#ap dot11 5ghz edca-parameters optimized-voice

    Note. Using EDCA Profile “WMM” is possible, but “Voice Optimized” is preferred when voice clients are present in the system.

    Cisco Configuration file

    See attached file (Running config.log) for complete Cisco WLC configuration.


    Ascom i62

    Network settings for WPA2-PSK

    Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
    Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

    Network settings for .1X authentication (PEAP-MSCHAPv2)

    Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
    Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

    Network settings for EAP-FAST utilizing CCKM as key management.

    Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
    Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

    802.1X authentication requires a CA certificate to be uploaded to the phone by right-clicking -> Edit certificates. EAP-TLS requires both a CA certificate and a client certificate; otherwise only a CA certificate is needed. Server certificate validation can be overridden per handset setting in version 4.1.12 and above.

    Innovaphone IP6000 (IP PBX)

    The Innovaphone IP6000 was configured with a static IP address of 192.168.0.50. Signaling is less relevant here since testing homes in on interoperability in relation to the WLAN infrastructure and not features of the IP PBX. During the tests the IP6000 also was used as DHCP server.

    IP6000 configuration: See attached file (complete-IP6000-08-03-a6.txt) for IP6000 configuration

    APPENDIX B: DETAILED TEST RECORDS

    VoWIFI
    Pass: 22
    Fail: 0
    Comments: 0
    Untested: 1
    Total: 23

    See attached document (WLANinteroperabilityTestReport_X.xls) for detailed test results. Please refer to the test specification for WLAN systems on Ascom’s interoperability web page for explicit information regarding each test case. See URL (requires login): https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability

    Document History

    Rev  Date        Author  Description
    P1   2016-02-08  SEKMO   IOS XE v 03.07.03 first draft
    R1   2016-05-18  SEKMO   Revision R1

    WLAN TR

    WLAN Interoperability Test Report

    Test object - Handset: Ascom i62 5.5.0
    Test object - WLAN system: Cisco 3850 version 03.07.03
    AP 1700, 3600, 3500 and 3700

    WLAN configuration:
    - Beacon Interval: 100ms
    - DTIM Interval: 5
    - 802.11d Regulatory Domain: World
    - WMM Enabled (Auto/WMM)
    - No Auto-tune
    - Single Voice VLAN

    Verdict columns, in order: AP3700 2.4GHz, AP3700 5.0GHz, AP1700 2.4GHz, AP1700 5.0GHz, AP3600 2.4GHz, AP3600 5.0GHz, AP3500 2.4GHz, AP3500 5.0GHz.
    Verdict values listed in the sheet: PASS, FAIL, NOT TESTED, See Comment.

    TEST AREA ASSOCIATION / AUTHENTICATION

    #101 Association with open authentication, no encryption
         Verdict: PASS in all eight columns
    #107 Association with WPA2-PSK authentication, AES-CCMP encryption
         Verdict: PASS in all eight columns
    #110 Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption
         Verdict: PASS in all eight columns
         Comment: Cisco ACS RADIUS server; RootCA loaded to device; Handset authenticates twice
    #111 Association with EAP-FAST authentication
         Verdict: PASS in all eight columns
         Comment: Cisco ACS RADIUS server;
    #116 Association with EAP-TLS authentication
         Verdict: PASS in all eight columns
         Comment: Cisco ACS RADIUS server; RootCA and clients certificate loaded to device; Handset authenticates twice

    TEST AREA POWER-SAVE AND QOS

    #150 802.11 Power-save mode
         Verdict: PASS in all eight columns
    #151 Beacon period and DTIM interval
         Verdict: PASS in all eight columns
         Comment: DTIM 1, 3, 5, Beacon Period 100tu
    #152 802.11e U-APSD
         Verdict: PASS in all eight columns
    #202 WMM prioritization
         Verdict: PASS in all eight columns
         Comment: iperf used to generate background load.

    TEST AREA "PERFORMANCE"

    #308 Power-save mode U-APSD – WPA2-PSK
         Verdict: PASS in all eight columns
         Comment: 14hs ok on one single radio. Note that 12 was not the limit.
    #310 CAC - TSPEC
         Verdict: PASS in all eight columns

    TEST AREA ROAMING AND HANDOVER TIMES

    #401 Handover with open authentication and no encryption
         Verdict: PASS in all eight columns
         Comment: AVG roaming time 11an: 25ms, bgn: 33ms (No significant difference seen in roaming times between different AP models)
    #404 Handover with WPA2-PSK auth and AES-CCMP encryption
         Verdict: PASS in all eight columns
         Comment: AVG roaming time 11an: 56ms, bgn: 57ms (No significant difference seen in roaming times between different AP models)
    #408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption
         Verdict: PASS in all eight columns
         Comment: AVG roaming time 11an: 65ms, bgn: 56ms (No significant difference seen in roaming times between different AP models)
    #409 Handover with EAP-FAST authentication with CCKM
         Verdict: PASS in all eight columns
         Comment: AVG roaming time 11an: 38ms, bgn: 43ms (No significant difference seen in roaming times between different AP models)
    #411 Handover using PMKSA and opportunistic/proactive key caching
         Verdict: PASS in all eight columns

    TEST AREA BATTERY LIFETIME

    #501 Battery lifetime in idle
         Verdict: PASS, PASS, NOT TESTED, NOT TESTED, NOT TESTED, NOT TESTED, NOT TESTED, NOT TESTED
         Comment: 80-90hours. DTIM 5. Non-DFS channels only
    #504 Battery lifetime in call with power save mode U-APSD
         Verdict: PASS in all eight columns
         Comment: 12-14h

    TEST AREA STABILITY

    #602 Duration of call – U-APSD mode
         Verdict: PASS in all eight columns
         Comment: 24h

    TEST AREA 802.11n

    #801 Frame aggregation A-MSDU
         Verdict: NOT TESTED in all eight columns
    #802 Frame aggregation A-MPDU
         Verdict: PASS in all eight columns
         Comment: Uplink and downlink. Except UP 5 and 6 per Cisco default setting
    #804 40Mhz channels
         Verdict: NOT TESTED, PASS, NOT TESTED, PASS, NOT TESTED, PASS, NOT TESTED, PASS
         Comment: only 20MHz channel width tested on 2.4GHz band
    #805 802.11n rates
         Verdict: PASS in all eight columns

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.02.09 10:53:07 =~=~=~=~=~=~=~=~=~=~=~=

    Building configuration...

    Current configuration : 13017 bytes
    !
    ! Last configuration change at 16:20:54 UTC Mon Feb 8 2016 by admin
    !
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    !
    hostname KMO-3850
    !
    boot-start-marker
    boot system switch all flash:packages.conf
    boot-end-marker
    !
    !
    vrf definition Mgmt-vrf
     !
     address-family ipv4
     exit-address-family
     !
     address-family ipv6
     exit-address-family
    !
    logging console emergencies
    enable secret 4 /LiUDKl222VXr5BVzYJsZZoMVnMDY807K69ZWa76z6M
    !
    username admin2 privilege 15 secret 5 $1$5vhz$LiMKqACk4HcURHldKNVJA1
    username admin privilege 15 password 0 changeme
    user-name testuser
     creation-time 1411674251
     privilege 15
     password 0 testpw
     type network-user description testuser
    aaa new-model
    !
    aaa user profile testuser
    !
    aaa group server radius Intop
     server name Intop
    !
    aaa group server radius Intop_ACS
     server name Intop_ACS
     server name Intop
    !
    aaa authentication dot1x default local
    aaa authentication dot1x Intop group Intop_ACS
    aaa authentication dot1x authen_list local
    aaa authorization network default group radius
    aaa authorization credential-download author_list local
    aaa accounting update periodic 15
    aaa local authentication authen_list authorization author_list
    !
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 192.168.0.93 server-key secret
     client 192.168.0.31 server-key secret
     auth-type any
    !
    aaa session-id common
    clock timezone UTC -5 0
    clock summer-time UTC recurring
    switch 1 provision ws-c3850-24p
    eap profile localeap
     description localeap
     method fast profile localeap
     method peap
    !
    eap method fast profile localeap
     description localeap
     no client-cert-required
     no local-cert-required
     local-key 0 test
    !
    !
    !
    !
    !
    !
    !
    ip dhcp snooping vlan 1
    ip dhcp snooping wireless bootp-broadcast enable
    ip dhcp snooping
    !
    !
    qos queue-softmax-multiplier 100
    access-session mac-move deny
    central-management-version 13882345980218572806
    !
    flow monitor wireless-avc-basic
     record wireless avc basic
    !
    !
    crypto pki trustpoint TP-self-signed-2002586361
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2002586361
     revocation-check none
     rsakeypair TP-self-signed-2002586361
    !
    !
    crypto pki certificate chain TP-self-signed-2002586361
     certificate self-signed 01
      quit
    dot1x system-auth-control
    diagnostic bootup level minimal
    service-template webauth-global-inactive
     inactivity-timer 3600
    service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
     linksec policy must-secure
    service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
     linksec policy should-secure
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    hw-switch switch 1 logging onboard message level 3
    !
    redundancy
     mode sso
    !
    !
    !
    !
    class-map match-any AutoQos-4.0-RT1-Class
     match dscp ef
     match dscp cs6
    class-map match-any AutoQos-4.0-RT2-Class
     match dscp cs4
     match dscp cs3
     match dscp af41
    class-map match-any AutoQos-4.0-wlan-Voip-Signal-Class
     match dscp cs3
     match access-group name AutoQos-4.0-wlan-Acl-Signaling
    class-map match-any AutoQos-4.0-wlan-Voip-Data-Class
     match dscp ef
    class-map match-any AutoQos-4.0-wlan-Multimedia-Conf-Class
     match access-group name AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
    class-map match-any AutoQos-4.0-wlan-Bulk-Data-Class
     match access-group name AutoQos-4.0-wlan-Acl-Bulk-Data
    class-map match-any AutoQos-4.0-wlan-Scavanger-Class
     match access-group name AutoQos-4.0-wlan-Acl-Scavanger
    class-map match-any AutoQos-4.0-wlan-Transaction-Class
     match access-group name AutoQos-4.0-wlan-Acl-Transactional-Data
    class-map match-any non-client-nrt-class
    !
    !
    policy-map port_child_policy
     class non-client-nrt-class
      bandwidth remaining ratio 10
    policy-map AutoQos-4.0-wlan-ET-Client-Input-Policy
     class AutoQos-4.0-wlan-Voip-Data-Class
      set dscp ef
     class AutoQos-4.0-wlan-Voip-Signal-Class
      set dscp cs3
     class AutoQos-4.0-wlan-Multimedia-Conf-Class
      set dscp af41
     class AutoQos-4.0-wlan-Transaction-Class
      set dscp af21
     class AutoQos-4.0-wlan-Bulk-Data-Class
      set dscp af11
     class AutoQos-4.0-wlan-Scavanger-Class
      set dscp cs1
     class class-default
      set dscp default
    policy-map AutoQos-4.0-wlan-GT-SSID-Output-Policy
     class class-default
      shape average percent 100
      queue-buffers ratio 0
      set dscp default
    policy-map AutoQos-4.0-wlan-GT-SSID-Input-Policy
     class class-default
      set dscp default
    policy-map AutoQos-4.0-wlan-ET-SSID-Child-Policy
     class AutoQos-4.0-RT1-Class
      police cir percent 10
      priority level 1
     class AutoQos-4.0-RT2-Class
      police cir percent 20
      priority level 2
     class class-default
    policy-map AutoQos-4.0-wlan-ET-SSID-Output-Policy
     class class-default
      shape average percent 100
      queue-buffers ratio 0
      service-policy AutoQos-4.0-wlan-ET-SSID-Child-Policy
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     no ip address
     negotiation auto
    !
    interface GigabitEthernet1/0/1
     description port1
     switchport mode access
     switchport voice vlan 1
     spanning-tree portfast
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/2
     switchport mode access
     switchport voice vlan 1
     spanning-tree portfast
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 1
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/4
     switchport mode access
     switchport voice vlan 1
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
     switchport mode access
     switchport voice vlan 1
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
     switchport trunk allowed vlan 1
     switchport mode trunk
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
     switchport access vlan 7
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/20
     switchport access vlan 7
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/21
     switchport access vlan 7
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/22
     switchport access vlan 7
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/23
     switchport access vlan 7
     switchport mode access
     spanning-tree portfast
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 7
     switchport mode access
    !
    interface GigabitEthernet1/1/1
    !
    interface GigabitEthernet1/1/2
    !
    interface GigabitEthernet1/1/3
    !
    interface GigabitEthernet1/1/4
    !
    interface TenGigabitEthernet1/1/1
    !
    interface TenGigabitEthernet1/1/2
    !
    interface TenGigabitEthernet1/1/3
    !
    interface TenGigabitEthernet1/1/4
    !
    interface Vlan1
     description vlan1
     ip dhcp relay information trusted
     ip address 192.168.0.30 255.255.255.0
     ip helper-address 192.168.0.10
     ip helper-address 192.168.0.11
    !
    ip default-gateway 192.168.0.50
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
     permit tcp any any eq 22
     permit tcp any any eq 465
     permit tcp any any eq 143
     permit tcp any any eq 993
     permit tcp any any eq 995
     permit tcp any any eq 1914
     permit tcp any any eq ftp
     permit tcp any any eq ftp-data
     permit tcp any any eq smtp
     permit tcp any any eq pop3
    ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
     permit udp any any range 16384 32767
     permit tcp any any range 50000 59999
    ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
     permit tcp any any range 2300 2400
     permit udp any any range 2300 2400
     permit tcp any any range 6881 6999
     permit tcp any any range 28800 29100
     permit tcp any any eq 1214
     permit udp any any eq 1214
     permit tcp any any eq 3689
     permit udp any any eq 3689
     permit tcp any any eq 11999
    ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
     permit tcp any any range 2000 2002
     permit tcp any any range 5060 5061
     permit udp any any range 5060 5061
    ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
     permit tcp any any eq 443
     permit tcp any any eq 1521
     permit udp any any eq 1521
     permit tcp any any eq 1526
     permit udp any any eq 1526
     permit tcp any any eq 1575
     permit udp any any eq 1575
     permit tcp any any eq 1630
     permit udp any any eq 1630
     permit tcp any any eq 1527
     permit tcp any any eq 6200
     permit tcp any any eq 3389
     permit tcp any any eq 5985
     permit tcp any any eq 8080
    !
    !
    !
    !
    radius server Intop
     address ipv4 192.168.0.2 auth-port 1812 acct-port 1646
     key secret
    !
    radius server Intop_ACS
     address ipv4 192.168.0.31 auth-port 1812 acct-port 1813
     key secret
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     password changeme
     length 0
    line vty 5 15
     password changeme
    !
    wsma agent exec
     profile httplistener
     profile httpslistener
    !
    wsma agent config
     profile httplistener
     profile httpslistener
    !
    wsma agent filesys
     profile httplistener
     profile httpslistener
    !
    wsma agent notify
     profile httplistener
     profile httpslistener
    !
    !
    wsma profile listener httplistener
     transport http
    !
    wsma profile listener httpslistener
     transport https
    !
    wireless mobility controller
    wireless management interface Vlan1
    wlan CiscoIntop2 1 CiscoIntop2
     no chd
     dtim dot11 24ghz 5
     dtim dot11 5ghz 5
     no exclusionlist
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     no security wpa akm dot1x
     security wpa akm psk set-key ascii 0 comptest
     security dot1x authentication-list Intop
     service-policy input platinum-up
     service-policy output platinum
     wmm require
     no shutdown
    wlan CiscoIntop2-dot1x 2 CiscoIntop2-dot1x
     dtim dot11 24ghz 5
     dtim dot11 5ghz 5
     no exclusionlist
     security dot1x authentication-list Intop
     service-policy input platinum-up
     service-policy output platinum
     session-timeout 60000
     wmm require
     no shutdown
    wlan CiscoIntop2-eapfastcckm 3 CiscoIntop2-eapfastcckm
     dtim dot11 24ghz 5
     dtim dot11 5ghz 5
     no exclusionlist
     security wpa akm cckm
     no security wpa akm dot1x
     security dot1x authentication-list Intop
     service-policy input platinum-up
     service-policy output platinum
     session-timeout 60000
     wmm require
     no shutdown
    wlan CiscoIntop2OPEN 4 CiscoIntop2OPEN
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     service-policy input platinum-up
     service-policy output platinum
     session-timeout 1800
     wmm require
     no shutdown
    ap country US,SE
    no ap dot11 24ghz cac voice load-based
    ap dot11 24ghz rate RATE_1M disable
    ap dot11 24ghz rate RATE_2M disable
    ap dot11 24ghz rate RATE_5_5M disable
    ap dot11 24ghz rate RATE_6M disable
    ap dot11 24ghz rate RATE_9M disable
    ap dot11 24ghz rate RATE_11M disable
    ap dot11 24ghz rate RATE_12M mandatory
    ap dot11 24ghz rate RATE_18M supported
    ap dot11 24ghz rate RATE_24M supported
    ap dot11 24ghz rate RATE_36M supported
    ap dot11 24ghz rate RATE_48M supported
    ap dot11 24ghz rate RATE_54M supported
    ap dot11 5ghz cac multimedia max-bandwidth 8
    ap dot11 5ghz media-stream video-redirect
    ap dot11 5ghz cac voice max-bandwidth 13
    no ap dot11 5ghz cac voice load-based
    ap dot11 5ghz rate RATE_6M disable
    ap dot11 5ghz rate RATE_9M disable
    ap dot11 5ghz rate RATE_12M mandatory
    ap dot11 5ghz rate RATE_18M supported
    ap dot11 5ghz rate RATE_24M mandatory
    ap dot11 5ghz rate RATE_36M supported
    ap dot11 5ghz rate RATE_48M supported
    ap dot11 5ghz rate RATE_54M supported
    ap group default-group
    end

    KMO-3850#
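
Added example (not part of the Ascom report and not Cisco tooling): a Python audit run over two constructed samples drawn from this page. It flags the cleartext secrets and management settings visible in the running configuration above, and checks that each WLAN's `security dot1x authentication-list` resolves through a method list and server group to a defined RADIUS server; the CLI steps in the 802.1X section fail that check as printed because they contain no `aaa authentication dot1x` line. Function names, rule texts and the sample excerpts are this example's own assumptions.

```python
import re

# Constructed sample: an excerpt of lines from the running configuration on this page.
RUNNING_CONFIG = """\
no service password-encryption
enable secret 4 /LiUDKl222VXr5BVzYJsZZoMVnMDY807K69ZWa76z6M
username admin privilege 15 password 0 changeme
aaa group server radius Intop_ACS
 server name Intop_ACS
aaa authentication dot1x Intop group Intop_ACS
ip http server
radius server Intop_ACS
 key secret
line con 0
 exec-timeout 0 0
line vty 0 4
 password changeme
wlan CiscoIntop2 1 CiscoIntop2
 security wpa akm psk set-key ascii 0 comptest
wlan CiscoIntop2-dot1x 2 CiscoIntop2-dot1x
 security dot1x authentication-list Intop
"""

# Constructed sample: the 802.1X CLI steps of this report (WLAN name borrowed from above).
GUIDE_CLI = """\
radius server Intop_ACS
 key YourKey
aaa group server radius Intop
 server name Intop_ACS
wlan CiscoIntop2-dot1x 2 CiscoIntop2-dot1x
 security dot1x authentication-list Intop
"""

RULES = [  # (pattern for one stripped config line, finding)
    (r"^no service password-encryption$", "passwords stay in cleartext (type 0) in the config"),
    (r"^enable secret 4 ", "type 4 enable secret (unsalted SHA-256, deprecated)"),
    (r"\bpassword 0 ", "cleartext password"),
    (r"^password \S+$", "cleartext line password"),
    (r"^key (?![67] )\S+$", "cleartext RADIUS shared secret"),
    (r"set-key ascii 0 ", "cleartext WPA2 pre-shared key"),
    (r"^ip http server$", "unencrypted HTTP management enabled"),
    (r"^exec-timeout 0 0$", "idle session never times out"),
]
REF = "security dot1x authentication-list "


def parse_blocks(text):
    """Group an IOS config into (header, [child lines]) by leading space."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def redact(line):
    """Mask the secret value so the report does not repeat it."""
    return re.sub(r"((?:password|secret|ascii)(?: \d)?|key) \S+$", r"\1 <redacted>", line)


def audit_hygiene(blocks):
    """Return (redacted location, finding) for every line that matches a rule."""
    findings = []
    for header, children in blocks:
        for i, line in enumerate([header] + children):
            where = redact(header) + (f" / {redact(line)}" if i else "")
            findings += [(where, text) for pattern, text in RULES if re.search(pattern, line)]
    return findings


def check_dot1x_chain(blocks):
    """Follow wlan -> method list -> server group -> radius server; list the breaks."""
    servers = {h.split()[2] for h, _ in blocks if h.startswith("radius server ")}
    groups = {h.split()[4]: [c.split()[2] for c in ch if c.startswith("server name ")]
              for h, ch in blocks if h.startswith("aaa group server radius ")}
    found = (re.match(r"aaa authentication dot1x (\S+) (.+)", h) for h, _ in blocks)
    methods = {m.group(1): re.findall(r"group (\S+)", m.group(2)) for m in found if m}
    problems = []
    for h, ch in blocks:
        if not h.startswith("wlan "):
            continue
        ssid = h.split()[1]
        for name in [c[len(REF):] for c in ch if c.startswith(REF)]:
            if name not in methods:
                problems.append(f"{ssid}: method list {name} is not defined")
            for group in methods.get(name, []):
                if group != "radius" and group not in groups:  # "radius" is built in
                    problems.append(f"{ssid}: server group {group} is not defined")
                for server in groups.get(group, []):
                    if server not in servers:
                        problems.append(f"{ssid}: radius server {server} is not defined")
    return problems
```

On the running-configuration excerpt the chain resolves; on the guide's CLI steps it reports the missing method list, which the running configuration supplies as `aaa authentication dot1x Intop group Intop_ACS`.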