From eee3f9837e0b980fb41f09ead63c28cc41ad45ba Mon Sep 17 00:00:00 2001
From: John Poland
Date: Mon, 7 Apr 2025 20:08:20 -0400
Subject: [PATCH] wlc/wlc-mm-2.cfg Mon Apr 7 08:08:20 PM EDT 2025
---
 configs/wlc/wlc-mm-2.cfg | 1546 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 1546 insertions(+)
 create mode 100644 configs/wlc/wlc-mm-2.cfg
diff --git a/configs/wlc/wlc-mm-2.cfg b/configs/wlc/wlc-mm-2.cfg
new file mode 100644
index 0000000..71c17f2
--- /dev/null
+++ b/configs/wlc/wlc-mm-2.cfg
@@ -0,0 +1,1546 @@
+show running
+ Building Configuration...
+
+version 8.10
+hostname "NOC-ARUBA-MM-2"
+clock timezone America/New_York -04 0
+!
+location "Building1.floor1"
+controller config 625
+crypto-local pki ServerCert scsd_wc2_full_2025 Star-Exp042025-fullchain.pfx
+crypto-local pki ServerCert scsd_wc2_full_2026 StarCert-Ex03_26_fullchain.pfx
+crypto-local pki ServerCert scsd_wildcard_2025 StartCert-Expire042025.pfx
+crypto-local pki ServerCert scsd_wildcard_2026 StarCert-Ex03_26_fullchain.pfx
+crypto-local pki PublicCert master-ssh-pub-cert master-ssh-pub-cert
+ip nat pool dynamic-srcnat 0.0.0.0 0.0.0.0
+ip nat pool localip 0.0.0.0 0.0.0.0
+ip access-list eth validuserethacl
+ permit any
+!
+ip access-list geolocation global-geolocation-acl
+!
+netservice svc-snmp-trap udp 162
+netservice svc-netbios-dgm udp 138
+netservice svc-pcoip2-tcp tcp 4172
+netservice svc-facetime-tcp tcp 5223 ALG facetime
+netservice svc-https tcp 443
+netservice svc-dhcp udp 67 68 ALG dhcp
+netservice svc-ike udp 500
+netservice svc-smb-tcp tcp 445
+netservice svc-l2tp udp 1701
+netservice svc-citrix tcp 2598
+netservice svc-syslog udp 514
+netservice svc-ica tcp 1494
+netservice svc-pptp tcp 1723
+netservice svc-telnet tcp 23
+netservice svc-sccp tcp 2000 ALG sccp
+netservice svc-sec-papi udp 8209
+netservice svc-tftp udp 69 ALG tftp
+netservice svc-sip-tcp tcp 5060 ALG sip
+netservice svc-lpd tcp 515
+netservice svc-web tcp list "80 443"
+netservice svc-kerberos udp 88
+netservice svc-netbios-ssn tcp 139
+netservice svc-pcoip-udp udp 50002
+netservice svc-pop3 tcp 110
+netservice svc-pcoip-tcp tcp 50002
+netservice svc-http-proxy3 tcp 8888
+netservice svc-adp udp 8200
+netservice svc-cfgm-tcp tcp 8211
+netservice svc-noe udp 32512 ALG noe
+netservice svc-dns udp 53 ALG dns
+netservice svc-rtsp tcp 554 ALG rtsp
+netservice svc-msrpc-tcp tcp 135 139
+netservice svc-h323-tcp tcp 1720 ALG h323
+netservice svc-vocera udp 5002 ALG vocera
+netservice svc-http tcp 80
+netservice svc-h323-udp udp 1718 1719 ALG h323
+netservice vnc tcp 5900 5905
+netservice svc-nterm tcp 1026 1028
+netservice svc-http-proxy2 tcp 8080
+netservice svc-sip-udp udp 5060 ALG sip
+netservice svc-noe-oxo udp 5000 ALG noe
+netservice svc-papi udp 8211
+netservice svc-natt udp 4500
+netservice svc-ftp tcp 21 ALG ftp
+netservice svc-svp 119 ALG svp
+netservice svc-microsoft-ds tcp 445
+netservice svc-gre 47
+netservice svc-smtp tcp 25
+netservice svc-sips tcp 5061 ALG sips
+netservice svc-netbios-ns udp 137
+netservice svc-smb-udp udp 445
+netservice svc-esp 50
+netservice svc-ipp-tcp tcp 631
+netservice svc-pcoip2-udp udp 4172
+netservice svc-snmp udp 161
+netservice svc-bootp udp 67 69
+netservice svc-v6-dhcp udp 546 547
+netservice svc-icmp 1
+netservice svc-ntp udp 123
+netservice svc-msrpc-udp udp 135 139
+netservice svc-ssh tcp 22
+netservice svc-ipp-udp udp 631
+netservice svc-http-proxy1 tcp 3128
+netservice svc-v6-icmp 58
+netservice svc-vmware-rdp tcp 3389
+netdestination6 ipv6-reserved-range
+ invert
+ network 2000::/3
+!
+netdestination wificalling-block
+ name pub.3gppnetwork.org
+ name vowifi.com
+!
+netexthdr default
+!
+time-range periodic night-hours
+ Weekday 18:01 to 23:59
+ Weekday 00:00 to 07:59
+!
+time-range periodic working-hours
+ Weekday 08:00 to 18:00
+!
+ip access-list session control
+ user any udp 68 deny
+ any any svc-icmp permit
+ any any svc-dns permit
+ any any svc-papi permit
+ any any svc-sec-papi permit
+ any any svc-cfgm-tcp permit
+ any any svc-adp permit
+ any any svc-tftp permit
+ any any svc-dhcp permit
+ any any svc-natt permit
+ any any tcp 6633 permit
+!
+ip access-list session v6-icmp-acl
+ ipv6 any any svc-v6-icmp permit
+!
+ip access-list session allow-diskservices
+ any any svc-netbios-dgm permit
+ any any svc-netbios-ssn permit
+ any any svc-microsoft-ds permit
+ any any svc-netbios-ns permit
+!
