This discussion is locked

Ask the Expert: BYOD with Identity Services Engine

Unanswered Question
Jun 28th, 2013

Read the biowith Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4 (1 ratings)
huangedmc Sun, 06/30/2013 - 23:53

hello Bernardo,

Could you please tell me the minimal version of Mac OSX that's supported for auto-provisioning / client onboarding?

We're running ISE 1.1.3, and were able to onboard Windows 7, Apple iOS, and Android devices, but not a MacBook in our tests.

The MacBook was quite old, so we'll find another Mac OSX device to test, but wanted to know what the minimal requirement is.

===

Also, we followed a Cisco BYOD guide to do onboarding for Android devices, by allowing tcp & udp ports 5228, 8889, and 8880 to Google subnets in the WLC re-direct ACL.

However, we found that's not enough, and had to also allow tcp 80 & 443, otherwise client Android deivce would not be able to connect to Google Play & download the Cisco network setup assistant.

This creates confusion for the end users, because they wouldn't get redirected when they browse to google.com, until they hit a non-Google URL.

Is there any way around this caveat?

I know it's not Cisco's fault that ports 80 & 443 are required for Google Play to work, but was just wondering if anyone's found a good way to work around this.

===

Because of the Android Google Play caveat above, we tried to use a different redirect ACL on WLC, just for Android devices, so that all the non-Android users would be redirected when they browse to google.com, as an attempt to cut down confusion (by not having permits to Google subnets in the RACL).

Unfortunately it's not working.

When Android users connect, WLC realizes it's supposed to use a different ACL called "ACL-REDIRECT-GOOGLE".

I can see it when I click into the client details on the WLC.

However, the ACL hitcount remains zero.

If you happen to know what's causing this issue on top your head because you've seen it before, please let me know.

Otherwise we can just open a TAC case, since it'll probably require some sort of debugging, which is hard to do through a NetPro forum.

===

thanks!

Kevin

begaspar Mon, 07/01/2013 - 03:07

Hello Kevin,

What Mac OS version were you running? It should be supported from Mac OS X 10.4:

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp269183

I've also found information that it's supported from 10.5.2 only (perhaps only applicable to Agent 4.9.x versions).

Regarding the Google play issues, the recommendation is to allow traffic to the IP addresses of the google play stores. You can verify your regional IP addresses with nslookup play.google.com. This will not interfere with the google page.

Regarding the ACL, if you do see it applied correctly on the WLC but there aren't any hits, the best is indeed to open a TAC case for the WLC.

Thank you and best regards,

Bernardo

huangedmc Wed, 07/10/2013 - 05:19

hi Bernardo,

Thanks for providing the link to the supported OS & Java versions, but it's for NAC/Clean Access.

We're seeking supported OS & Java versions for ISE client onboarding.

Is there a different URL, or the same system requirement applies for both NAC and ISE?

===

Also, we did open a TAC SR for the Google Play / WLC RACL issue, in case anyone was wondering.

Issue was two folds:

1. Bug on 7.2.111.3 - had to upgrade anchor WLC's to 7.4.100.60. (other versions may also work, but we went for the latest)

2. The redirect ACL also had to be present on the foreign WLC, in addition to anchor.

After above two steps were performed, WLC was able to properly use the correct redirect ACL when onboarding Android devices, and allow access to Google Play.

===

thx

Kevin

begaspar Wed, 07/10/2013 - 09:10

Hi Kevin,

I'm happy to hear the issue with Google Play was resolved ;-)

The Agent information is common to both ISE and Clean Access 4.9. As far as I know, this info is listed only in CCA documents but applies for ISE as well.

Thank you and best regards,

Bernardo

Amjad Abdullah Mon, 07/01/2013 - 00:57

Hello Bernardo,

How are you? Hope everything is OK.

As a new guy that wants to start using and configuring ISE, is there anything like "quick start guide" for configuration?
Or basic configuration examples?

I am aware that there is a user guide but from my experience it is not handy when you want quick hints only.

If there is something like config examples for the basic and most common scenarios that will be more useful and more time-saving.

Regrards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Amjad Abdullah Wed, 07/03/2013 - 03:44

Thank you Bernardo,

Thank you for the config examples link.

