! ArubaOS controller configuration (version 3.3), reflowed to one statement per line.
! This part holds management access settings, the netservice aliases and the first
! session ACLs. Review notes sit in front of the statement or stanza they refer to.
!
! NOTE(review): the enable secret is published here in its stored form. Whatever the
! encoding, treat the credential as exposed and rotate it wherever it was used.
version 3.3
enable secret "d4bb389e01d03ed8dd220e823b45663b66d63e1072be39ed96"
! NOTE(review): both lines turn on Telnet-based management ("soe" is presumably
! serial-over-ethernet - confirm). Telnet carries credentials in cleartext; keep
! management on SSH and drop these unless there is a documented need.
telnet cli
telnet soe
hostname "Aruba-NAC"
clock summer-time PDT recurring first sunday april 02:00 last sunday october 02:00
clock timezone PST -8
location "InteropNAC"
mms config 0
controller config 51
! netservice lines define the named protocol/port aliases the session ACLs use.
! Entries without a tcp/udp keyword (svc-svp 119, svc-gre 47, svc-esp 50, svc-icmp 1)
! carry a bare number, presumably an IP protocol number. Two numbers after tcp/udp
! look like a port range - confirm against the platform reference.
! NOTE(review): svc-bootp is "udp 67 69" while svc-dhcp is "udp 67 68"; if these are
! ranges, svc-bootp also covers TFTP (69). Confirm that is intended.
netservice svc-snmp-trap udp 162
netservice svc-syslog udp 514
netservice svc-l2tp udp 1701
netservice svc-ike udp 500
netservice svc-https tcp 443
netservice svc-smb-tcp tcp 445
netservice svc-dhcp udp 67 68
netservice svc-pptp tcp 1723
netservice svc-sccp tcp 2000
netservice svc-telnet tcp 23
netservice svc-sip-tcp tcp 5060
netservice svc-tftp udp 69
netservice svc-kerberos udp 88
netservice svc-noe udp 32512
netservice svc-adp udp 8200
netservice svc-pop3 tcp 110
netservice svc-rtsp tcp 554
netservice svc-msrpc-tcp tcp 135 139
netservice svc-dns udp 53
netservice svc-vocera udp 5002
netservice svc-http tcp 80
netservice svc-sip-udp udp 5060
netservice svc-nterm tcp 1026 1028
netservice svc-papi udp 8211
netservice svc-natt udp 4500
netservice svc-ftp tcp 21
netservice svc-svp 119
netservice svc-smtp tcp 25
netservice svc-gre 47
netservice svc-smb-udp udp 445
netservice svc-esp 50
netservice svc-snmp udp 161
netservice svc-bootp udp 67 69
netservice svc-msrpc-udp udp 135 139
netservice svc-ntp udp 123
netservice svc-icmp 1
netservice svc-ssh tcp 22
! Session ACL "control": the first rule denies user-sourced traffic to udp 68
! (presumably to stop clients answering as DHCP servers - confirm); the rest permit
! ICMP, DNS, PAPI, ADP, TFTP, DHCP and NAT-T between any source and any destination.
! NOTE(review): every permit is any/any. Consider pinning DNS, TFTP and DHCP to the
! intended servers, since this ACL is attached to the pre-authentication roles.
ip access-list session control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-papi permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
!
! Session ACL "validuser": a single permit-everything rule. It is not referenced by
! any user-role in this listing.
ip access-list session validuser
   any any any permit
!
! Session ACL "vocera-acl": permits the svc-vocera service (udp 5002) in the high queue.
ip access-list session vocera-acl
   any any svc-vocera permit queue high
!
! Session ACL "captiveportal": destination-NATs user HTTP to port 8080 and user HTTPS
! to port 8081 (the first rule covers HTTPS addressed to the "mswitch" alias).
ip access-list session captiveportal
   user alias mswitch svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
!
! Session ACL "allowall": permits all traffic in both directions.
! NOTE(review): this ACL is the whole policy of several user-roles defined later in
! the file (pre-employee, allow-all-everywhere, trusted-ap, default-vpn-role), so
! those roles apply no filtering at all.
ip access-list session allowall
   any any any permit
!
! Session ACL "https-acl": permits HTTPS between any source and destination.
ip access-list session https-acl
   any any svc-https permit
!
! Remaining session ACLs, the VPN dialer, the user-roles and the role derivation rule,
! reflowed to one statement per line. Review notes sit in front of the stanza they
! refer to.
!