+ip access-list session validuser
+ network 127.0.0.0 255.0.0.0 any any deny
+ network 169.254.0.0 255.255.0.0 any any deny
+ network 224.0.0.0 240.0.0.0 any any deny
+ host 255.255.255.255 any any deny
+ network 240.0.0.0 240.0.0.0 any any deny
+ any any any permit
+ ipv6 host fe80:: any any deny
+ ipv6 network fc00::/7 any any permit
+ ipv6 network fe80::/64 any any permit
+ ipv6 alias ipv6-reserved-range any any deny
+ ipv6 any any any permit
+!
+ip access-list session vocera-acl
+ any any svc-vocera permit queue high
+!
+ip access-list session v6-https-acl
+ ipv6 any any svc-https permit
+!
+ip access-list session voip-applications-acl
+ any any app alg-skype4b-audio permit
+ any any app alg-skype4b-video permit
+ any any app alg-skype4b-desktop-sharing permit
+ any any app alg-skype4b-app-sharing permit
+ any any app alg-sip-audio permit
+ any any app alg-sip-video permit
+ any any app alg-sccp permit
+ any any app alg-vocera permit
+ any any app alg-noe permit
+ any any app alg-h323 permit
+ any any app alg-jabber-audio permit
+ any any app alg-jabber-video permit
+ any any app alg-jabber-desktop-sharing permit
+ any any app alg-facetime permit
+ any any app alg-wifi-calling permit
+ any any app alg-webrtc-audio permit
+ any any app alg-webrtc-video permit
+ any any app alg-teams-audio permit
+ any any app alg-teams-video permit
+ any any app alg-rtp permit
+!
+ip access-list session vmware-acl
+ any any svc-vmware-rdp permit tos 46 dot1p-priority 6
+ any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
+ any any svc-pcoip-udp permit tos 46 dot1p-priority 6
+ any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
+ any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
+!
+ip access-list session icmp-acl
+ any any svc-icmp permit
+!
+ip access-list session apprf-default-vpn-role-sacl
+!
+ip access-list session apprf-logon-sacl
+!
+ip access-list session v6-control
+ ipv6 user any udp 546 deny
+ ipv6 any any svc-v6-icmp permit
+ ipv6 any any svc-dns permit
+ ipv6 any any svc-papi permit
+ ipv6 any any svc-sec-papi permit
+ ipv6 any any svc-cfgm-tcp permit
+ ipv6 any any svc-adp permit
+ ipv6 any any svc-tftp permit
+ ipv6 any any svc-v6-dhcp permit
+ ipv6 any any svc-natt permit
+ ipv6 any any svc-dhcp permit
+!
+ip access-list session jabber-acl
+ any any tcp 5222 permit
+ any any tcp 8443 permit
+!
+ip access-list session apprf-authenticated-sacl
+!
+ip access-list session apprf-switch-logon-sacl
+!
+ip access-list session apprf-stateful-dot1x-sacl
+!
+ip access-list session v6-dhcp-acl
+ ipv6 any any svc-v6-dhcp permit
+!
+ip access-list session captiveportal
+ user alias controller svc-https dst-nat 8081
+ user any svc-http dst-nat 8080
+ user any svc-https dst-nat 8081
+ user any svc-http-proxy1 dst-nat 8088
+ user any svc-http-proxy2 dst-nat 8088
+ user any svc-http-proxy3 dst-nat 8088
+!
+ip access-list session wificalling-acl
+ any any tcp 443 permit
+!
+ip access-list session allowall
+ any any any permit
+ ipv6 any any any permit
+!
+ip access-list session v6-dns-acl
+ ipv6 any any svc-dns permit
+!
+ip access-list session facetime-acl
+ any any svc-facetime-tcp permit queue high
+ any any udp 3478 3497 permit
+ any any udp 16384 16387 permit
+ any any udp 16393 16402 permit
+!
+ip access-list session apprf-voice-sacl
+!
+ip access-list session skype4b-acl
+ any any svc-sips permit
+ any any svc-https permit
+!
+ip access-list session apprf-default-iap-user-role-sacl
+!
+ip access-list session captiveportalbridge
+ user alias localip svc-https dual-nat pool localip 8081
+ user any svc-http dual-nat pool localip 8080
+ user any svc-https dual-nat pool localip 8081
+ user any svc-http-proxy1 dual-nat pool localip 8088
+ user any svc-http-proxy2 dual-nat pool localip 8088
+ user any svc-http-proxy3 dual-nat pool localip 8088
+!
+ip access-list session wan-uplink-protect-acl
+ any any sys-svc-dhcp permit
+ ipv6 any any sys-svc-v6-dhcp permit
+ any any sys-svc-esp permit
+ any any sys-svc-natt permit
+ any any sys-svc-ike permit
+ any any sys-svc-icmp permit
+ ipv6 any any sys-svc-icmp6 permit
+!
+ip access-list session sip-acl
+ any any svc-sip-udp permit queue high
+ any any svc-sip-tcp permit queue high
+!
+ip access-list session https-acl
+ any any svc-https permit
+!
+ip access-list session citrix-acl
+ any any svc-citrix permit tos 46 dot1p-priority 6
+ any any svc-ica permit tos 46 dot1p-priority 6
+!
+ip access-list session ra-guard
+ ipv6 user any icmpv6 rtr-adv deny
+!
+ip access-list session dns-acl
+ any any svc-dns permit
+!
+ip access-list session allow-printservices
+ any any svc-lpd permit
+ any any svc-ipp-tcp permit
+ any any svc-ipp-udp permit
+!
+ip access-list session skinny-acl
+ any any svc-sccp permit queue high
+!
+ip access-list session logon-control
+ user any udp 68 deny
+ any any svc-icmp permit
+ any any svc-dns permit
+ any any svc-dhcp permit
+ any any svc-natt permit
+ any network 169.254.0.0 255.255.0.0 any deny
+ any network 240.0.0.0 240.0.0.0 any deny
+!
+ip access-list session v6-allowall
+ ipv6 any any any permit
+!
+ip access-list session tftp-acl
+ any any svc-tftp permit
+!
+ip access-list session vpnlogon
+ user any svc-ike permit
+ user any svc-esp permit
+ any any svc-l2tp permit
+ any any svc-pptp permit
+ any any svc-gre permit
+!
