LAB-SW01#sh run
Building configuration...
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname LAB-SW01
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging snmp-authfail
logging console emergencies
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
!
!
!
!
aaa server radius dynamic-author
 client 172.21.102.150 server-key 7 REMOVED
!
aaa session-id common
switch 1 provision ws-c3850-12s
switch 2 provision ws-c3850-12s
!
!
!
!
!
ip domain name REMOVED.local
!
!
!
ip dhcp snooping vlan 102
login on-success log
!
!
!
!
!
!
!
epm logging
no device-tracking logging theft
device-tracking tracking auto-source
!
device-tracking policy DT-Policy-Test
 no protocol udp
 tracking enable
!
!
crypto pki trustpoint TP-self-signed-821321701
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-821321701
 revocation-check none
 rsakeypair TP-self-signed-821321701
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-821321701
 REMOVED
!
!
dot1x system-auth-control
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
redundancy
 mode sso
!
!
!
!
!
transceiver type all
 monitoring
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 no ip address
!
!
interface Port-channel1
 description LAB-PA-01
 switchport trunk native vlan 999
 switchport trunk allowed vlan 99,101-107,109-112,201-220
 switchport mode trunk
 ip dhcp snooping trust
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 description LAB-PA-01 - Eth2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 99,101-107,109-112,201-220
 switchport mode trunk
 ip flow monitor FLOWMONITOR input
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/6
 description ISE-LAB_WebAuth-Test
 switchport access vlan 102
 switchport mode access
 device-tracking attach-policy DT-Policy-Test
 authentication order mab
 authentication priority mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/1
 description LAB-PA-01 - Eth3
 switchport trunk native vlan 999
 switchport trunk allowed vlan 99,101-107,109-112,201-220
 switchport mode trunk
 ip flow monitor FLOWMONITOR input
 channel-group 1 mode active
 ip dhcp snooping trust
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 172.21.99.4 255.255.255.0
 standby 0 ip 172.21.99.6
 standby 1 ip 172.21.99.93
 standby 1 priority 110
!
ip default-gateway 172.21.99.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.21.99.254
!
ip access-list extended ACL-ALLOW-ALL
 10 permit ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
 10 remark deny DNS from being redirected to address bug
 10 deny udp any any eq domain
 15 deny tcp any host 172.21.102.150 eq 8443
 20 permit tcp any any eq www
 30 permit tcp any any eq 443
ip access-list extended Pre-WebAuth-ACL_Test
 2 permit udp any eq bootpc any eq bootps
 3 permit udp any any eq domain
 4 permit icmp any any echo
 5 permit icmp any any echo-reply
 10 permit tcp any host 172.21.102.150
 11 permit tcp any any eq www
 12 permit tcp any any eq 443
!
ip radius source-interface Vlan99
logging trap debugging
logging origin-id ip
logging source-interface Vlan99
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
logging snmp-trap debugging
logging host 172.21.102.86 transport tcp port 514
logging host 172.21.106.21
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE-LAB
 address ipv4 172.21.102.150 auth-port 1812 acct-port 1813
 key 7 REMOVED
!
!
control-plane
 service-policy input system-cpp-policy
!
!
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
netconf-yang
end