! Per-service permit ACLs; the voice-related ones (SIP, SCCP, SVP) use the high queue.
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
!
ip access-list session dns-acl
   any any svc-dns permit
!
ip access-list session tftp-acl
   any any svc-tftp permit
!
ip access-list session skinny-acl
   any any svc-sccp permit queue high
!
! Session ACL "srcnat": source-NATs all user traffic. No user-role in this listing
! references it.
ip access-list session srcnat
   user any any src-nat
!
! Session ACL "vpnlogon": permits IKE, ESP, L2TP, PPTP and GRE between any endpoints.
! NOTE(review): it is attached to the "logon" role, so unauthenticated clients can
! start PPTP as well as L2TP/IPsec sessions. Drop svc-pptp/svc-gre if PPTP is unused.
ip access-list session vpnlogon
   any any svc-ike permit
   any any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
!
! Session ACL "cplogout": destination-NATs user HTTPS aimed at "mswitch" to port 8081.
ip access-list session cplogout
   user alias mswitch svc-https dst-nat 8081
!
! Session ACL "guest": empty, and the "guest" user-role below does not reference it.
ip access-list session guest
!
ip access-list session http-acl
   any any svc-http permit
!
ip access-list session dhcp-acl
   any any svc-dhcp permit
!
! Session ACL "svp-acl": permits svc-svp (high queue) and user traffic from host
! 224.0.1.116.
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
!
! Session ACL "ap-acl": GRE and syslog any/any, SNMP towards users, and SNMP traps
! and NTP from users.
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
!
! NOTE(review): the IKE pre-shared key is published here in its stored form. Treat
! it as exposed and rotate it; a shared group PSK also gives no per-user identity.
vpn-dialer default-dialer
   ike authentication PRE-SHARE ebe11f54924ebf3b7d6949bd4dff172e3fa77f0debfb5a46
!
! User-roles: each role is the ordered list of session ACLs applied to a client.
user-role ap-role
   session-acl control
   session-acl ap-acl
!
! NOTE(review): the next four roles carry only "allowall" (any any any permit), so
! they filter nothing. "pre-employee" reads like a pre-assessment role, which would
! normally be restricted - confirm that unrestricted access is intended.
user-role pre-employee
   session-acl allowall
!
user-role allow-all-everywhere
   session-acl allowall
!
user-role trusted-ap
   session-acl allowall
!
user-role default-vpn-role
   session-acl allowall
!
user-role guest
   session-acl control
   session-acl cplogout
!
! NOTE(review): no session-acl is attached to this role; confirm the effective
! policy (implicit deny or otherwise) on this release.
user-role stateful-dot1x
!
user-role stateful
   session-acl control
!
user-role pre-voice
   session-acl sip-acl
   session-acl svp-acl
   session-acl vocera-acl
   session-acl skinny-acl
   session-acl dhcp-acl
   session-acl tftp-acl
   session-acl dns-acl
!
! Role "logon": captive portal plus the control, captiveportal and vpnlogon ACLs.
user-role logon
   captive-portal default
   session-acl control
   session-acl captiveportal
   session-acl vpnlogon
!
user-role pre-guest
   session-acl http-acl
   session-acl https-acl
   session-acl dhcp-acl
   session-acl dns-acl
!
! NOTE(review): this rule assigns the unrestricted "allow-all-everywhere" role purely
! because the client associated to ESSID "nacwpa.11a". The ESSID is not an
! authenticator; derive the role from an authentication or posture result instead.
aaa derivation-rules user default
   set role condition essid equals "nacwpa.11a" set-value allow-all-everywhere
!
aaa pubcookie-authentication
!
! Switching, interface, IPsec/VPN and management-account settings, reflowed to one
! statement per line. Review notes sit in front of the statement or stanza they
! refer to.
!
! Spanning tree is disabled globally; the dedicated mgmt interface is shut down, so
! management traffic shares the data VLAN interface configured below.
no spanning-tree
interface mgmt
   shutdown
!
vlan 1000
! NOTE(review): every physical port in this file is marked "trusted". On this platform
! a trusted port is, as far as I know, exempt from user-role enforcement - confirm.