+ip access-list session srcnat
+ user any any src-nat
+!
+ip access-list session wificalling-block
+ any alias wificalling-block any deny
+!
+ip access-list session cplogout
+ user alias controller svc-https dst-nat 8081
+!
+ip access-list session captiveportal6
+ ipv6 user alias controller6 svc-https captive
+ ipv6 user any svc-http captive
+ ipv6 user any svc-https captive
+ ipv6 user any svc-http-proxy1 captive
+ ipv6 user any svc-http-proxy2 captive
+ ipv6 user any svc-http-proxy3 captive
+!
+ip access-list session http-acl
+ any any svc-http permit
+!
+ip access-list session apprf-default-via-role-sacl
+!
+ip access-list session dhcp-acl
+ any any svc-dhcp permit
+!
+ip access-list session v6-http-acl
+ ipv6 any any svc-http permit
+!
+ip access-list session stateful-dot1x
+ any any svc-dns permit
+ any any svc-dhcp permit
+!
+ip access-list session apprf-ap-role-sacl
+!
+ip access-list session apprf-guest-sacl
+!
+ip access-list session ap-uplink-acl
+ any any udp 68 permit
+ any any svc-icmp permit
+ any host 224.0.0.251 udp 5353 permit
+ ipv6 any any udp 546 permit
+ ipv6 any any svc-v6-icmp permit
+ ipv6 any host ff02::fb udp 5353 permit
+!
+ip access-list session apprf-guest-logon-sacl
+!
+ip access-list session noe-acl
+ any any svc-noe permit queue high
+!
+ip access-list session ap-acl
+ any any svc-gre permit
+ any any svc-syslog permit
+ any user svc-snmp permit
+ user any svc-snmp-trap permit
+ user any svc-ntp permit
+ user any svc-ftp permit
+ user any svc-telnet deny
+!
+ip access-list session logon-control-bridge
+ user any udp 68 deny
+ any any svc-icmp src-nat
+ any any svc-dns src-nat
+ any any svc-dhcp permit
+ any network 169.254.0.0 255.255.0.0 any deny
+ any network 240.0.0.0 240.0.0.0 any deny
+!
+ip access-list session svp-acl
+ any any svc-svp permit queue high
+ user host 224.0.1.116 any permit
+!
+ip access-list session global-sacl
+!
+ip access-list session v6-ap-acl
+ ipv6 any any svc-gre permit
+ ipv6 any any svc-syslog permit
+ ipv6 any user svc-snmp permit
+ ipv6 user any svc-snmp-trap permit
+ ipv6 user any svc-ntp permit
+ ipv6 user any svc-ftp permit
+!
+ip access-list session apprf-sys-switch-role-sacl
+!
+ip access-list session h323-acl
+ any any svc-h323-tcp permit queue high
+ any any svc-h323-udp permit queue high
+!
+ip access-list session v6-logon-control
+ ipv6 user any udp 546 deny
+ ipv6 any any svc-v6-icmp permit
+ ipv6 any any svc-v6-dhcp permit
+ ipv6 any any svc-dns permit
+ ipv6 any network fc00::/7 any permit
+ ipv6 any network fe80::/64 any permit
+ ipv6 any alias ipv6-reserved-range any deny
+!
+ip access-list session apprf-sys-ap-role-sacl
+!
+ip access-list route uplink-lb-cfg-racl
+!
+ip access-list route master-boc-traffic
+!
+vpn-dialer default-dialer
+ ike authentication pre-share ******
+!
+user-role ap-role
+ no openflow-enable
+ access-list session ra-guard
+ access-list session control
+ access-list session ap-acl
+ access-list session v6-control
+ access-list session v6-ap-acl
+!
+user-role denyall
+!
+user-role default-vpn-role
+ access-list session global-sacl
+ access-list session apprf-default-vpn-role-sacl
+ access-list session ra-guard
+ access-list session allowall
+ access-list session v6-allowall
+!
+user-role sys-switch-role
+!
+user-role sys-ap-role
+ no openflow-enable
+!
+user-role voice
+ access-list session global-sacl
+ access-list session apprf-voice-sacl
+ access-list session ra-guard
+ access-list session sip-acl
+ access-list session noe-acl
+ access-list session svp-acl
+ access-list session vocera-acl
+ access-list session skinny-acl
+ access-list session h323-acl
+ access-list session dhcp-acl
+ access-list session tftp-acl
+ access-list session dns-acl
+ access-list session icmp-acl
+ access-list session http-acl
+ access-list session https-acl
+ access-list session skype4b-acl
+ access-list session facetime-acl
+ access-list session jabber-acl
+ access-list session wificalling-acl
+ access-list session voip-applications-acl
+!
+user-role default-via-role
+ access-list session global-sacl
+ access-list session apprf-default-via-role-sacl
+ access-list session allowall
+ access-list session v6-allowall
+!
+user-role switch-logon
+!
+user-role guest-logon
+ captive-portal "default"
+ access-list session ra-guard
+ access-list session logon-control
+ access-list session captiveportal
+ access-list session v6-logon-control
+ access-list session captiveportal6
+!
+user-role guest
+ access-list session global-sacl
+ access-list session apprf-guest-sacl
+ access-list session ra-guard
+ access-list session http-acl
+ access-list session https-acl
+ access-list session dhcp-acl
+ access-list session icmp-acl
+ access-list session dns-acl
+ access-list session v6-http-acl
+ access-list session v6-https-acl
+ access-list session v6-dhcp-acl
+ access-list session v6-icmp-acl
+ access-list session v6-dns-acl
+!
+user-role stateful-dot1x
+ access-list session global-sacl
+ access-list session apprf-stateful-dot1x-sacl
+!
+user-role authenticated
+ access-list session global-sacl
+ access-list session apprf-authenticated-sacl
+ access-list session ra-guard
+ access-list session allowall
+ access-list session v6-allowall
+!
+user-role default-iap-user-role
+ access-list session allowall
+!
