! ============================================================================
! VantagePoint Networks - Cisco Catalyst 9800 WLC Baseline Configuration
! ============================================================================
! Template Version: 2.1
! Platform: Cisco Catalyst 9800 Series WLC (IOS-XE 17.6+)
! Purpose: Enterprise wireless with Corp/Voice/IoT/Guest WLANs
! License: VantagePoint Networks Commercial Template
! ============================================================================
!
! VARIABLES - Replace before deployment (placeholder slots below are left
! empty where a value must be supplied):
! - WLC hostname (e.g., WLC-9800-01)
! - Domain name (e.g., corp.example.com)
! - Management interface IP
! - Management subnet mask
! - Management default gateway
! - Management VLAN ID
! - Corporate SSID name (e.g., CorpSecure)
! - Corporate VLAN ID (e.g., 100)
! - Voice SSID name (e.g., VoiceWiFi)
! - Voice VLAN ID (e.g., 200)
! - IoT SSID name (e.g., IoT-Devices)
! - IoT VLAN ID (e.g., 300)
! - IoT WPA2-PSK passphrase
! - Guest SSID name (e.g., Guest-WiFi)
! - Guest VLAN ID (e.g., 400)
! - Primary RADIUS server IP
! - Secondary RADIUS server IP
! - RADIUS shared secret
! - RADIUS CoA shared secret
! - Primary NTP server
! - Secondary NTP server
! - Syslog server IP
! - SNMP management station IP
! - SNMPv3 username
! - SNMPv3 auth passphrase
! - SNMPv3 priv passphrase
! - Country code (e.g., GB, US)
! - Enable secret
! - Local admin password
! - Guest captive portal redirect URL
! - Virtual IP for captive portal (e.g., 192.0.2.1)
! - AP join profile name
! - Site tag name
! - RF tag name
! - Policy tag name
! ============================================================================
!
! --- System Identity ---
hostname
ip domain name
enable secret 9
!
! --- Banner ---
banner motd ^
==========================================================================
VantagePoint Networks - Wireless LAN Controller
AUTHORIZED ACCESS ONLY
This system is the property of VantagePoint Networks.
Unauthorized access is prohibited.
All activity is monitored and logged.
Disconnect immediately if you are not an authorized user.
==========================================================================
^
!
! --- Clock and NTP ---
clock timezone UTC 0
ntp server  prefer
ntp server
!
! --- Local User ---
username admin privilege 15 secret 9
aaa new-model
!
! ============================================================================
! AAA CONFIGURATION
! ============================================================================
aaa group server radius RADIUS-GROUP
 server name RADIUS-PRI
 server name RADIUS-SEC
 deadtime 15
 ip radius source-interface Vlan
!
radius server RADIUS-PRI
 address ipv4  auth-port 1812 acct-port 1813
 key
 automate-tester username probe-user idle-time 5
!
radius server RADIUS-SEC
 address ipv4  auth-port 1812 acct-port 1813
 key
 automate-tester username probe-user idle-time 5
!
aaa authentication dot1x default group RADIUS-GROUP
aaa authentication login default local
aaa authentication login WEBAUTH-LIST group RADIUS-GROUP local
aaa authorization network default group RADIUS-GROUP
aaa authorization network NAMED-ACL-AUTH group RADIUS-GROUP
aaa accounting dot1x default start-stop group RADIUS-GROUP
aaa accounting network default start-stop group RADIUS-GROUP
aaa accounting identity default start-stop group RADIUS-GROUP
!
aaa server radius dynamic-author
 client  server-key
 client  server-key
 auth-type any
!
! ============================================================================
! VLAN CONFIGURATION
! ============================================================================
vlan
 name WLC-MANAGEMENT
vlan
 name WIRELESS-CORPORATE
vlan
 name WIRELESS-VOICE
vlan
 name WIRELESS-IOT
vlan
 name WIRELESS-GUEST
!
! ============================================================================
! SVI INTERFACES
! ============================================================================
interface Vlan
 ip address
 no shutdown
!
ip default-gateway
!
! ============================================================================
! WIRELESS COUNTRY AND REGULATORY
! ============================================================================
ap dot11 24ghz shutdown
ap dot11 5ghz shutdown
wireless country
no ap dot11 24ghz shutdown
no ap dot11 5ghz shutdown
!
! ============================================================================
! WLAN 1 - CORPORATE (802.1X / WPA3-Enterprise)
! ============================================================================
wlan 1
 security wpa wpa3
 security wpa akm dot1x
 security wpa pmf mandatory
 security dot1x authentication-list default
 no security wpa akm psk
 peer-blocking drop
 session-timeout 28800
 no shutdown
!
! ============================================================================
! WLAN 2 - VOICE (802.1X / WPA3-Enterprise with QoS)
! ============================================================================
wlan 2
 security wpa wpa3
 security wpa akm dot1x
 security wpa pmf mandatory
 security dot1x authentication-list default
 no security wpa akm psk
 wmm require
 call-snoop
 session-timeout 28800
 no shutdown
!
! ============================================================================
! WLAN 3 - IoT (WPA2-PSK)
! ============================================================================
wlan 3
 security wpa psk set-key ascii 0
 security wpa akm psk
 no security wpa akm dot1x
 security wpa wpa2
 peer-blocking drop
 session-timeout 86400
 no shutdown
!
! ============================================================================
! WLAN 4 - GUEST (Captive Portal)
! ============================================================================
wlan 4
 no security wpa
 no security wpa akm dot1x
 no security wpa akm psk
 security web-auth
 security web-auth authentication-list WEBAUTH-LIST
 security web-auth parameter-map global
 peer-blocking drop
 session-timeout 3600
 exclusionlist timeout 60
 no shutdown
!
! --- Web Auth Parameter Map ---
parameter-map type webauth global
 type webauth
 redirect for-login
 redirect portal ipv4
 max-http-conns 100
 timeout init-state sec 120
!
! ============================================================================
! POLICY PROFILES
! ============================================================================
wireless profile policy POLICY-CORP
 description Corporate wireless policy
 vlan
 aaa-override
 nac
 ipv4 dhcp required
 session-timeout 28800
 idle-timeout 1800
 exclusionlist timeout 180
 no shutdown
!
wireless profile policy POLICY-VOICE
 description Voice wireless policy
 vlan
 aaa-override
 nac
 ipv4 dhcp required
 session-timeout 28800
 idle-timeout 7200
 no shutdown
!
wireless profile policy POLICY-IOT
 description IoT wireless policy
 vlan
 ipv4 dhcp required
 session-timeout 86400
 idle-timeout 3600
 no shutdown
!
wireless profile policy POLICY-GUEST
 description Guest wireless policy
 vlan
 ipv4 dhcp required
 session-timeout 3600
 idle-timeout 600
 exclusionlist timeout 60
 no shutdown
!
! ============================================================================
! AP JOIN PROFILE
! ============================================================================
ap profile
 description VantagePoint Networks AP Join Profile
 hyperlocation ble-beacon 0
 mgmtuser username admin password 0  secret 0
 ssh
 syslog host
 stats-timer 180
!
! ============================================================================
! RF PROFILES
! ============================================================================
ap dot11 24ghz rf-profile RF-24GHZ-CUSTOM
 description VantagePoint 2.4GHz RF Profile
 coverage data rssi threshold -80
 coverage voice rssi threshold -80
 coverage level 2
 coverage exception 25
 rate RATE_11M mandatory
 rate RATE_12M supported
 rate RATE_18M supported
 rate RATE_24M supported
 rate RATE_36M supported
 rate RATE_48M supported
 rate RATE_54M supported
 rate RATE_1M disable
 rate RATE_2M disable
 rate RATE_5_5M disable
 rate RATE_6M supported
 rate RATE_9M supported
 tx-power-min 7
 tx-power-max 14
 tx-power-v2 threshold -65
 channel width 20
 channel add 1 6 11
 no shutdown
!
ap dot11 5ghz rf-profile RF-5GHZ-CUSTOM
 description VantagePoint 5GHz RF Profile
 coverage data rssi threshold -80
 coverage voice rssi threshold -80
 coverage level 2
 coverage exception 25
 rate RATE_6M disable
 rate RATE_9M disable
 rate RATE_12M mandatory
 rate RATE_18M supported
 rate RATE_24M supported
 rate RATE_36M supported
 rate RATE_48M supported
 rate RATE_54M supported
 tx-power-min 7
 tx-power-max 17
 tx-power-v2 threshold -65
 channel width 40
 channel add 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140
 no shutdown
!
! --- RF Tag ---
wireless tag rf
 description VantagePoint RF Tag
 24ghz-rf-policy RF-24GHZ-CUSTOM
 5ghz-rf-policy RF-5GHZ-CUSTOM
!
! ============================================================================
! TAGS AND MAPPING
! ============================================================================
! --- Policy Tag ---
wireless tag policy
 description VantagePoint Policy Tag
 wlan  policy POLICY-CORP
 wlan  policy POLICY-VOICE
 wlan  policy POLICY-IOT
 wlan  policy POLICY-GUEST
!
! --- Site Tag ---
wireless tag site
 description VantagePoint Site Tag
 ap-profile
 no local-site
!
! ============================================================================
! FLEXCONNECT CONFIGURATION
! ============================================================================
wireless profile flex FLEX-PROFILE
 description VantagePoint FlexConnect Profile
 arp-caching
 native-vlan-id
 vlan-name CORP-VLAN
  vlan-id
 vlan-name VOICE-VLAN
  vlan-id
 vlan-name IOT-VLAN
  vlan-id
 vlan-name GUEST-VLAN
  vlan-id
!
wireless tag site -FLEX
 description VantagePoint FlexConnect Site Tag
 ap-profile
 flex-profile FLEX-PROFILE
 no local-site
!
! ============================================================================
! QoS POLICIES (Platinum/Gold/Silver/Bronze)
! ============================================================================
! --- Class Maps (defined first; the policy maps below reference them) ---
class-map match-any VOICE-TRAFFIC
 match dscp ef
class-map match-any VOICE-SIGNALING
 match dscp cs3
class-map match-any VIDEO-TRAFFIC
 match dscp af41
class-map match-any INTERACTIVE-VIDEO
 match dscp af42
class-map match-any DATA-TRAFFIC
 match dscp default
class-map match-any BULK-DATA
 match dscp af11
class-map match-any GUEST-DATA
 match dscp cs1
class-map match-any SCAVENGER
 match dscp cs1
!
! --- Platinum (Voice) ---
policy-map PLATINUM-QOS
 class VOICE-TRAFFIC
  set dscp ef
  police cir 256000 conform-action transmit exceed-action drop
 class VOICE-SIGNALING
  set dscp cs3
  police cir 128000 conform-action transmit exceed-action drop
!
! --- Gold (Video / Corporate) ---
policy-map GOLD-QOS
 class VIDEO-TRAFFIC
  set dscp af41
  police cir 5000000 conform-action transmit exceed-action set-dscp-transmit af43
 class INTERACTIVE-VIDEO
  set dscp af42
  police cir 2000000 conform-action transmit exceed-action set-dscp-transmit af43
!
! --- Silver (Best Effort - Standard Data) ---
policy-map SILVER-QOS
 class DATA-TRAFFIC
  set dscp default
  police cir 10000000 conform-action transmit exceed-action drop
 class BULK-DATA
  set dscp af11
!
! --- Bronze (Guest / IoT) ---
policy-map BRONZE-QOS
 class GUEST-DATA
  set dscp cs1
  police cir 2000000 conform-action transmit exceed-action drop
 class SCAVENGER
  set dscp cs1
  police cir 1000000 conform-action transmit exceed-action drop
!
! --- Apply QoS to Policy Profiles ---
wireless profile policy POLICY-VOICE
 service-policy input PLATINUM-QOS
 service-policy output PLATINUM-QOS
wireless profile policy POLICY-CORP
 service-policy input GOLD-QOS
 service-policy output GOLD-QOS
wireless profile policy POLICY-IOT
 service-policy input SILVER-QOS
 service-policy output SILVER-QOS
wireless profile policy POLICY-GUEST
 service-policy input BRONZE-QOS
 service-policy output BRONZE-QOS
!
! ============================================================================
! ROGUE AP DETECTION AND CLASSIFICATION
! ============================================================================
wireless wps rogue ap aaa
wireless wps rogue ap init-timer 120
wireless wps rogue ap alert-timer 300
wireless wps rogue ap timeout 1200
wireless wps rogue ap rldp retries 3
wireless wps rogue ap rldp auto-contain
wireless wps rogue ap classification
wireless wps rogue ap notify-syslog
wireless wps rogue client aaa
wireless wps rogue client alert-timer 300
wireless wps rogue client notify-syslog
!
! --- Rogue Rules ---
wireless wps rogue rule ROGUE-RULE-MALICIOUS priority 1
 condition ssid contains
 condition client-count min-threshold 1
 match all
 classify malicious
wireless wps rogue rule ROGUE-RULE-FRIENDLY priority 10
 condition rssi min-threshold -90
 match all
 classify friendly
!
! ============================================================================
! CLIENT EXCLUSION POLICIES
! ============================================================================
wireless client exclusion dot11-assoc-fail 5
wireless client exclusion dot11-auth-fail 5
wireless client exclusion dot1x-auth-fail 3
wireless client exclusion ip-theft 0
wireless client exclusion web-auth-fail 3
!
! ============================================================================
! mDNS GATEWAY
! ============================================================================
mdns-sd gateway
 active-query timer 30
 service-announcement-count 10
 service-query-count 3
 air-print-helper enable
!
mdns-sd service-list MDNS-CORP-LIST IN
 match airplay
 match airprint
 match raop
mdns-sd service-list MDNS-CORP-LIST OUT
 match airplay
 match airprint
 match raop
!
mdns-sd service-policy MDNS-CORP-POLICY
 service-list MDNS-CORP-LIST IN
 service-list MDNS-CORP-LIST OUT
!
wireless profile policy POLICY-CORP
 mdns-sd-interface gateway
!
! ============================================================================
! MANAGEMENT FRAME PROTECTION (MFP) AND WIPS
! ============================================================================
wireless security dot11 management-frame-protection infrastructure client
wireless wps ap-authentication
wireless wps mfp infrastructure
!
! ============================================================================
! LOGGING AND MONITORING
! ============================================================================
logging host
logging trap informational
logging source-interface Vlan
logging buffered 65536 informational
!
! --- SNMPv3 ---
snmp-server group WLCMON v3 priv
snmp-server user  WLCMON v3 auth sha  priv aes 256
snmp-server host  version 3 priv
snmp-server enable traps snmp authentication linkup linkdown
snmp-server enable traps wireless
!
! ============================================================================
! SSH HARDENING
! ============================================================================
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface Vlan
crypto key generate rsa modulus 4096
no ip http server
ip http secure-server
ip http authentication local
!
ip access-list standard SSH-ACCESS
 permit  0.0.0.255
 deny any log
!
line vty 0 15
 access-class SSH-ACCESS in
 transport input ssh
 login authentication default
 exec-timeout 15 0
line con 0
 exec-timeout 5 0
 login authentication default
!
! ============================================================================
! ADDITIONAL HARDENING
! ============================================================================
no service pad
no ip source-route
no ip finger
no ip bootp server
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
login on-failure log
login on-success log
!
! ============================================================================
! VantagePoint Networks - End of WLC Configuration
! Deployment Checklist:
! 1. Replace ALL placeholders
! 2. Upload AP images to WLC flash
! 3. Configure uplink trunk ports on switches
! 4. Verify RADIUS server connectivity
! 5. Import SSL certificate for web auth
! 6. Pre-provision AP MAC addresses if required
! 7. Test each SSID authentication method
! 8. Validate QoS markings end-to-end
! 9. Tune RF profiles after site survey
! 10. Archive baseline with 'show running-config'
! ============================================================================
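! --- Added example, not part of the VantagePoint template: a Python pre-deployment audit for checklist item 1 and the WLAN/vty hardening lines above ---
! It parses a 9800-style config into command blocks and reports unreplaced placeholders, 802.1X WLANs lacking 'security wpa pmf mandatory', web-auth WLANs without an authentication-list, and vty lines missing an inbound access-class or ssh-only transport.
! Assumptions: placeholders are written as <NAME>, and SAMPLE_CONFIG is a constructed fragment in the template's shape, not a real deployment.

```python
import re

# Constructed sample in the template's shape: the IoT PSK placeholder is left unreplaced
# and the guest WLAN lacks its authentication-list, so the audit has something to report.
SAMPLE_CONFIG = """\
ip ssh version 2
no ip http server
wlan CorpSecure 1 CorpSecure
 security wpa wpa3
 security wpa akm dot1x
 security wpa pmf mandatory
wlan IoT-Devices 3 IoT-Devices
 security wpa psk set-key ascii 0 <IOT_PSK>
 security wpa akm psk
 security wpa wpa2
wlan Guest-WiFi 4 Guest-WiFi
 no security wpa
 security web-auth
line vty 0 15
 access-class SSH-ACCESS in
 transport input ssh
"""

def parse_blocks(text):  # group indented sub-commands under their parent command, IOS style
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no configuration
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(text):  # return findings against the baseline; an empty list means it holds
    blocks = parse_blocks(text)
    findings = [f"placeholder not replaced: {p}" for p in sorted(set(re.findall(r"<[A-Z0-9_]+>", text)))]
    findings += [f"missing global hardening: {r}" for r in ("ip ssh version 2", "no ip http server") if r not in blocks]
    for parent, subs in blocks.items():
        has = lambda prefix: any(s.startswith(prefix) for s in subs)  # a 'no ...' form never matches
        if parent.startswith("wlan "):
            if has("security wpa akm dot1x") and not has("security wpa pmf mandatory"):
                findings.append(f"{parent}: 802.1X WLAN without mandatory PMF")
            if has("security web-auth") and not has("security web-auth authentication-list"):
                findings.append(f"{parent}: web-auth WLAN without an authentication-list")
        elif parent.startswith("line vty"):
            if not has("access-class ") or not has("transport input ssh"):
                findings.append(f"{parent}: needs inbound access-class and ssh-only transport")
    return findings
```

Run it against the output of 'show running-config' (checklist item 10) rather than the template itself, since the template's empty slots are by design.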