Windows 10 includes a feature that creates a detailed report of the Wi-Fi connection history, which can ease troubleshooting. The report provides information about each adapter, error events, the networks you have connected to and session durations, which you can use to diagnose and solve connectivity-related problems.
Steps
Open an elevated command prompt.
Start -> cmd -> right-click and choose Run as administrator
Commands
netsh wlan show wlanreport
Open the file path printed by the command in Windows File Explorer to view the report for the computer's wireless interface.
Configure a native supplicant profile for wireless clients
Configure a BYOD Portal for onboarding
Create the authentication policy that allows users to log in
Configure an authorization policy that permits access to resources
Configure ACLs on WLC
Users will connect to the BYOD WLAN. If the mobile device does not have a certificate, the user will be prompted to enter their Active Directory Username and Password. Once they complete the onboarding process, ISE will initiate a Change of Authorization (CoA). This will disconnect the client and they will immediately re-associate to the WLAN using the new certificate.
Certificate Template
This is the certificate that clients will download when attempting to connect to the SSID “MGMT”.
Go to: Administration > System > Certificates > Certificate Authority > Certificate Templates
Select EAP_Authentication_Certificate_Template and Click Duplicate
Enter the name BYOD_EAP_Authentication_Certificate_Template
Edit the Organizational Unit and Organization
Set SCEP RA Profile to ISE Internal CA
Click Submit
Native Supplicant Profile
This is the wireless profile the device will use to connect to the WLAN once the device is onboarded.
Go to: Policy > Policy Elements > Results > Client Provisioning > Resources
Click Add > Native Supplicant Profile
Enter a Name (BYOD_EAP_TLS_NSP)
Click Add under Wireless Profile
Enter the SSID
Set Security to WPA2 Enterprise
Set Allowed Protocol to TLS
Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template
Click Submit
Client Provisioning Policy
This determines which Native Supplicant Profile gets installed on which type of device.
Policy > Client Provisioning
Edit each type of device with the Native Supplicant Profile that you created earlier
(Set Results to BYOD_EAP_TLS_NSP)
Click Save
BYOD Portal
This is the web page the user is redirected to in order to “onboard” their device.
Active Directory Join Point
Enter the Join Point Name (for instance, wifiworkshop_AD)
Enter the Active Directory Domain
Click Submit
Once the Join Point is created, Click the Groups Tab
Add AD Groups of users who will be allowed to onboard their device.
Authentication Policy
Policy > Policy Sets > Wireless Devices
Create an Authentication Policy above the default rule
Set the Condition to Radius:Called-Station-ID contains Mgmt
Set the Allowed Protocols to Default Network Access
Set Network Access:AuthenticationMethod EQUALS x509_PKI to use “Ge_Cert_CommonName”
Click the drop-down arrow next to Actions and Insert Row Above the Default Rule
Set Network Access:AuthenticationMethod EQUALS MSCHAPv2 to use “Ge”
Set the Default Rule to Deny Access
Authorization Profile
Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
Click Add
Enter a Name (BYOD_NSP_AuthZ_Profile)
Select Web Redirection (CWA, MDM, NSP, CPP)
Set it to Native Supplicant Provisioning
Create an ACL named BYOD_REDIRECT
Set the Value to BYOD WEB PAGE
Authorization Profile for Android Devices
Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
Click Add
Enter a Name (BYOD_NSP_Google_AuthZ_Profile)
Select Web Redirection (CWA, MDM, NSP, CPP)
Set it to Native Supplicant Provisioning
Manually type in BYOD_Google_REDIRECT for the ACL
(You’ll create the ACL on the WLC later)
Set the Value to BYOD WEB PAGE
Authorization Policy for Android Devices
Work Centers > BYOD > Policy Sets
Create a new Authorization Policy Rule above the default rule
Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android
Set Permissions to BYOD_NSP_Google_AuthZ_Profile
Authorization Policy for all other devices
Work Centers > BYOD > Policy Sets
Create a new Authorization Policy Rule above the default rule
Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2
Set Permissions to Ge_NSP_AuthZ_Profile
Add the ACL to the WLC
Deny statements in the ACL trigger the redirect on the WLC. Create permit statements to allow traffic to the Policy Service Nodes and DNS (this traffic is not redirected), with a rule for each direction. Create deny statements for web traffic so that it is redirected to the BYOD Portal.
Log into the WLC
Security > Access Control Lists > Access Control Lists
Click New
Name it BYOD_REDIRECT (or whatever you manually named the ACL in the Authorization Rule)
Click on the BYOD_REDIRECT ACL and click Add New Rule
Create a rule to permit all traffic outbound from the controller
Create Rule to permit TCP traffic on 8443 to all Policy Service Nodes
Create Rule to permit UDP traffic to DNS
Create Rule to permit UDP traffic to DHCP (I believe DHCP is allowed by default, so you may not need this rule.)
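To make the redirect ACL logic concrete, here is an added example (not WLC code, not part of the original post) that models the rules above as an ordered first-match list and classifies constructed client flows: permitted traffic passes, denied web traffic from the client is redirected to the portal, and anything else that is denied is dropped. The PSN address (10.0.30.20), DNS server (10.0.30.10), client address (10.0.30.100), the convention that "in" means traffic from the wireless client, and the names Flow, Rule, evaluate and dispositions are all assumptions made for the illustration.

```python
"""Ordered first-match model of the WLC redirect ACL described above.

Added example, not WLC code: it shows why the permit rules for DNS and the
Policy Service Node (PSN) must sit above the web deny rules, and what happens
to each client flow. The PSN, DNS server and client addresses, and the names
Flow/Rule/evaluate/dispositions, are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WEB_PORTS = {80, 443}   # TCP flows hitting "deny" on these ports are redirected


@dataclass(frozen=True)
class Flow:
    direction: str            # "in" = from the wireless client, "out" = toward the client
    protocol: str             # "tcp", "udp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str               # "permit" passes untouched, "deny" redirects or drops
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.direction in ("any", flow.direction)
                and self.protocol in ("any", flow.protocol)
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


PSN = "10.0.30.20/32"   # constructed ISE Policy Service Node
DNS = "10.0.30.10/32"   # constructed internal DNS server

# Rules in the order the page lists them; the controller appends an implicit deny.
BYOD_REDIRECT = [
    Rule(1, "permit", direction="out"),                                         # everything from the controller side to the client
    Rule(2, "permit", direction="in", protocol="tcp", dst=PSN, dst_port=8443),  # client to the PSN onboarding portal
    Rule(3, "permit", direction="in", protocol="udp", dst=DNS, dst_port=53),    # DNS
    Rule(4, "permit", direction="in", protocol="udp", dst_port=67),             # DHCP
    Rule(5, "deny",   direction="in", protocol="tcp", dst_port=80),             # web traffic: redirected
    Rule(6, "deny",   direction="in", protocol="tcp", dst_port=443),
]


def evaluate(acl, flow: Flow) -> Tuple[Optional[int], str, str]:
    """Return (matching rule seq, or None for the implicit deny; action; disposition).

    The disposition is "pass" for permits, "redirect" for denied web traffic
    from the client, and "drop" for anything else that is denied.
    """
    for rule in acl:
        if rule.matches(flow):
            seq, action = rule.seq, rule.action
            break
    else:
        seq, action = None, "deny"
    if action == "permit":
        return seq, action, "pass"
    if flow.direction == "in" and flow.protocol == "tcp" and flow.dst_port in WEB_PORTS:
        return seq, action, "redirect"
    return seq, action, "drop"


# Constructed client flows seen during onboarding (client 10.0.30.100).
SAMPLE_FLOWS = {
    "dns lookup":       Flow("in", "udp", "10.0.30.100", "10.0.30.10", 53),
    "portal to PSN":    Flow("in", "tcp", "10.0.30.100", "10.0.30.20", 8443),
    "http to internet": Flow("in", "tcp", "10.0.30.100", "198.51.100.7", 80),
    "external dns":     Flow("in", "udp", "10.0.30.100", "8.8.8.8", 53),
    "PSN reply":        Flow("out", "tcp", "10.0.30.20", "10.0.30.100", 51000),
}


def dispositions(acl=BYOD_REDIRECT, flows=SAMPLE_FLOWS):
    """Map each sample flow name to its disposition under the ACL."""
    return {name: evaluate(acl, flow)[2] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        seq, action, disp = evaluate(BYOD_REDIRECT, flow)
        print(f"{name:18} rule={seq} {action:6} -> {disp}")
```

The "external dns" flow is the instructive case: because the DNS permit only covers the internal resolver, a client pointed at any other resolver falls through to the implicit deny and is dropped, so the portal hostname never resolves and the redirect appears broken. The permits must cover every resolver and every PSN the clients can actually reach.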
The root cause of the issue is that versions 8.5 and later need to use the c3700 / cx700 image to join ME (Mobility Express). If your AP image version is lower than 8.5, you need to upgrade to ap3g2 first and then upgrade to c3700.
After that, the AP can successfully join the WLC.
TFTP Server
For my TFTP server I am using a Synology NAS and running the TFTP Service:
How to setup Synology NAS TFTP
Cisco AP Process
Power the AP off and hold down the mode button.
While still holding the mode button down, power the AP back on.
Continue to hold the mode button down until the AP's light goes solid red.
Once the light is solid red, release the button and console into the AP using your console cable.
Commands
set IP_ADDR <DEVICE IP ADDRESS>
set NETMASK <SUBNET>
set DEFAULT_ROUTER <GATEWAY IP>
tftp_init
ether_init
flash_init
tar -xtract tftp://<TFTP SERVER IP>/<.TAR FILE> flash:
set BOOT flash:/<EXTRACTED IMAGE>
Example
set IP_ADDR 10.0.30.53
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 10.0.30.1
tftp_init
ether_init
flash_init
tar -xtract tftp://10.0.30.14/ap3g2-rcvk9w8-tar.153-3.JF10.tar flash:
set BOOT flash:/ap3g2-rcvk9w8-mx
My TFTP server is 10.0.30.14
The subnet is a /24
The gateway is 10.0.30.1
tftp_init, ether_init and flash_init initialize the TFTP, Ethernet and flash services on the AP.
The tar command extracts the file from the TFTP server's root directory (the file is named ap3g2-rcvk9w8-tar.153-3.JF10.tar) into the AP's flash directory.
***DURING THE TAR EXTRACT PROCESS, CONTINUE TO HIT THE SPACE BAR EVERY 1 - 2 SECONDS*** If you do not, you can receive a premature error.
Set the boot file location and let the AP sit for about 5 minutes after it finishes booting the new image; you should then see it on the WLC in a Registered state.
WLC GUI – AFTERMATH
Now we can update the AP name and location and set a static IP for the device.
Hardcode the controllers the AP should join.
The Access Point has now been successfully upgraded and is registered to the Virtual wireless LAN controller.