+user-role logon
+ access-list session ra-guard
+ access-list session logon-control
+ access-list session captiveportal
+ access-list session vpnlogon
+ access-list session v6-logon-control
+ access-list session captiveportal6
+!
+!
+aaa tacacs-accounting
+
+
+controller-ip vlan 35
+datapath energy-efficiency
+kernel coredump
+no kernel printk
+interface mgmt
+ shutdown
+!
+
+vlan 1
+!
+vlan 35
+!
+
+
+interface gigabitethernet 0/0/0
+ trusted
+ trusted vlan 1-4094
+ no poe
+ switchport mode access
+ switchport access vlan 35
+ switchport trunk allowed vlan 1-4094
+ no spanning-tree
+!
+
+interface gigabitethernet 0/0/1
+ shutdown
+ trusted
+ trusted vlan 1-4094
+ no poe
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+ no spanning-tree
+!
+
+interface port-channel 0
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 1
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 2
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 3
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 4
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 5
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 6
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface port-channel 7
+ switchport mode access
+ switchport access vlan 1
+ switchport trunk allowed vlan 1-4094
+!
+
+interface vlan 35
+ ip address 10.1.35.23 255.255.255.0
+!
+
+interface vlan 1
+!
+
+!
+!
+ip default-gateway 10.1.35.1
+ip route 10.1.35.33 255.255.255.255 ipsec default-psk-redundant-conductor-ipsecmap
+ip nexthop-list load-balance-gateways
+!
+ip nexthop-list load-balance-ipsecs
+!
+ip nexthop-list traditional-ipsecs
+!
+
+crypto isakmp policy 20
+ encryption AES256
+ authentication pre-share
+!
+
+crypto isakmp policy 10001
+ authentication pre-share
+!
+
+crypto isakmp policy 10002
+ encryption AES256
+ authentication rsa-sig
+!
+
+crypto isakmp policy 10003
+ encryption AES256
+ authentication pre-share
+!
+
+crypto isakmp policy 10004
+ version v2
+ encryption AES256
+ authentication rsa-sig
+!
+
+crypto isakmp policy 10005
+ encryption AES256
+ authentication pre-share
+!
+
+crypto isakmp policy 10006
+ version v2
+ encryption AES128
+ authentication rsa-sig
+!
+
+crypto isakmp policy 10007
+ version v2
+ encryption AES128
+ authentication pre-share
+!
+
+crypto isakmp policy 10008
+ version v2
+ encryption AES128
+ hash sha2-256-128
+ group 19
+ authentication ecdsa-256
+ prf PRF-HMAC-SHA256
+!
+
+crypto isakmp policy 10009
+ version v2
+ encryption AES256
+ hash sha2-384-192
+ group 20
+ authentication ecdsa-384
+ prf PRF-HMAC-SHA384
+!
+
+crypto isakmp policy 10012
+ version v2
+ encryption AES256
+ authentication rsa-sig
+!
+
+crypto isakmp policy 10013
+ encryption AES256
+ authentication pre-share
+!
+
+crypto isakmp policy 10014
+ version v2
+ encryption AES256
+ hash sha2-256-128
+ group 14
+ authentication pre-share
+ prf PRF-HMAC-SHA256
+!
+
+crypto isakmp policy 10015
+ version v2
+ encryption AES128
+ hash sha2-256-128
+ group 14
+ authentication rsa-sig
+ prf PRF-HMAC-SHA256
+!
+
+crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
+crypto ipsec transform-set default-boc-bm-transform esp-aes256 esp-sha-hmac
+crypto ipsec transform-set default-1st-ikev2-transform esp-aes256 esp-sha-hmac
+crypto ipsec transform-set default-3rd-ikev2-transform esp-aes128 esp-sha-hmac
+crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
+crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
+crypto dynamic-map default-rap-ipsecmap 10001
+ version v2
+ set transform-set "default-gcm256" "default-gcm128" "default-rap-transform"
+!
+
+crypto dynamic-map default-rap-ipsecmap-gcm 10001
+ version v2
+ set transform-set "default-gcm256" "default-gcm128"
+!
+
+crypto dynamic-map default-rap-ipsecmap-aes 10001
+ version v2
+ set transform-set "default-rap-transform"
+!
+
+crypto dynamic-map default-dynamicmap 10000
+ set transform-set "default-transform" "default-aes"
+!
+
+crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
+crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
+localip 10.1.35.14 ipsec *redacted*
+localip 10.1.35.11 ipsec *redacted*
+localip 10.1.35.12 ipsec *redacted*
+crypto isakmp eap-passthrough eap-tls
+crypto isakmp eap-passthrough eap-peap
+crypto isakmp eap-passthrough eap-mschapv2
+
+vpdn group l2tp
+!
+
+ip dynamic-dns interval 900
+
+
+
+
+
+
+
+snmp-server community "mickey03"
+vpdn group pptp
+!
+
+tunneled-node-address 0.0.0.0
+
+adp discovery disable
+adp igmp-join disable
+adp igmp-vlan-id 0
+
+ap flush-r1-on-new-r0 disable
+amon msg-buffer-size 1264
+amon udp 0
+mgmt-server primary-server 10.1.35.10 profile default-amp transport udp
+
+
+
+ssh mgmt-auth public-key
+ssh mgmt-auth username/password
+mgmt-user admin root ********************
+mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon read-only
+mgmt-user ssh-pubkey client-cert master-ssh-pub-cert seamless-logon-w standard
+
+ntp
+
+
+
+database synchronize period 60
+ip mobile domain default
+!
+ip mobile domain default
+!
+
+ip igmp
+!
+
+ipv6 mld
+!
+
+firewall
+ prohibit-ip-spoofing
+ attack-rate grat-arp 50 drop
+ session-idle-timeout 16
+ cp-bandwidth-contract untrusted-ucast 9765
+ cp-bandwidth-contract untrusted-mcast 1953
+ cp-bandwidth-contract trusted-ucast 98304
+ cp-bandwidth-contract trusted-mcast 1953
+ cp-bandwidth-contract route 976
+ cp-bandwidth-contract sessmirr 976
+ cp-bandwidth-contract vrrp 512
+ cp-bandwidth-contract arp-traffic 976
+ cp-bandwidth-contract l2-other 976
+ cp-bandwidth-contract auth 976
+ cp-bandwidth-contract ike 1953
+ cp-bandwidth-contract udp-traffic 204800
+ cp-bandwidth-contract ippkt-err 128
+ amsdu
+wireless-bridge-aging
+ session-tunnel-fib
+ optimize-dad-frames
+ deny-needfrag-df-ipsec
+!