I understand that ISE is a complex product and is not really easy. But I was thinking if there is a guide or something for those people coming from ACS 5.x perspective.

The config examples are really helpful if followed to make one understand the configuration procedures.

Thank you.

Amjad

Rating useful replies is more useful than saying "Thank you"

salilai01 Mon, 07/01/2013 - 08:50

Hi Bernardo,

I'm very glad to know that I can ask all my questions to an expert in the ISE domain. 

For this topic, I have to make a matrix comparative between ISE on vmware and ISE on physical appliance, could you help me to present it as simple possible? my problem is that I don't have enough points of comparison

Thanks in advance

descalante2007 Mon, 07/01/2013 - 11:22

Hello Bernardo:

I have a couple of issues related to Guest Sponsor and Guest Activity

1) I already have the ISE communicating with the AD successfully. I also had modified the AuthC rules to validate that only my customer employees have access to the SPONSOR Portal. But the customer is worried about AD security; I understand LDAP is not secure so the option is to use LDAPS, but the customer does not like to provide us with the Certificate Root Certificate ... So the questions are, How dangerous can be the ISE vs AD connection? Is it really unsecure? What other options we may have?

2) The same customer likes to get guest activity reports (actually I just waiting to be allowed to access the ASA). The ISE is a 3315 model; I had read the manual indicating that automatic backups are done when the disk space reach 80% (default) and only last 90 days (default) are keeped on the system. The questions are about how apply this parameters in this model ... I mean 80% of 500 GB (factory HD) or 80% from something else ...

On the other hand could it be possible to set the ASA send syslog messages somewhere different to ISE and then the ISE retrieve the data to generate the guest activity report?

Regards.

begaspar Tue, 07/02/2013 - 09:45

Hello,

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

2) The backups are triggered when the MNT node's disk is 80% full.

ISE will not actively fetch the data for the guest activity report, the ASA must be configured to send the syslogs to ISE directly.

Thank you and best regards,

Bernardo

descalante2007 Tue, 07/02/2013 - 10:14

Thanks for your reply

you said:

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

The question is how is the traffic between ISE and DC protected? The customer request us to use LDAPS because they know the communication with AD is usually in clear text using LDAP ... is it right?

Best regards

Daniel

begaspar Thu, 07/04/2013 - 23:02

Hello Daniel,

The customer request us to use LDAPS because they know the communication with AD is usually in clear text using LDAP ... is it right?

LDAP is a protocol to communicate with directory services. LDAP sends sensitive information in clear text.

The directory service (DS) can be Microsoft AD or other vendor's own directory service implementation.

There are multiple protocols that communicate with DS.

Microsoft Active Directory has its own protocol to communicate with its own DS. This protocol is secure and encrypted. ISE is capable of using this protocol to communicated with Microsoft AD DS:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1079999

LDAPS is also secure and encrypted.

Thank you and best regards,

Bernardo

Manannalage ras... Tue, 07/02/2013 - 01:17

Hi

What are the main additional features of ISE 1.2 compare to the current version & when it is expect to release ?

Rasika

begaspar Tue, 07/02/2013 - 10:01

Hi Rasika,

In short, there will be many enhancements to existing features, such as:

  - Guest and Sponsor pages

  - Reports and Alarms

  - Live authentications page

  - NAC Agent

  - Performance and scalability

Some new things are also being added, for example:

  - Interoperability with MDM

  - MAB from non-Cisco switches

  - Wildcard certificates support

  - Support for Windows AD 2012

Were you looking for any particular enhancements?

I recommend going through the release notes once the release is available, for more information and an extensive list.

There is no clear release date yet, but it's expected to be available towards the end of the month/beginning of August. However, keep in mind it may be subject to delays depending on the dev test results.

Thank you and best regards,

Bernardo

Octavian Szolga Tue, 07/02/2013 - 10:41

Hello Bernardo,

Can you please detail how can one configure posture for remote access users using iPEP and an ASA that is providing RA VPN services, internet connectivity for internal users and resource publishing by using DMZ?

I'm asking this in the context in which the ASA has to send the traffic from RA VPN pool to inside network and only this traffic by the means of iPEP, and ASA does not support Policy Based Routing so that the routing decision to be made using the source IP address.

