! Aruba controller configuration dump: global settings, named services and the
! 'control' session ACL. Statements are laid out one per line; comments sit only
! between top-level statements so that no '!' falls inside a sub-mode block.
version 3.3
! NOTE(review): the enable secret is present in encoded form; treat every copy of
! this file as credential material and rotate the secret if the dump was shared.
enable secret "6f984484019428c778fbf9e4127cd0bdb34a198673958abce6"
! NOTE(review): 'telnet cli' / 'telnet soe' appear to turn on Telnet access; Telnet
! carries logins in cleartext, and 'ssh mgmt-auth' is configured later in this
! file - confirm Telnet is still required.
telnet cli
telnet soe
hostname "Aruba-iLabs-NAC"
clock timezone PST -8
location "Building1.floor1"
mms config 0
controller config 184
! Named services referenced by the session ACLs: protocol plus port or port range
! (a bare number is an IP protocol number); 'alg' names an application-layer
! gateway attached to the service.
netservice svc-snmp-trap udp 162
netservice svc-https tcp 443
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-sccp tcp 2000 alg sccp
netservice svc-tftp udp 69 alg tftp
netservice svc-sip-tcp tcp 5060
netservice svc-kerberos udp 88
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-dns udp 53 alg dns
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-http tcp 80
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-papi udp 8211
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-esp 50
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
! Destination alias declared with no members.
netdestination Servers1
!
! Session ACL 'control': the first rule denies user-sourced traffic to udp/68 (the
! DHCP client port), presumably so clients cannot answer as DHCP servers; the
! remaining rules permit DNS, PAPI, cfgm, ADP, TFTP, DHCP and NAT-T any-to-any.
! NOTE(review): every role that lists 'control' (Quarantine, VOIP-NET,
! Healthy-Employees, ap-role and stateful later in this file) also receives these
! any-to-any permits, including DNS and TFTP to arbitrary hosts - confirm that is
! intended for the restricted roles.
ip access-list session control
   user any udp 68 deny
   any any svc-dns permit
   any any svc-papi permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
!
! IPv4 session ACLs, part 1. Each rule reads: source, destination, service, action.
! 'validuser', 'allowall' and 'Admin-ACL' below are all a single any/any/any permit.
ip access-list session validuser
   any any any permit
!
ip access-list session vocera-acl
   any any svc-vocera permit queue high
!
ip access-list session icmp-acl
   any any svc-icmp permit
!
! Captive portal: user HTTP, HTTPS and proxy-port traffic is destination-NATed to
! local ports 8080 / 8081 / 8088.
ip access-list session captiveportal
   user alias mswitch svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
!
ip access-list session allowall
   any any any permit
!
! NOTE(review): no user-role in the visible configuration references Admin-ACL (the
! Administrator role uses 'allowall'); possibly a leftover - confirm.
ip access-list session Admin-ACL
   any any any permit
!
! NOTE(review): udp/53 is permitted to any destination here and in VoIP-Net-ACL,
! whereas Healthy-Employees-ACL limits it to host 45.200.1.2. Pinning guest DNS to
! the resolver would keep udp/53 from reaching arbitrary hosts.
ip access-list session Guest-ACL
   any any udp 53 permit
   host 45.200.1.20 user any permit
   user host 45.200.1.20 any permit
!
! DNS only to 45.200.1.2, plus two-way access to hosts 45.200.1.19, .20 and .21.
ip access-list session Healthy-Employees-ACL
   any host 45.200.1.2 udp 53 permit
   user host 45.200.1.19 any permit
   host 45.200.1.19 user any permit
   user host 45.200.1.20 any permit
   host 45.200.1.20 user any permit
   user host 45.200.1.21 any permit
   host 45.200.1.21 user any permit
!
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
!
ip access-list session https-acl
   any any svc-https permit
!
ip access-list session dns-acl
   any any svc-dns permit
!
! Pre-authentication control: same udp/68 deny as 'control', then ICMP, DNS, DHCP
! and NAT-T any-to-any.
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
!
! NOTE(review): lets unauthenticated (logon-role) clients start IKE/ESP, L2TP, PPTP
! and GRE sessions; if PPTP is not in use, dropping svc-pptp and svc-gre here would
! narrow the pre-auth surface - confirm against actual VPN clients.
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
!
ip access-list session srcnat
   user any any src-nat
!
ip access-list session skinny-acl
   any any svc-sccp permit queue high
!
ip access-list session tftp-acl
   any any svc-tftp permit
!
ip access-list session cplogout
   user alias mswitch svc-https dst-nat 8081
!