+ipv6 firewall
+ ext-hdr-parse-len 100
+ dpi-classif-cache 0
+!
+!
+
+!
+
+!
+firewall cp
+ ipv4 permit any proto 6 ports 9190 9190
+ ipv6 permit any proto 6 ports 9190 9190
+ ipv6 permit any proto 6 ports 15260 15260
+ ipv6 deny any proto 0 ports 0 65535
+!
+ip domain lookup
+!
+country US
+change-config-node /
+aaa authentication mac "default"
+!
+aaa authentication dot1x "default"
+!
+aaa authentication dot1x "default-psk"
+!
+aaa authentication-server tacacs "ClearPass A"
+ host "10.1.40.116"
+ key *redacted*
+ session-authorization
+!
+aaa authentication-server tacacs "ClearPass B"
+ host "10.1.40.117"
+ key *redacted*
+ session-authorization
+!
+aaa authentication via global-config
+!
+scheduler-profile "default"
+ queue-weights q0 0 q1 0 q2 0 q3 0
+ priority-map q0 "6 7" q1 "4 5" q2 "2 3" q3 "0 1"
+!
+aaa server-group "default"
+ auth-server Internal position 1
+ set role condition role value-of
+!
+aaa server-group "internal"
+ auth-server Internal position 1
+ set role condition Role value-of
+!
+aaa profile "default"
+!
+aaa profile "default-dot1x"
+ authentication-dot1x "default"
+ dot1x-default-role "authenticated"
+!
+aaa profile "default-dot1x-psk"
+ authentication-dot1x "default-psk"
+!
+aaa profile "default-iap-aaa-profile"
+ initial-role "default-iap-user-role"
+ no wired-to-wireless-roam
+ no devtype-classification
+!
+aaa profile "default-mac-auth"
+ authentication-mac "default"
+ mac-default-role "authenticated"
+!
+aaa profile "default-open"
+!
+aaa profile "default-tunneled-user"
+ initial-role "guest"
+ no wired-to-wireless-roam
+!
+aaa profile "default-xml-api"
+!
+aaa profile "NoAuthAAAProfile"
+!
+aaa authentication captive-portal "default"
+!
+aaa authentication wispr "default"
+!
+aaa authentication vpn "default"
+!
+aaa authentication vpn "default-cap"
+ default-role "sys-ap-role"
+ server-group "internal"
+!
+aaa authentication vpn "default-hp-switch"
+!
+aaa authentication vpn "default-iap"
+!
+aaa authentication vpn "default-rap"
+!
+aaa authentication mgmt
+!
+aaa authentication stateful-ntlm "default"
+!
+aaa authentication stateful-kerberos "default"
+!
+aaa authentication stateful-dot1x
+!
+aaa authentication via auth-profile "default"
+!
+aaa authentication wired
+!
+aaa authentication via connection-profile "default"
+!
+aaa authentication via web-auth "default"
+!
+web-server profile
+ cipher-suite ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
+ switch-cert "scsd_wc2_full_2025"
+!
+guest-access-email
+!
+aaa password-policy mgmt
+!
+control-plane-security
+!
+ids management-profile
+!
+ids wms-general-profile
+!
+ids wms-local-system-profile
+!
+ids ap-rule-matching
+!
+valid-network-oui-profile
+!
+traceoptions
+!
+activate
+!
+file syncing profile
+!
+ucc skype4b
+!
+ucc teams
+!
+ucc webrtc
+!
+ucc custom-sip
+!
+ucc rtpa-config
+!
+ucc jabber
+!
+ucc sip
+!
+ucc h323
+!
+ucc vocera
+!
+ucc sccp
+!
+ucc noe
+!
+ucc facetime
+!
+ucc ich
+!
+ucc session-idle-timeout
+!
+ucc wificalling
+!
+license-pool-profile-root
+ pefng-licenses-enable
+ rfp-license-enable
+!
+papi-security
+!
+est profile "default"
+!
+aruba-central
+!
+wlan sae-profile
+!
+ifmap cppm
+!
+pan profile "default"
+!
+pan-options
+!
+websocket clearpass
+!
+pan active-profile
+!
+openflow-profile
+!
+openflow-controller
+!
+sdwan-profile
+!
+dump-auto-uploading-profile "default"
+!
+ap regulatory-domain-profile "default"
+ country-code US
+ valid-11g-channel 1
+ valid-11g-channel 6
+ valid-11g-channel 11
+ valid-11a-channel 36
+ valid-11a-channel 40
+ valid-11a-channel 44
+ valid-11a-channel 48
+ valid-11a-channel 149
+ valid-11a-channel 153
+ valid-11a-channel 157
+ valid-11a-channel 161
+ valid-11a-channel 165
+ valid-11g-40mhz-channel-pair 1-5
+ valid-11g-40mhz-channel-pair 7-11
+ valid-11a-40mhz-channel-pair 36-40
+ valid-11a-40mhz-channel-pair 44-48
+ valid-11a-40mhz-channel-pair 149-153
+ valid-11a-40mhz-channel-pair 157-161
+ valid-11a-80mhz-channel-group 36-48
+ valid-11a-80mhz-channel-group 149-161
+ valid-11a-160mhz-channel-group 36-64
+!
+ap wired-ap-profile "default"
+!
+ap wired-ap-profile "NoAuthWiredAp"
+ wired-ap-enable
+!
+ap enet-link-profile "default"
+!
+ap mesh-ht-ssid-profile "default"
+!
+ap lldp med-network-policy-profile "default"
+!
+ap mesh-cluster-profile "default"
+!
+ap mesh-accesslist-profile "default"
+!
+ap wifi-uplink-profile "default"
+!
+ap multizone-profile "default"
+!
+ap usb-acl-prof "default"
+!