! fe1/2 to fe1/6 carry no other configuration; if unused, shut them down or make them
! untrusted so a device plugged in there is subject to policy.
interface fastethernet 1/0
   description "fe1/0"
   trusted
   switchport access vlan 1000
   no spanning-tree
!
interface fastethernet 1/1
   description "fe1/1"
   trusted
   switchport access vlan 1000
   spanning-tree portfast
!
interface fastethernet 1/2
   description "fe1/2"
   trusted
!
interface fastethernet 1/3
   description "fe1/3"
   trusted
!
interface fastethernet 1/4
   description "fe1/4"
   trusted
!
interface fastethernet 1/5
   description "fe1/5"
   trusted
!
interface fastethernet 1/6
   description "fe1/6"
   trusted
!
! NOTE(review): described as temporary; track its removal.
interface fastethernet 1/7
   description "Untagged uplink (temporary)"
   trusted
   no spanning-tree
!
! Trunk uplink. No allowed-VLAN restriction is visible in this listing.
interface gigabitethernet 1/8
   description "Tagged uplink Gig"
   trusted
   switchport mode trunk
   no spanning-tree
!
interface vlan 1
   shutdown
!
! The controller's only addressed interface. With Telnet enabled earlier in the file
! and no management ACL visible, restrict which sources can reach this address.
interface vlan 1000
   ip address 45.200.1.79 255.255.255.0
!
ip default-gateway 45.200.1.1
! WLAN management system settings. "learn-ap disable" means APs are not learned
! automatically (presumably they must be classified by hand - confirm).
wms
   general poll-interval 60000
   general poll-retries 2
   general ap-ageout-interval 30
   general sta-ageout-interval 30
   general learn-ap disable
   general persistent-known-interfering disable
   general propagate-wired-macs enable
   general stat-update enable
   general collect-stats disable
!
! Invalid certificates are not accepted for ISAKMP.
no crypto-local isakmp permit-invalid-cert
! NOTE(review): the IPsec key is tied to the wildcard address 0.0.0.0, i.e. presumably
! to any peer, and is published here in its stored form. Rotate it and bind keys to
! specific peer addresses.
localip 0.0.0.0 ipsec 051f6d470ab0334777023df5adcb0e8d9aa23cd2ae162f54
! NOTE(review): "changeme" looks like a placeholder left in place; set a site value.
crypto isakmp groupname changeme
crypto-local isakmp dpd idle-timeout 22 retry-timeout 2 retry-attempts 3
crypto-local isakmp xauth
! NOTE(review): PAP sends the password unprotected inside PPP, so it relies entirely
! on the surrounding IPsec tunnel. Prefer a challenge-based method where supported.
vpdn group l2tp
   ppp authentication PAP
!
! NOTE(review): PPTP with MSCHAPv2 is a legacy combination with well-documented
! weaknesses; disable the PPTP group if it is not required.
vpdn group pptp
   ppp authentication MSCHAPv2
!
mux-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
! SSH management logins use username/password; consider key-based authentication if
! this release supports it.
ssh mgmt-auth username/password
! NOTE(review): management account "admin" with role "root"; its stored credential is
! published here. Rotate it and avoid a predictable account name for the root role.
mgmt-user admin root c205b42901d7efd4aea3abaa2a036d9de42a1ad75ccdc3216b
ntp server 45.200.1.2
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
! AAA profiles and AP, IDS and RF profiles, reflowed to one statement per line.
! Review notes sit in front of the stanza they refer to.
!
! NOTE(review): both machine-authentication fallback roles are the unrestricted
! "allow-all-everywhere" role. These roles are presumably what a client gets when
! only the machine or only the user authenticated (confirm), so partial
! authentication ends with the same access as full authentication.
aaa authentication dot1x "default"
   machine-authentication machine-default-role "allow-all-everywhere"
   machine-authentication user-default-role "allow-all-everywhere"
!
! Authentication is served from the controller's internal database.
aaa server-group "default"
   auth-server Internal
!
! NOTE(review): initial-role, mac-default-role and dot1x-default-role are all
! "allow-all-everywhere". The initial role is, as far as I know, what a client holds
! before it authenticates, so this profile grants unrestricted access up front and
! authentication changes nothing. Use a restricted initial role such as "logon".
aaa profile "AllowAnyAccess"
   initial-role "allow-all-everywhere"
   mac-default-role "allow-all-everywhere"
   authentication-dot1x "default"
   dot1x-default-role "allow-all-everywhere"
!