! DNS to any destination, plus two-way access to host 45.200.1.22.
ip access-list session VoIP-Net-ACL
   any any udp 53 permit
   user host 45.200.1.22 any permit
   host 45.200.1.22 user any permit
!
! IPv4 session ACLs (part 2), IPv6 session ACLs, the VPN dialer and the first
! user-role definitions.
! NOTE(review): no user-role in the visible configuration references
! 'Servers-Healthy-employees' or the empty 'guest' ACL below - confirm whether they
! are still needed.
ip access-list session Servers-Healthy-employees
   any host 45.200.1.2 udp 53 permit
   user host 45.200.1.19 any permit
   any host 45.200.1.20 any permit
   host 45.200.1.20 any any permit
   host 45.200.1.19 user any permit
!
ip access-list session guest
!
ip access-list session dhcp-acl
   any any svc-dhcp permit
!
ip access-list session http-acl
   any any svc-http permit
!
! Quarantine: reach only host 45.200.1.19, with DNS to and from 45.200.1.2.
! NOTE(review): the Quarantine role also lists the 'control' ACL, whose any-to-any
! DNS/TFTP/PAPI permits widen what a quarantined client can reach beyond these
! four rules - confirm.
ip access-list session Quarantine-ACL
   user host 45.200.1.19 any permit
   host 45.200.1.19 any any permit
   any host 45.200.1.2 udp 53 permit
   host 45.200.1.2 any udp 53 permit
!
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
!
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
!
ip access-list session noe-acl
   any any svc-noe permit queue high
!
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
!
ipv6 access-list session v6-icmp-acl
   any any svc-v6-icmp permit
!
ipv6 access-list session v6-https-acl
   any any svc-https permit
!
! NOTE(review): the deny in v6-control and v6-logon-control targets udp/68, the
! DHCPv4 client port; this file defines svc-v6-dhcp as udp 546-547, so the rule
! looks carried over from the IPv4 ACLs and may not guard DHCPv6 - confirm.
ipv6 access-list session v6-control
   user any udp 68 deny
   any any svc-v6-icmp permit
   any any svc-v6-dhcp permit
   any any svc-dns permit
   any any svc-tftp permit
!
ipv6 access-list session v6-dhcp-acl
   any any svc-v6-dhcp permit
!
ipv6 access-list session v6-dns-acl
   any any svc-dns permit
!
ipv6 access-list session v6-allowall
   any any any permit
!
ipv6 access-list session v6-http-acl
   any any svc-http permit
!
ipv6 access-list session v6-tftp-acl
   any any svc-tftp permit
!
ipv6 access-list session v6-logon-control
   user any udp 68 deny
   any any svc-v6-icmp permit
   any any svc-v6-dhcp permit
   any any svc-dns permit
!
! NOTE(review): the IKE pre-shared key is present in encoded form; handle this file
! as credential material.
vpn-dialer default-dialer
   ike authentication PRE-SHARE 018b5b645c597e4f0095affcbd8789afb89ff997dc029440
!
user-role VOIP-NET
   session-acl VoIP-Net-ACL
   session-acl control
!
user-role ap-role
   session-acl control
   session-acl ap-acl
!
! NOTE(review): this role carries only 'allowall'. The 'Guest' derivation rule later
! in this file assigns it to clients on the guest ESSID, so those clients would not
! be limited by Guest-ACL - confirm that unrestricted guest access is intended.
user-role guest-role-jms
   session-acl allowall
!
! Remaining user-roles, the guest derivation rule, VLANs and physical interfaces.
! Administrator, trusted-ap, default-vpn-role and authenticated all map to the
! unrestricted 'allowall' ACL.
user-role Administrator
   vlan 1000
   session-acl allowall
!
user-role trusted-ap
   session-acl allowall
!
user-role default-vpn-role
   session-acl allowall
   ipv6 session-acl v6-allowall
!
! NOTE(review): 'control' is listed alongside Quarantine-ACL; its any-to-any permits
! (DNS, TFTP, PAPI, ...) also apply to quarantined clients - confirm.
user-role Quarantine
   session-acl control
   session-acl Quarantine-ACL
!
user-role voice
   session-acl sip-acl
   session-acl noe-acl
   session-acl svp-acl
   session-acl vocera-acl
   session-acl skinny-acl
   session-acl h323-acl
   session-acl dhcp-acl
   session-acl tftp-acl
   session-acl dns-acl
   session-acl icmp-acl
!
user-role Healthy-Employees
   session-acl Healthy-Employees-ACL
   session-acl control
!