+dump-collection-profile "default"
+!
+ap lldp profile "default"
+!
+ap mesh-radio-profile "default"
+!
+ap usb-profile "default"
+!
+ap system-profile "default"
+ ap-console- password *redacted*
+!
+ap system-profile "NoAuthApSystem"
+ ap-console- password *redacted*
+!
+ap wired-port-profile "default"
+!
+ap wired-port-profile "NoAuthWiredPort"
+ wired-ap-profile "NoAuthWiredAp"
+ aaa-profile "NoAuthAAAProfile"
+!
+ap wired-port-profile "shutdown"
+ shutdown
+!
+gps service-profile "default"
+!
+ids general-profile "default"
+!
+ids rate-thresholds-profile "default"
+!
+ids rate-thresholds-profile "probe-request-response-thresholds"
+ channel-inc-time 30
+ channel-threshold 350
+ node-time-interval 10
+ node-threshold 250
+!
+ids signature-profile "AirJack"
+ frame-type beacon ssid AirJack
+!
+ids signature-profile "ASLEAP"
+ frame-type beacon ssid asleap
+!
+ids signature-profile "Deauth-Broadcast-From-Valid-AP"
+ frame-type deauth
+ dst-mac ff:ff:ff:ff:ff:ff
+ src-mac valid-ap
+ bssid valid-ap
+!
+ids signature-profile "default"
+!
+ids signature-profile "Disassoc-Broadcast"
+ frame-type disassoc
+ dst-mac ff:ff:ff:ff:ff:ff
+!
+ids signature-profile "Disassoc-Broadcast-From-Valid-AP"
+ frame-type disassoc
+ dst-mac ff:ff:ff:ff:ff:ff
+ src-mac valid-ap
+ bssid valid-ap
+!
+ids signature-profile "Netstumbler Generic"
+ payload 0x00601d 3
+ payload 0x0001 6
+!
+ids signature-profile "Netstumbler Version 3.3.0x"
+ payload 0x00601d 3
+ payload 0x000102 12
+!
+ids signature-profile "Null-Probe-Response"
+ frame-type probe-response ssid-length 0
+!
+ids signature-profile "Wellenreiter"
+ frame-type probe-request ssid this_is_used_for_wellenreiter
+!
+ids impersonation-profile "default"
+!
+ids unauthorized-device-profile "default"
+!
+ids signature-matching-profile "default"
+ signature "Disassoc-Broadcast"
+!
+ids dos-profile "default"
+!
+ids profile "default"
+!
+rf dot11-60GHz-radio-profile "default"
+!
+wlan 6ghz-rrm-ie-profile "default"
+!
+rf arm-profile "arm-maintain"
+ no scanning
+!
+rf arm-profile "arm-scan"
+!
+rf arm-profile "default-6ghz"
+!
+rf arm-profile "default-a"
+!
+rf arm-profile "default-g"
+!
+rf ht-radio-profile "default-6ghz"
+!
+rf ht-radio-profile "default-a"
+!
+rf ht-radio-profile "default-g"
+!
+rf spectrum-profile "default-6ghz"
+!
+rf spectrum-profile "default-a"
+!
+rf spectrum-profile "default-g"
+!
+rf optimization-profile "default"
+!
+rf event-thresholds-profile "default"
+!
+rf am-scan-profile "default"
+!
+rf dot11a-radio-profile "default"
+ max-channel-bandwidth 40MHz
+!
+rf dot11a-radio-profile "rp-maintain-a"
+ arm-profile "arm-maintain"
+!
+rf dot11a-radio-profile "rp-monitor-a"
+ mode am-mode
+!
+rf dot11a-radio-profile "rp-scan-a"
+ arm-profile "arm-scan"
+!
+rf dot11g-radio-profile "default"
+!
+rf dot11g-radio-profile "rp-maintain-g"
+ arm-profile "arm-maintain"
+!
+rf dot11g-radio-profile "rp-monitor-g"
+ mode am-mode
+!
+rf dot11g-radio-profile "rp-scan-g"
+ arm-profile "arm-scan"
+!
+rf dot11-6GHz-radio-profile "default"
+!
+wlan rrm-ie-profile "default"
+!
+wlan bcn-rpt-req-profile "default"
+!
+wlan dot11r-profile "default"
+!
+wlan tsm-req-profile "default"
+!
+wlan ht-ssid-profile "default"
+!
+wlan he-ssid-profile "default"
+!
+wlan hotspot anqp-venue-name-profile "default"
+!
+wlan hotspot anqp-nwk-auth-profile "default"
+!
+wlan hotspot anqp-roam-cons-profile "default"
+!
+wlan hotspot anqp-nai-realm-profile "default"
+!
+wlan hotspot anqp-3gpp-nwk-profile "default"
+!
+wlan hotspot h2qp-operator-friendly-name-profile "default"
+!
+wlan hotspot h2qp-wan-metrics-profile "default"
+!
+wlan hotspot h2qp-conn-capability-profile "default"
+!
+wlan hotspot h2qp-op-cl-profile "default"
+!
+wlan hotspot h2qp-osu-prov-list-profile "default"
+!
+wlan hotspot anqp-ip-addr-avail-profile "default"
+!
+wlan hotspot anqp-domain-name-profile "default"
+!
+wlan edca-parameters-profile station "default"
+!
+wlan edca-parameters-profile ap "default"
+!
+wlan mu-edca-parameters-profile "default"
+!
+wlan dot11k-profile "default"
+!
+wlan ssid-profile "default"
+!
+wlan hotspot advertisement-profile "default"
+!
+wlan hotspot hs2-profile "default"
+!
+wlan virtual-ap "default"
+!
+mgmt-server profile "default-acp"
+ stats-enable
+ tag-enable
+ sessions-enable
+ monitored-info-enable
+ monitored-info-del-enable
+ monitored-info-snapshot-enable
+ wids-event-info-enable
+ misc-enable
+ location-enable
+ uccmonitoring-enable
+ airgroupinfo-enable
+ wan-state
+!
+mgmt-server profile "default-ale"
+ stats-enable
+ tag-enable
+ sessions-enable
+ misc-enable
+ location-enable
+ uccmonitoring-enable
+!