! Both profiles below apply the "default" user derivation rules, which map ESSID
! "nacwpa.11a" to the allow-all-everywhere role.
aaa profile "default"
   user-derivation-rules "default"
!
aaa profile "default-wired"
   user-derivation-rules "default"
!
aaa authentication captive-portal "default"
!
aaa authentication vpn
!
aaa authentication mgmt
   enable
!
aaa authentication stateful-dot1x
!
aaa authentication wired
   profile "default-wired"
!
web-server
!
ap system-profile "default"
   bootstrap-threshold 7
!
ap regulatory-domain-profile "default"
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap snmp-profile "default"
!
! IDS profiles are present but empty, so whatever the platform defaults are apply.
ids general-profile "default"
!
ids unauthorized-device-profile "default"
!
ids profile "default"
!
! NOTE(review): channel assignment and scanning are both off. With scanning disabled
! the APs presumably do not look at other channels, which would limit rogue-AP and
! interference visibility for the IDS profiles - confirm this trade-off is intended.
rf arm-profile "default"
   assignment disable
   no multi-band-scan
   no scanning
   ideal-coverage-index 5
   acceptable-coverage-index 2
   error-rate-threshold 0
   noise-threshold 0
!
rf optimization-profile "default"
   ap-lb-user-high-wm 255
   ap-lb-user-low-wm 230
   ap-lb-util-high-wm 90
   ap-lb-util-low-wm 80
   ap-lb-util-wait-time 30
   interference-exceed-time 30
   interference-baseline-time 30
   rssi-falloff-wait-time 4
   low-rssi-threshold 20
   rssi-check-frequency 3
!
rf event-thresholds-profile "default"
   fer-high-wm 0
   fer-low-wm 0
   ffr-high-wm 16
   ffr-low-wm 8
   flsr-high-wm 16
   flsr-low-wm 8
   frer-high-wm 16
   frer-low-wm 8
   frr-high-wm 16
   frr-low-wm 8
!
rf dot11a-radio-profile "default"
!
rf dot11g-radio-profile "default"
   channel 1
!
! Radio, SSID, virtual-AP and AP-group definitions, reflowed to one statement per
! line. Review notes sit in front of the stanza they refer to.
!
rf dot11g-radio-profile "Disabled"
   no radio-enable
!
wlan ht-ssid-profile "default"
!
wlan ssid-profile "default"
!
! NOTE(review): opmode wpa-psk-tkip is WPA with TKIP and a shared passphrase. TKIP is
! deprecated; move to WPA2 with AES (for example opmode wpa2-psk-aes, or 802.1X)
! where the clients allow it. The passphrase is published here in its stored form:
! treat it as exposed and rotate it. "deny-bcast" hides the SSID from broadcast
! probes only and is not an access control.
wlan ssid-profile "default-a_=U=NACWPA-A"
   essid "NACWPA-A"
   opmode wpa-psk-tkip
   deny-bcast
   wpa-passphrase 184f86fc4dd47ceb0a5a309ea3fcbca070a5093c10356333
!
! NOTE(review): same WPA/TKIP pre-shared-key mode, and the stored passphrase is
! published here as well. ESSID "nacwpa.11a" is the one the derivation rule maps to
! the allow-all-everywhere role, so this passphrase is the only gate in front of
! unrestricted access.
wlan ssid-profile "NACWPA-A-only"
   essid "nacwpa.11a"
   opmode wpa-psk-tkip
   wpa-passphrase 801beb7eb0cd143f5fb5e61347ad75ec01a6071853cdb29c
!
! NOTE(review): client blacklisting is turned off on this virtual AP. Confirm what
! auth-failure-blacklist-time 0 means on this release before relying on it.
wlan virtual-ap "default"
   no blacklist
   auth-failure-blacklist-time 0
   strict-compliance
!
! 5 GHz-only virtual AP on VLAN 1000 with blacklisting off. It names no aaa-profile
! and is not referenced by the ap-group below.
wlan virtual-ap "default-a_=U=NACWPA-A"
   allowed-band a
   ssid-profile "default-a_=U=NACWPA-A"
   vlan 1000
   no blacklist
   auth-failure-blacklist-time 0
   strict-compliance
!
! NOTE(review): this virtual AP pairs the WPA/TKIP PSK SSID with the AllowAnyAccess
! profile, whose initial role is allow-all-everywhere. Anyone holding the passphrase
! gets an unfiltered role with no per-user authentication or posture check.
wlan virtual-ap "NACWPA-A"
   ssid-profile "NACWPA-A-only"
   aaa-profile "AllowAnyAccess"
!
! The default AP group serves only the "NACWPA-A" virtual AP.
ap-group "default"
   virtual-ap "NACWPA-A"
   ids-profile "default"
!
end