Any thoughts/ideas? Is there any Cisco tehnical support team /portal for cases like this one?

I've also wrote a fairly long post about this problem, but nobody had the pleasure or willing to answer.

(https://supportforums.cisco.com/thread/2224538)

begaspar Thu, 07/04/2013 - 23:09

Hello Octavian,

If I understand correctly, your main challenge is how to separate in ASA the traffic that needs to be sent directly from the traffic that needs to flow through IPEP.

For this, I'd suggest to post your question in an ASA forum. The ASA is out of my area of expertise, I don't know if this is possible to achieve.

Thank you and best regards,

Bernardo

radu.ioncu Wed, 07/03/2013 - 03:58

Hello Bernardo,

I am having issues with the Cisco NAC Agent popping up in my current ISE deployment. ISE version is 1.1.3 patch 2, and the deployed NAC agent version is 4.9.0.51.

The Cisco NAC agent has no problem popping - no preconfigured XML file - up with PC's connected via both Wi-Fi (WLC 4400) and wired (CAT4500 15.0.2 - SGA6) on VLANs with DHCP turned on. When I connect the PC - wired - to a VLAN with no DHCP server configured and with a static IP address, the NAC Agent does not pop up, and the PC is stuck in the Posture_Discovery_AuthZ phase.

This happens on the same switch, on the same port with the same configuration - the only difference being the VLAN swap (works with DHCP VLAN, doesn't work with STATIC IP VLAN).

Are there any known caveats for NAC Agent popping up with PC's with Static IP's set?

Thanks!

begaspar Wed, 07/03/2013 - 09:23

Hello Radu,

I'm not aware of any caveats for NAC Agent with static IP address.

When the Agent starts, it tries to discover the policy node like like this:

1. HTTP discovery probe on port 80 to discovery host, if one is configured.

2. HTTPS discovery probe on port 8905 to the discovery host, if one is configured.

3. HTTP discovery probe on port 80 to default gateway.

4. HTTPS reconnect probe on 8905 to previously contacted ISE policy node.

5. Repeat from 1.

As you don't have a discovery host configured, the first 2 steps are skipped. Then, the Agent should send the HTTP discovery probe on port 80 to the default gateway. This request should be redirected by the switch, with the redirect URL it receives from ISE.

I suggest checking:

  - client default gateway configuration

  - that the switch interface is getting the redirect URL

  - that the ACL redirects the HTTP traffic towards the ISE

Thank you and best regards,

Bernardo

Eduardo Aliaga Wed, 07/03/2013 - 23:55

Hello Bernardo

1) What would you say it's the best practice to configure the "discovery host" in a distributed deployment. Will it be to put the ip addresses of every ISE PSNs in the "discovery host field" ? or leaving this field empty ?

2) Is it possible to trigger the NAC agent immediately after computer authentication ? currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop-up, that's very annoying for the user.

Best regards

begaspar Thu, 07/04/2013 - 23:21

Hello Eduardo,

1) What would you say it's the best practice to configure the "discovery host" in a distributed deployment. Will it be to put the ip addresses of every ISE PSNs in the "discovery host field" ? or leaving this field empty ?

It depends. If you're talking about 802.1x you normally don't need to configure a discovery host. As part of the discovery process, the Agent will send a HTTP packet to its gateway.

If the redirection is properly configured and applied on the port, this request is redirected to the policy server which replies and initiates the posture assessment.

For VPN users with IPEP you need to enter only one discovery host. The recommendation is to NOT use ISE as a discovery host. Rather, it should be an IP/hostname that would trigger a redirection to the active policy node.

2) Is it possible to trigger the NAC agent immediately after computer authentication ? currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop-up, that's very annoying for the user.

Not that I know of.

Thank you and best regards,

Bernardo

radu.ioncu Thu, 07/04/2013 - 00:11

Hi Bernardo,

Thank you for the quick reply. After your answer, we realized that the issue wasn't related to DHCP, it was most likely a PC issue.

During the NAC Agent implementation, I have observed several cases of the NAC Agent not popping up, even though network configuration is OK (I always test with no Discovery Host configuration enabled - or I delete the .xml file). I have not been able to pinpoint the exact cause, though sometimes the NAC Agent does pop up if I restart PC's with the Ethernet cable connected.

