
Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

Sep 21st, 2012

With Jacob Ideji, Richard Hamby  and Raphael Ohaemenyi   


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Services Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring Your Own Device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Services Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is a reality.

Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years' experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.

Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.

Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.

Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  

Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

petnugen Fri, 09/21/2012 - 13:53

I think the ISE is excellent, however I think there is a real need to get some documentation on Wireless scenarios.

Some of the documentation is written around ISE code 1.0 and WLC code 7.0; other documentation is written around ISE 1.1.1 and code 7.2. The ISE is really starting to come in now and we have two different configurations due to the CoA availability in code 7.2.

I intend to play with ISE this weekend and look at CWA, LWA and 802.1x. It looks like the MIDAS doc may be really good, but I have not worked through it yet.

hobbe Sat, 09/22/2012 - 14:29

Some questions

1) Is there a good walkthrough explaining the different mechanisms working together in ISE and WLC?

Things like whitepapers and example configurations of setups?

2) Are there any plans to add SMS two-factor authentication support in the ISE?

(It's a problem and nuisance to have several different TACACS servers when one should suffice.)

3) Are there any good references covering BYOD and the different pitfalls such as legal requirements and responsibilities?

Regards

Hobbe

jideji Sun, 09/23/2012 - 16:46

Hi Hobbe,

Yes, there are configuration documents with screenshots that show ISE and wireless integration. The link below is an example of such a document, in accordance with the Cisco Validated Design program. When you say SMS 2-factor authentication, are you looking for out-of-band SMS authentication such as PhoneFactor SMS?

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

hobbe Tue, 09/25/2012 - 02:08

Hi

Sorry for the delay in my response.

Thank you for the Link, there are some nice things in there.

Regarding SMS

Yes out of band communication.

What I am looking for in the ISE is a solution where I can connect my own SMS modem, or a link to a web-based SMS service provider, and send out the SMS directly from the ISE server.

Today we have to use another AAA solution.

So we have a Windows domain, Cisco ISE and a third-party AAA RADIUS server that connects the two, sending out SMS and so on.

Not an optimal solution, and it sometimes has problems.

It would be a much nicer and more streamlined setup if we could have the SMS functionality in the ISE instead of another piece of AAA equipment.

Thank you for your response

Regards

Hobbe

jideji Tue, 09/25/2012 - 11:55

Hobbe,

This is not supported by ISE today, however if you send me your company name  and business requirement I can reach out to my ISE business unit to follow-up on this.  Thanks

You can send the above info to my email address.

My email: jideji@cisco.com

rihamby Mon, 09/24/2012 - 16:20

I agree, many of the more complete docs are v1.0 based, and the v1.1 and 1.1.1 updates are required to get the 'whole picture' at times.  As you come across documents that have not been updated for the current versions or would be good candidates, be sure to fill out the Feedback section in the left margin - we read that information.

Thanks !

parvezahmad90@g... Thu, 09/27/2012 - 11:23

Hi Richard,

Could you please provide the links where we can deploy and configure ISE, TrustSec and SGT simultaneously?

Thanks,

Parvez

rihamby Thu, 09/27/2012 - 13:32

Hi Parvez,

In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.

TrustSec Home Page

http://www.cisco.com/en/US/partner/netsol/ns1051/index.html

http://www.cisco.com/en/US/partner/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf

I find this page very helpful as a top-level start to what features and capabilities exist per device:

http://www.cisco.com/en/US/partner/solutions/ns170/ns896/ns1051/trustsec_matrix.html

The TS 2.1 Design Guides

http://www.cisco.com/en/US/partner/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

DesignZone has some updated docs as well

http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng

As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like :

http://www.cisco.com/en/US/partner/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

rihamby Thu, 09/27/2012 - 14:05

OOPS !!

I will repost the whole message with the correct external URLs:

In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.

TrustSec Home Page

http://www.cisco.com/en/US/netsol/ns1051/index.html

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf

I find this page very helpful as a top-level start to what features and capabilities exist per device:

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

The TS 2.1 Design Guides

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

DesignZone has some updated docs as well

http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng

As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

martinwisely2 Wed, 09/26/2012 - 02:01

We've got a variety of controller hardware the majority of which is WISM1s (10 WISM1s, 2 WISM2s and 2 5508s). Most of the information on BYOD that I've seen (including the two documents linked to in this discussion) are focused on the features of newer controllers.

What's the best way for us to do BYOD given that we've got to have a consistent approach across all controllers?

Thanks

rihamby Wed, 09/26/2012 - 09:27

Hi Martin,

There is an intersection of terms, features, and support at this point in time. Your question is a great one, and not one that can be answered definitively for all scenarios.

The BYOD industry buzzword has multiple meanings depending on the context it's used in. The differentiators surround what features are possible in each scenario, and matching them to the requirements. As you see, Cisco has (in a way) drawn a line stating where our 'fullest-featured' BYOD wireless solution starts: WLC code 7.2.110.0 and ISE 1.1.1. Does this mean you can't do 'BYOD' unless you have these versions? Not at all; we've all been doing BYOD in some form since the first person dialed in to our networks. But the drivers now are the typical scenario where a user wants to bring their own mobile device, access our secure network(s) and/or Internet, and we want to be able to enforce security: device posture and access policies that match our security policies. As you move down in code, certain features and capabilities become unavailable.

Ok, so, to your question: the answer would be based on what features you require and your topology. But in general, let's say you want it 'all': self-service registration, client posture/remediation, profiling, etc. In that case, we want Central Webauth (CWA) with ISE 1.1.1, and the WLC needs to be running current code 7.2 or higher, supported on the 2504/5508/7500/8500/WISM2. Not all of your controllers support this code, so if you need a ubiquitous WLAN that spans the whole enterprise that we can 'BYOD-ize', local-mode auto-anchoring may be the way to go. In that scenario, 7.2+ capable WLC(s) would be the anchor controller (2504s don't support auto-anchor). All BYOD functions on behalf of the client between ISE and the WLAN would occur on that controller. This is a nutshell answer; bandwidth and other considerations would need to be considered. But in general, that's the idea.

For other scenarios that don't require every BYOD option, Local Webauth (LWA) using older code may work. The design guides we list above have a number of these. For your specific deployment, contact your partner or Cisco account team for an assessment; there are numerous options.

Thanks,

Richard

edondurguti Wed, 09/26/2012 - 22:11

Hi guys,

Based on your experience what is the workaround for the following:

I have WLC 7.3 + ISE 1.1.1, no posture yet, just authentication and profiling; very simple.

I have two ISE appliances: ISE1.mycompany has PRIMARY admin/policy and ISE2.mycompany has PRIMARY monitoring; the rest is secondary, as I think this would take some load off of the primary ISE.

Based on INTEL/DELL MAC address I allow access to the corporate network.

Based on APPLE-DEVICE I set clients on VLAN 2.

This makes the authz rules look like this:

1.) IF INTEL/DELL and AD/users = Permit_Access

2.) IF APPLE-DEVICE and AD/users/spec = vlan2

3.) if no match then = DenyAccess

And here we go: a first-time user connects to SSID = Corporate with their Dell/Intel laptop.

Enters username, password and so on - Access Denied

(on ISE I see the default deny at the end, RULE 3, being used)

User tries again - Access Granted, RULE 1 being used

First time an Apple device user tries to log in - Access Denied

On ISE I see the same thing

User tries again, rule number 2 being used.

Any Suggestions?

This is one time only for that device and has no problem after that once it's in endpoint database, but with 10k users that's a problem for the help desk.

jideji Fri, 09/28/2012 - 12:12

Hi Edondurguti,

What identity store are you using to authenticate these users? Do you have them manually imported into ISE, or are you using the dynamic approach with the help of profiling? If you are using the dynamic approach, I have seen a known delay between when the device is profiled and when the endpoint goes through authorization. Therefore you will hit the deny access first, since the device is not yet profiled into the correct identity group. Please let me know your setup in regard to the identity store.
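To make the delay described above concrete, here is an added example (not ISE code) that models the three authorization rules from the post as a first-match policy and runs the same endpoint through authorization once before and once after the profiler has classified it. The OUI-to-profile table and MAC addresses are constructed sample values, not real vendor assignments.

```python
# Added example: first-match authorization with a profiler that lags behind.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Endpoint:
    mac: str
    profile: Optional[str] = None   # set by the profiler; None until it runs


@dataclass
class Session:
    endpoint: Endpoint
    ad_groups: Set[str] = field(default_factory=set)


# Rule conditions mirror the post: "INTEL/DELL and AD/users", "APPLE-DEVICE and AD/users/spec".
def rule1(s: Session) -> bool:
    return s.endpoint.profile in {"Intel-Device", "Dell-Device"} and "users" in s.ad_groups


def rule2(s: Session) -> bool:
    return s.endpoint.profile == "Apple-Device" and "users/spec" in s.ad_groups


# Ordered (name, condition, result); the default rule catches everything else.
RULES = [("Rule 1", rule1, "Permit_Access"), ("Rule 2", rule2, "vlan2")]
DEFAULT = ("Rule 3", "DenyAccess")


def authorize(session: Session) -> Tuple[str, str]:
    """Evaluate rules top-down, first match wins; return (rule name, result)."""
    for name, cond, result in RULES:
        if cond(session):
            return name, result
    return DEFAULT


# Hypothetical profiler: classifies by the first three octets (constructed OUIs).
OUI_TO_PROFILE = {"AA:AA:AA": "Dell-Device", "BB:BB:BB": "Apple-Device"}


def run_profiler(endpoint: Endpoint) -> None:
    endpoint.profile = OUI_TO_PROFILE.get(endpoint.mac[:8].upper())


def first_and_second_attempt(mac: str, ad_groups) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Simulate the race: authz runs before the profiler has classified a new endpoint.

    Returns the (rule, result) pair of the first attempt and of the retry.
    """
    ep = Endpoint(mac)                                   # new MAC, not in the endpoint DB yet
    first = authorize(Session(ep, set(ad_groups)))       # profile is None -> default deny
    run_profiler(ep)                                     # profiling completes afterwards
    second = authorize(Session(ep, set(ad_groups)))      # now matches rule 1 or 2
    return first, second


if __name__ == "__main__":
    print(first_and_second_attempt("AA:AA:AA:01:02:03", ["users"]))
    print(first_and_second_attempt("BB:BB:BB:01:02:03", ["users/spec"]))
```

Any rule whose condition depends on the profiler's identity group is subject to this ordering; the retry succeeds only because the endpoint is now in the endpoint database with a profile attached.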

edondurguti Fri, 09/28/2012 - 12:16

Hi Jideji

Thanks for your reply, I am using Active Directory store, I don't have them manually imported into ISE or anything.

I have tried using the local store on ISE but it would not help; the same thing would happen, it's kind of delayed.

Is there anything I can do to overcome this delay, or should I just live with the fact that users will have to try twice, once in their life?

patrick.kofler Thu, 09/27/2012 - 00:51

Hi,

I wanted to ask if there will ever be the possibility in the ISE to customize the NMAP database in order to manually add new services to scan.

Regards,

Patrick

apatel@bma.org.uk Thu, 09/27/2012 - 08:14

Hi,

We are having a problem with Windows + PEAP + LDAP on Cisco Secure ACS 5 because Windows doesn't support PEAP EAP-GTC out of the box. So we have to get around it by providing a guest wireless with webauth only, because of the Windows machines.

Can you confirm that ISE allows us to get round this issue? I.e. can we authenticate Windows users using 802.1x and an LDAP database without doing anything on the Windows side?

Thanks!

rihamby Thu, 09/27/2012 - 14:01

Hi Alkesh,

802.1x specifically requires a supplicant on the client to work, so there's no way to do 'passive' 802.1x without a supplicant being configured.  With ISE, you have the option of doing client provisioning/posture/remediation, so you may be able to provide the clients with the needed resources.

Thanks,

Richard

apatel@bma.org.uk Fri, 09/28/2012 - 03:46

Thanks for the answer, but Android and iOS devices, as well as Linux and Mac OS, do not need any specific configuration. So now, whether those devices already have a supplicant that supports 802.1x or whatever else, there is no need to configure them! They get the certificate and enter a login and password once, and that's it.

And as far as I am aware, Microsoft does the same thing, but it only works with AD because LDAP doesn't work with MSCHAP v2.

So maybe I should rephrase my question. Can this product use an LDAP database and authenticate Windows clients?

rihamby Fri, 09/28/2012 - 12:40

Hi Alkesh,

Yes - I may have misunderstood your question. I thought you were asking if there was a way to bypass the Windows supplicant and perform 802.1x PEAP-GTC against ISE if the Windows supplicant is missing the GTC plugin.

Many of the more intelligent supplicants auto-configure based on the security type detected (very nice feature). They still need to be able to support the EAP type and inner method the RADIUS server has available, though. For example (as you pointed out), an iPad can automatically utilize EAP-GTC and not require PEAP/MS-CHAPv2 (as long as the RADIUS server is configured for GTC).

So, as you ask, can ISE perform LDAP authentication with Windows devices? The rules are essentially the same for ACS5 and ISE when it comes to using an LDAP external identity store. If the inner method between supplicant and RADIUS is MS-CHAPv2 (which is typical PEAP), we can't perform LDAP authentication.

If the LDAP server is able to return the user's password in clear text, you can perform Local EAP authentication on the WLC using an external LDAP server (bypassing RADIUS). AD cannot be configured to do this; some other LDAP servers can. Hence EAP-GTC is often deployed as an alternative when either the supplicant or server can't support MS-CHAPv2. But, as you are seeing, some supplicants don't have GTC support by default, so they will fail the PEAP/MS-CHAPv2 auth and EAP-GTC isn't available as an alternative to them.

Are we on the same page, or am I missing it again?

apatel@bma.org.uk Tue, 10/02/2012 - 06:40

Hi Richard,

Thank you very much for the answer. I think you answered my question this time

I'm still investigating this product as I believe we will still benefit a lot from it in other areas.

rihamby Thu, 09/27/2012 - 13:38

Hi All,

******  QUICK NOTE *****

We may answer your posts out-of-order as there are 3 of us responding - just FYI

Thanks !

apatel@bma.org.uk Fri, 09/28/2012 - 03:52

We also use our Cisco ACS for managing authentication on our switches and many other devices. So my other question is, can ISE replace our ACS in that case or do we still need it ?

Thank you !!

rihamby Fri, 09/28/2012 - 13:05

Hi Alkesh,

One of the biggest differences between ISE and ACS with respect to device management is TACACS support. ACS5 does TACACS, ISE does not. If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs. But personally, I think ACS is currently superior to ISE for this task.

Richard

shijogeorge Mon, 10/01/2012 - 09:39

Hi Richard,

Any plans to add TACACS support to ISE in near future?

TIA

Shijo George

rihamby Mon, 10/01/2012 - 10:07

Hi Shijo,

We understand there are plans to add TACACS to ISE at some point in the future, but there is no published commit for it. My guess would be 18 months or so, but features are always very dynamic, so check back.

Emperor2000 Thu, 10/04/2012 - 10:07

Hello.

I have a question regarding WLC integration with ISE.

I am looking into an application where you would want to have a WLC talking to an ISE appliance.

On the WLC there is one Guest SSID.

Authentication for this Guest SSID is tied to the ISE server.

I now want ISE to ask one of 2 RADIUS servers for the authentication of the client.

The problem is how do I separate the 2 servers?

The RADIUS servers are Windows Active Directory servers with their RADIUS service running.

There is no connection between the servers and they contain different users and such.

The function I want is for the ISE to choose the RADIUS server according to user input besides SSID.

For instance, say user brad in domain D1.local and andy in domain d2.local.

Is there a way that perhaps brad could type brad@d1.local and andy type andy@d2.local and have them authorised against the different RADIUS servers? (Brad then is being authorised towards the first RADIUS server and andy towards the second.)

All this from the same SSID?

jideji Thu, 10/04/2012 - 16:26

Do you have two domains with a trust relationship? If yes, then you can add one domain to ISE and have these users authorized based on their group membership. On the other hand, if you don't have a trust relationship, your best solution depends on authentication requirements and EAP methods.

Options:

EAP-GTC or EAP-TLS w/ LDAP

RADIUS Proxy
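As an added illustration of the RADIUS Proxy option listed above (this is not ISE code, and ISE's own proxy configuration is not shown here): a realm-based dispatcher that picks the upstream RADIUS server from the part after the last '@' in the identity the user types, the user@domain form asked about in the thread. Server names and ports are constructed placeholders; realms that are missing or unknown get no route, so the proxy rejects instead of guessing.

```python
# Added example: route a RADIUS request to an upstream server by the identity's realm.
from typing import Dict, Optional, Tuple

# Realm -> (upstream RADIUS server, port). Constructed placeholder values.
REALM_TO_SERVER: Dict[str, Tuple[str, int]] = {
    "d1.local": ("radius-d1.example.invalid", 1812),
    "d2.local": ("radius-d2.example.invalid", 1812),
}


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a user@realm identity (NAI style) into (username, realm).

    The realm is taken after the LAST '@' so a username containing '@' is
    not mis-routed; realms are normalised to lower case for matching.
    """
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()


def select_server(identity: str, strip_realm: bool = False):
    """Return ((server, port), identity_to_forward) or None when there is no route.

    strip_realm=True forwards the bare username, for upstream servers that
    expect 'brad' rather than 'brad@d1.local'.
    """
    user, realm = split_nai(identity)
    if not user or realm is None or realm not in REALM_TO_SERVER:
        return None          # missing or unknown realm: reject, never fall through
    forwarded = user if strip_realm else identity
    return REALM_TO_SERVER[realm], forwarded


if __name__ == "__main__":
    for ident in ("brad@d1.local", "andy@D2.LOCAL", "carol", "dave@d3.local"):
        print(ident, "->", select_server(ident))
```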

Emperor2000 Thu, 10/04/2012 - 22:51

Hello

No, there isn't a trust relationship between the 2 domains.

It is preferable to use RADIUS in this application. The real question is whether I can get the ISE to choose the RADIUS server depending on user input, for instance by adding the domain name after the username or something similar?

Posted September 21, 2012 at 11:12 AM