! NOTE(review): no server-derived or user-derived rule visible in this file appears
! to reach this restricted 'guest' role from the guest ESSID; the derivation rule
! below selects 'guest-role-jms' instead.
user-role guest
   session-acl Guest-ACL
   session-acl http-acl
   session-acl https-acl
   session-acl dhcp-acl
   session-acl dns-acl
   ipv6 session-acl v6-http-acl
   ipv6 session-acl v6-https-acl
   ipv6 session-acl v6-dhcp-acl
   ipv6 session-acl v6-icmp-acl
   ipv6 session-acl v6-dns-acl
!
user-role stateful-dot1x
!
user-role authenticated
   session-acl allowall
   ipv6 session-acl v6-allowall
!
user-role stateful
   session-acl control
!
! Pre-authentication role: logon-control, captive-portal redirect and VPN setup.
user-role logon
   session-acl logon-control
   session-acl captiveportal
   session-acl vpnlogon
   ipv6 session-acl v6-logon-control
!
! NOTE(review): clients on ESSID "ilabs-nac-aruba-guest" are given
! 'guest-role-jms', which is defined in this file with 'allowall' only; switching
! the set-value to the restricted 'guest' role would apply Guest-ACL - confirm.
aaa derivation-rules user Guest
   set role condition essid equals "ilabs-nac-aruba-guest" set-value guest-role-jms
!
aaa pubcookie-authentication
!
interface mgmt
   shutdown
!
vlan 20
vlan 30
vlan 40
vlan 1000
! NOTE(review): every fastethernet port and the gigabit trunk are marked 'trusted';
! presumably traffic arriving on a trusted port is not subject to user-role policy,
! so confirm only infrastructure devices are patched into these ports.
interface fastethernet 1/0
   description "FE1/0"
   trusted
   switchport access vlan 1000
!
interface fastethernet 1/1
   description "FE1/1"
   trusted
   switchport access vlan 1000
!
interface fastethernet 1/2
   description "FE1/2"
   trusted
   switchport access vlan 1000
!
interface fastethernet 1/3
   description "FE1/3"
   trusted
!
interface fastethernet 1/4
   description "FE1/4"
   trusted
   switchport access vlan 20
!
interface fastethernet 1/5
   description "FE1/5"
   trusted
!
interface fastethernet 1/6
   description "FE1/6"
   trusted
!
interface fastethernet 1/7
   description "FE1/7"
   trusted
!
interface gigabitethernet 1/8
   description "GE1/8"
   trusted
   switchport mode trunk
!
interface vlan 1
!
! Layer-3 VLAN interfaces, WMS settings, IPsec/VPN parameters, management access and
! the RADIUS server definition.
interface vlan 1000
   ip address 45.200.1.89 255.255.255.0
!
interface vlan 20
   ip address 45.200.20.89 255.255.255.0
!
interface vlan 40
   ip address 45.200.40.89 255.255.255.0
!
interface vlan 30
!
ip default-gateway 45.200.1.1
wms
   general poll-interval 60000
   general poll-retries 3
   general ap-ageout-interval 30
   general sta-ageout-interval 30
   general learn-ap disable
   general persistent-known-interfering enable
   general propagate-wired-macs enable
   general stat-update enable
   general collect-stats disable
!
no crypto-local isakmp permit-invalid-cert
! NOTE(review): 'localip 0.0.0.0' pairs an encoded IPsec key with the all-zero
! address, which presumably matches any peer controller; a per-peer entry would
! limit who can use the key - confirm.
localip 0.0.0.0 ipsec 97ccab5db95ed4dd0012878759bf310f3d777ebaea0cd515
! NOTE(review): the group name 'changeme' looks like an unchanged placeholder.
crypto isakmp groupname changeme
crypto-local isakmp dpd idle-timeout 22 retry-timeout 2 retry-attempts 3
crypto-local isakmp xauth
! NOTE(review): L2TP uses PAP, which sends the password without a challenge and so
! relies entirely on the enclosing tunnel for confidentiality; PPTP with MSCHAPv2
! is widely regarded as weak - confirm both are still required.
vpdn group l2tp
   ppp authentication PAP
!
vpdn group pptp
   ppp authentication MSCHAPv2
!
mux-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
ssh mgmt-auth username/password
! NOTE(review): the management account 'admin' (role root) is stored with an encoded
! password; treat this dump as credential material.
mgmt-user admin root 6f7dd29c01044cc0ae67fcfe2b90c94a96c92fe0fda6c4fa1f
no database synchronize
database synchronize rf-plan-data
ip mobile domain default
!
ip igmp
!
packet-capture-defaults tcp disable udp disable sysmsg disable other disable
!
ip domain lookup
!
country US
aaa authentication mac "default"
!
aaa authentication dot1x "default"
!