We have also seen problems with users going from Wired to Wi-Fi and ending up stuck in Posture_Discovery phase. Do you have any insight into this issue, and why it seems to happen on a random basis? Would a NAC Agent update help with this issue? (currently running 4.9.0.51).

Thank you!

begaspar Wed, 07/10/2013 - 09:12

Hi Radu,

This would require analysis of the logs, I'd suggest opening a TAC case if the issue is persisting.

Thank you,

Bernardo

jcarrabine1 Wed, 07/03/2013 - 06:25

Hi Bernardo

I have two questions regarding my ISE implementaion

1) VLAN's won't move for wired VLAN's. Is ISE capable of doing this? If so what would cause them not to move. Wireless works fine.

2) I have a distributed deployment. The ISE primary admin and policy services node sit in one building on one network, and the secondary admin and policy services nodes sit in another building on a different network. I have a third building that I want to manage via ISE that is on a third network. What do I need to configure on the core in thier building to make their traffic direct to ISE. I already have ip helper-address configured for all VLAN's is there anything else?

Eduardo Aliaga Thu, 07/04/2013 - 00:04

Hello jcarrabine

ISE can change VLANs. You have to create the auhorization condition , the authorization profile, and then tie those elements in a single authorization rule.

About distributed deployment, the ip helper-address is useful when sending DHCP information to ISE in order to do profiling. If you want to do only authentication there's no need to redirect the user traffic to ISE. If you want to do posture then you need a redirect access-list in order to use the posture captive portal.

Please rate if this is helpful

jcarrabine1 Thu, 07/04/2013 - 10:56

Interesting. The method you described for moving the wired VLAN's is how I'm doing it for wired and wireless, but it's only working for the wireless VLAN's. I wonder if there is an IOS issue? Hmmm

jcarrabine1 Thu, 07/04/2013 - 14:31

Nope. that's not it. Running 12.2(33)SXI11

begaspar Thu, 07/04/2013 - 22:38

Hello jcarrabine,

Indeed it's possible to assign vlans with radius attributes. Are clients hitting the correct authorization profile?

Is authorization configured on the switch? It must have 'aaa authorization network' configured, otherwise radius attributes for 802.1x authentications aren't processed.

Does the vlan exist on the switch? What hostmode do you have configured on the interface?

Thank you and best regards,

Bernardo

jcarrabine1 Fri, 07/05/2013 - 03:30

I think it's the aaa authorization network command. I forgot that I had removed that command because when I put it in the switch it removed aaa authorization TACACS+ local so I wanted to research what kind of impact that would have on the network without the aaa authorization TACACS+ local. We do still use ACS for TACACS.

Thank you,

Jeff

Sander Magnin Thu, 07/04/2013 - 03:56

I would like to know if NIC bonding is on the road map of ISE?

begaspar Thu, 07/04/2013 - 22:48

Hello Sander,

To the best of my knowledge, it's not on the roadmap yet. I'd advise to get in touch with your local Cisco account/sales team and ask for an enhancement.

Thank you and best regards,

Bernardo

Sander Magnin Thu, 07/04/2013 - 04:00

My customer is limited in his VM space. Although he would like to have a active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this in production. With a limited HDD space, what would be the recommended space (300 GB?)

 

administration

 

monitoring

 

policy service

 

Machine VM   

 

primary  

 

Not enabled

 

enabled

 

Machine HW   

 

secondary

 

primary  

 

enabled

 
begaspar Thu, 07/04/2013 - 22:55

Hello Sander,

If I understand correctly, you want to run the primary administration node in a VM while having the secondary administration node + primary in an appliance. Your concern is how much disk space to allocate to the primary admin VM as you're limited to 300 GB.

Both servers will run as policy nodes.

Here you can find the recommended values for ISE VM Disk size, depending on their role:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_vmware.html#wp1110217

An admin role should have at least 200 GB, a policy node 100 GB, I'd go for the full 300 GB.

Thank you and best regards,

Bernardo

patel.dipesh Fri, 07/05/2013 - 03:58

Hello Gaspar,

I have few queries regarding ISE :

- Is ISE supporting virtual environment ?