+mgmt-server profile "default-amp"
+ stats-enable
+ tag-enable
+ sessions-enable
+ user-visibility-enable
+ misc-enable
+ location-enable
+!
+mgmt-server profile "default-controller"
+ stats-enable
+ tag-enable
+ sessions-enable
+ user-visibility-enable
+ misc-enable
+ location-enable
+ uccmonitoring-enable
+ airgroupinfo-enable
+ wan-state
+ ap-stats
+!
+mgmt-server profile "default-niara"
+ no generic-amon-enable
+ sessions-enable
+ no inline-dhcp-stats
+ no inline-ap-stats
+ no inline-auth-stats
+ no inline-dns-stats
+!
+ap authorization-profile "default"
+ ap-authorization-group "NoAuthApGroup"
+!
+ap provisioning-profile "default"
+!
+rf arm-rf-domain-profile
+!
+ap am-filter-profile "default"
+!
+ap spectrum local-override
+!
+airmatch profile
+!
+ap-lacp-striping-ip
+!
+ap general-profile
+!
+ap deploy-profile
+!
+ap provisioning-rule "PSLA"
+ condition network 10.3.35.0 24
+ action ap-group "APG03Fowler"
+!
+airslice-profile "default"
+!
+ap provisioning-rules
+ provision-rule "PSLA" priority 1
+!
+ap-group "APG33Lemoyne"
+!
+ap-group "default"
+!
+ap-group "NoAuthApGroup"
+ enet1-port-profile "NoAuthWiredPort"
+ enet2-port-profile "NoAuthWiredPort"
+ enet3-port-profile "NoAuthWiredPort"
+ enet4-port-profile "NoAuthWiredPort"
+ ap-system-profile "NoAuthApSystem"
+!
+airgroupprofile service "default-airplay"
+ id "_airplay._tcp"
+ id "_appletv-v2._tcp"
+ id "_raop._tcp"
+ description "AirPlay"
+!
+airgroupprofile service "default-airprint"
+ id "_canon-bjnp1._tcp"
+ id "_fax-ipp._tcp"
+ id "_http-alt._tcp"
+ id "_http._tcp"
+ id "_ica-networking._tcp"
+ id "_ica-networking2._tcp"
+ id "_ipp-tls._tcp"
+ id "_ipp._tcp"
+ id "_ipps._tcp"
+ id "_pdl-datastream._tcp"
+ id "_printer._tcp"
+ id "_ptp._tcp"
+ id "_riousbprint._tcp"
+ id "_universal._sub._ipp._tcp"
+ id "_universal._sub._ipps._tcp"
+ description "AirPrint"
+!
+airgroupprofile service "default-allowall"
+ description "Remaining-Services"
+!
+airgroupprofile service "default-amazontv"
+ id "_amzn-wplay._tcp"
+ description "Amazon fire tv"
+!
+airgroupprofile service "default-dial"
+ id "urn:dial-multiscreen-org:device:dial:1"
+ id "urn:dial-multiscreen-org:service:dial:1"
+ description "DIAL supported by Chromecast, FireTV, Roku etc"
+!
+airgroupprofile service "default-dlna-media"
+ id "urn:schemas-upnp-org:device:MediaPlayer:1"
+ id "urn:schemas-upnp-org:device:MediaRenderer:1"
+ id "urn:schemas-upnp-org:device:MediaRenderer:2"
+ id "urn:schemas-upnp-org:device:MediaRenderer:3"
+ id "urn:schemas-upnp-org:device:MediaServer:1"
+ id "urn:schemas-upnp-org:device:MediaServer:2"
+ id "urn:schemas-upnp-org:device:MediaServer:3"
+ id "urn:schemas-upnp-org:device:MediaServer:4"
+ id "urn:schemas-upnp-org:device:ZonePlayer:1"
+ id "urn:schemas-upnp-org:service:AVTransport:1"
+ id "urn:schemas-upnp-org:service:AlarmClock:1"
+ id "urn:schemas-upnp-org:service:ConnectionManager:1"
+ id "urn:schemas-upnp-org:service:ContentDirectory:1"
+ id "urn:schemas-upnp-org:service:DeviceProperties:1"
+ id "urn:schemas-upnp-org:service:GroupManagement:1"
+ id "urn:schemas-upnp-org:service:GroupRenderingControl:1"
+ id "urn:schemas-upnp-org:service:MusicServices:1"
+ id "urn:schemas-upnp-org:service:RenderingControl:1"
+ id "urn:schemas-upnp-org:service:SystemProperties:1"
+ id "urn:schemas-upnp-org:service:ZoneGroupTopology:1"
+ description "Media"
+!
+airgroupprofile service "default-dlna-print"
+ id "urn:schemas-upnp-org:device:Printer:1"
+ id "urn:schemas-upnp-org:service:PrintBasic:1"
+ id "urn:schemas-upnp-org:service:PrintEnhanced:1"
+ description "Print"
+!
+airgroupprofile service "default-googlecast"
+ id "_0F5096E8._sub._googlecast._tcp"
+ id "_17608BC8._sub._googlecast._tcp"
+ id "_233637DE._sub._googlecast._tcp"
+ id "_42B56469._sub._googlecast._tcp"
+ id "_668E5548._sub._googlecast._tcp"
+ id "_674A0243._sub._googlecast._tcp"
+ id "_85CDB22F._sub._googlecast._tcp"
+ id "_8DA7527D._sub._googlecast._tcp"
+ id "_8E6C866D._sub._googlecast._tcp"
+ id "_96084372._sub._googlecast._tcp"
+ id "_CA5E8412._sub._googlecast._tcp"
+ id "_CC1AD845._sub._googlecast._tcp"
+ id "_googlecast._tcp"
+ id "_googlezone._tcp"
+ description "GoogleCast supported by Chromecast etc"
+!
+airgroupprofile service "default-itunes"
+ id "_apple-mobdev._tcp"
+ id "_daap._tcp"
+ id "_dacp._tcp"
+ id "_home-sharing._tcp"
+ description "iTunes"
+!