! RADIUS server used for NAC decisions. The shared key is present in encoded form;
! because role assignment (including Administrator) is derived from this server's
! replies, the key protects the integrity of those decisions.
aaa authentication-server radius "iLabs-NAC"
   host 45.200.1.74
   key abdc0bb95469f6f6b0a6c2dd509f1ca817f8037c518837df
   nas-identifier "45.200.1.89"
   nas-ip 45.200.1.89
!
aaa server-group "default"
   auth-server Internal
   set role condition role value-of
!
! AAA server group and profiles, default AP/IDS/RF profiles, and WLAN SSID and
! virtual-AP definitions.
! NOTE(review): the group is spelled "iLbas-NAC" while the server is "iLabs-NAC";
! the dot1x-server-group reference below uses the same spelling, so the names match
! each other, but the transposition looks accidental.
! Role is derived from the RADIUS Class or Callback-Number attribute; value "5"
! yields Administrator (defined in this file with 'allowall'), so a forged or
! misissued server reply grants full access - keep the RADIUS path protected.
aaa server-group "iLbas-NAC"
   auth-server iLabs-NAC
   set role condition Class equals "1" set-value Healthy-Employees
   set role condition Class equals "3" set-value guest
   set role condition Class equals "5" set-value Administrator
   set role condition Class equals "4" set-value VOIP-NET
   set role condition Class equals "2" set-value Quarantine
   set role condition Callback-Number equals "1" set-value Healthy-Employees
   set role condition Callback-Number equals "2" set-value Quarantine
   set role condition Callback-Number equals "3" set-value guest
   set role condition Callback-Number equals "4" set-value VOIP-NET
   set role condition Callback-Number equals "5" set-value Administrator
!
aaa profile "default"
!
aaa profile "iLabs-NAC-Auth"
   authentication-dot1x "default"
   dot1x-server-group "iLbas-NAC"
!
! Guest profile: PSK authentication, role chosen by the 'Guest' user-derivation rule.
aaa profile "iLabs-NAC-guest"
   authentication-dot1x "default-psk"
   user-derivation-rules "Guest"
!
aaa authentication captive-portal "default"
!
aaa authentication vpn
!
aaa authentication mgmt
!
aaa authentication stateful-dot1x
!
aaa authentication wired
!
web-server
!
ap system-profile "default"
!
ap regulatory-domain-profile "default"
   country-code US
!
ap wired-ap-profile "default"
!
ap enet-link-profile "default"
!
ap snmp-profile "default"
!
ids general-profile "default"
!
ids unauthorized-device-profile "default"
!
ids profile "default"
!
rf arm-profile "default"
!
rf optimization-profile "default"
!
rf event-thresholds-profile "default"
!
rf dot11a-radio-profile "default"
!
rf dot11g-radio-profile "default"
   no radio-enable
!
wlan ht-ssid-profile "default"
!
wlan ssid-profile "default"
!
! NOTE(review): the guest SSID uses WPA-PSK with TKIP, a deprecated cipher, and its
! passphrase is stored here in encoded form; an AES-based opmode and rotation of
! the passphrase are worth considering if this dump has been shared.
wlan ssid-profile "ilabs-guest-Aruba"
   essid "ilabs-nac-aruba-guest"
   opmode wpa-psk-tkip
   wpa-passphrase 6f4c587bed33fb7eb796e6c86f499f0cb858ba632e96eed5
!
! NOTE(review): 'wpa2-tkip' is offered next to the AES modes, so clients may still
! negotiate TKIP on the 802.1X SSID - confirm it is needed for legacy devices.
wlan ssid-profile "iLabs-NAC-Aruba"
   essid "ilabs-nac-aruba"
   opmode wpa-aes wpa2-aes wpa2-tkip
!
wlan virtual-ap "default"
!
! Guest virtual AP: guest SSID on VLAN 40 with the guest AAA profile.
wlan virtual-ap "iLabs-Guest"
   ssid-profile "ilabs-guest-Aruba"
   vlan 40
   aaa-profile "iLabs-NAC-guest"
!
! 802.1X virtual AP (VLAN 20, profile "iLabs-NAC-Auth") and AP-group membership.
wlan virtual-ap "iLabs-NAC"
   ssid-profile "iLabs-NAC-Aruba"
   vlan 20
   aaa-profile "iLabs-NAC-Auth"
!
ap-group "default"
   virtual-ap "default"
!
! APs in this group broadcast both the 802.1X SSID and the guest SSID.
ap-group "iLabs-NAC"
   virtual-ap "iLabs-NAC"
   virtual-ap "iLabs-Guest"
!
end