+airgroupprofile service "default-remotemgmt"
+ id "_ftp._tcp"
+ id "_net-assistant._tcp"
+ id "_rfb._tcp"
+ id "_sftp-ssh._tcp"
+ id "_ssh._tcp"
+ id "_telnet._tcp"
+ description "Remote management"
+!
+airgroupprofile service "default-sharing"
+ id "_afpovertcp._tcp"
+ id "_odisk._tcp"
+ id "_xgrid._tcp"
+ description "Sharing"
+!
+airgroupprofile ipv6 "default"
+!
+airgroupprofile network "default"
+!
+airgroupprofile "default"
+ service "default-airplay"
+ service "default-airprint"
+ service "default-dial"
+ disallow-vlan type servers service ""
+ disallow-role "" type servers service ""
+!
+logging security subcat ids level warnings
+logging security subcat ids-ap level warnings
+
+snmp-server enable trap
+snmp-server host 10.1.35.10 version 2c mickey03 udp-port 162
+snmp-server trap source 0.0.0.0
+snmp-server trap disable wlsxAPBROADCASTSTORM
+snmp-server trap disable wlsxAPIPConflict
+snmp-server trap disable wlsxAPLoopDetected
+snmp-server trap disable wlsxAPPortDown
+snmp-server trap disable wlsxAPPortUp
+snmp-server trap disable wlsxAPUSBPLUGALARM
+snmp-server trap disable wlsxAceUsageThreshold
+snmp-server trap disable wlsxAdhocNetwork
+snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
+snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
+snmp-server trap disable wlsxAdhocUsingValidSSID
+snmp-server trap disable wlsxAuthMaxAclEntries
+snmp-server trap disable wlsxAuthMaxBWContracts
+snmp-server trap disable wlsxAuthMaxUserEntries
+snmp-server trap disable wlsxAuthServerIsUp
+snmp-server trap disable wlsxAuthServerReqTimedOut
+snmp-server trap disable wlsxAuthServerTimedOut
+snmp-server trap disable wlsxCLEARPASSSERVERINVALID
+snmp-server trap disable wlsxChannelChanged
+snmp-server trap disable wlsxClientPskAuthenticationFailed
+snmp-server trap disable wlsxClientRejectedByMaxClientCount
+snmp-server trap disable wlsxClusterVlanProbeStatus
+snmp-server trap disable wlsxCoverageHoleDetected
+snmp-server trap disable wlsxDBCommunicationFailure
+snmp-server trap disable wlsxDisconnectStationAttack
+snmp-server trap disable wlsxDot1xThresholdLimitHit
+snmp-server trap disable wlsxDot1xTotalLimitHit
+snmp-server trap disable wlsxESIServerDown
+snmp-server trap disable wlsxESIServerUp
+snmp-server trap disable wlsxFanAbsent
+snmp-server trap disable wlsxFanFailure
+snmp-server trap disable wlsxFanTrayInserted
+snmp-server trap disable wlsxFanTrayRemoved
+snmp-server trap disable wlsxFlash1SpaceOK
+snmp-server trap disable wlsxGBICInserted
+snmp-server trap disable wlsxGhostTunnelclientAttack
+snmp-server trap disable wlsxGhostTunnelserverAttack
+snmp-server trap disable wlsxHaFailoverRequestFromAp
+snmp-server trap disable wlsxHaFailoverTrigger
+snmp-server trap disable wlsxHaIntercontrollerHbtMiss
+snmp-server trap disable wlsxHaStandbyConnectivityState
+snmp-server trap disable wlsxHaStandbyIpSentFailed
+snmp-server trap disable wlsxHaState
+snmp-server trap disable wlsxIpSpoofingDetected
+snmp-server trap disable wlsxLCInserted
+snmp-server trap disable wlsxLCRemoved
+snmp-server trap disable wlsxLicenseExpiry
+snmp-server trap disable wlsxLowMemory
+snmp-server trap disable wlsxLowOnFlash1Space
+snmp-server trap disable wlsxLowOnFlashSpace
+snmp-server trap disable wlsxNAceUsageThreshold
+snmp-server trap disable wlsxNDot1xThresholdLimitHit
+snmp-server trap disable wlsxNDot1xTotalLimitHit
+snmp-server trap disable wlsxNFanAbsent
+snmp-server trap disable wlsxNLowOnFlash1Space
+snmp-server trap disable wlsxNSwitchIPv6Changed
+snmp-server trap disable wlsxNWebCCLicenseEnforcement
+snmp-server trap disable wlsxOutOfRangeTemperature
+snmp-server trap disable wlsxOutOfRangeVoltage
+snmp-server trap disable wlsxPhonyBSSIDDetected
+snmp-server trap disable wlsxPowerSupplyFailure
+snmp-server trap disable wlsxPowerSupplyMissing
+snmp-server trap disable wlsxProcessDied
+snmp-server trap disable wlsxProcessExceedsMemoryLimits
+snmp-server trap disable wlsxSCInserted
+snmp-server trap disable wlsxSignatureMatch
+snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
+snmp-server trap disable wlsxSwitchIPChanged
+snmp-server trap disable wlsxSwitchIPv6Changed
+snmp-server trap disable wlsxSwitchRoleChange
+snmp-server trap disable wlsxTHERMALSHUTDOWN
+snmp-server trap disable wlsxUserAuthenticationFailed
+snmp-server trap disable wlsxUserEntryAuthenticated
+snmp-server trap disable wlsxUserEntryChanged
+snmp-server trap disable wlsxUserEntryCreated
+snmp-server trap disable wlsxUserEntryDeAuthenticated
+snmp-server trap disable wlsxUserEntryDeleted
+snmp-server trap disable wlsxVrrpStateChange
+snmp-server trap disable wlsxWebCCLicenseEnforcement
+
+process monitor log
+
+process monitor log
+ale-configuration
+!
+conductor-redundancy
+ conductor-vrrp 35
+ peer-ip-address 10.1.35.13 ipsec *redacted*
+!
+vrrp 35
+ authentication ********
+ ip address 10.1.35.33
+ description "Secondary"
+ vlan 35
+ no shutdown
+!
+
+end