- For the Virtual Desktop / Server will ISE help for posture assesment and enforcement?

- If new Machine is connected to network without any agent, what functions can ISE provide?

- How long it will take post installation of the Agent? Is it realtime ? is it configurable?

- What type of Notification ISE can provide in the case of no agent installed in the new Machine?

- Asset classification will be based on what? Is it based on which we have configured i.e. role, domain, IP etc ?

- Can ISE detect rougue AP ?

- Will ISE support virtual machines e.g. hypervisor?

- - If new Network device i.e. siwtch installed in network, will it automatically sync and begin working?

- ISE is capable of inteegration with Existing Symentac AV and SCCM product for the compliance?

- If agent installed, can it be possible for self-remediation ?

- No of end points supported by ISE?

- List of Third party end devices supported ?

Regards

henrikj Fri, 07/05/2013 - 05:26

Hi Bernado

While doing eap-chaining i change vlan, when user is posture compliant, works great...

But i also use roaming-profiles.

So  when i log off, the vlan changes back to default immediately, and  syncronization off roaming-profile fails, because of the vlan change.

I tryied th set the" vlan detect interva"l in the Nag-agent to 10sec, but it didn´t change anything.

Is it possible to have the switch or Anyconnect NAM client to delay the vlan change ??

Regards Henrik

begaspar Wed, 07/10/2013 - 09:20

Hello Henrik,

This question is more regarding 802.1x on the switch or AC/NAM. ISE isn't involved in this process, all it does is pass the vlan id to the switch after the client authenticates ;-)

When the user logs off, as soon as the switch receives the EAPOL-Logoff it will set the vlan back to the default one. As you say, potentially delaying the logoff from AC/NAM until the roaming profile is saved might work, but I'm not aware of any way of achieving this.

A potential workaround is to allow the needed traffic to save the roaming profiles on the default vlan. But if the client isn't able to renew its IP address it would probably fail as well. Did you try this?

Regardin the vlan detect interval in the NAC Agent, it wouldn't make delay the logoff process because:

1. NAC Agent doesn't participate in the 802.1x process, only in posture (vlan assignment, eap chaining - not part of the posture process)

2. This is a timer to set how often the NAC Agent searches for a network change, so it communicates with ISE using the correct IP address.

Thank you and best regards,

Bernardo

miovieira01 Sun, 07/07/2013 - 15:08

Hi Bernado, I hope you're very well.

So, I'd like to know if I can achieve any level of BYOD using Cisco ISE 3315 with Basic License.

Thank you!

begaspar Wed, 07/10/2013 - 09:30

Hi Milton,

If by BYOD you mean automatically enrolling and provisioning different kinds of devices, then no. With a base license you wouldn't be able to profile the clients nor automatically provision them.

If you mean bringing a personal device to the corporate environment, manually configuring it to access the network and using ISE as an authentication server, then the base license would be enough.

From the ordering guide:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/guide_c07-656177.html

---snip---

Advanced license features include device onboarding and provisioning, device profiling, posture services

---snip---

Thank you and best regards,

Bernardo

pathfindertech Mon, 07/08/2013 - 05:51

Hi Bernado,

            We are having CVP4.0(2) for our VOIP Communications, which Cisco has announced End of Life.

            We are having CCM version 7.1 and Unity VM 4.0.

            Now we need to upgrade our CVP to latest version , Please advice what will be the best solution to upgrade and renew our contract.

Thanks

begaspar Wed, 07/10/2013 - 09:32

Hello Syed,

This thread is for questions regarding ISE, which is a AAA server. I'd suggest either trying the voice tech forums or contacting your local Cisco partner or Cisco sales team for alternatives.

Thank you and best regards,

Bernardo

nurullahkazar Fri, 07/12/2013 - 01:48

Hello Bernardo,

I've wondering how we can solve MAR time issue?

If we use machine authentication in authorization policies and client does not shut their computers within the MAR time, it will be a problem.

Only way I know to prevent this is AnyConnect NAM module but if customer does not use this, we can not find any solution.

How we can proceed?

Thank you.

Nurullah Kazar

Actions

Login or Register to take actions

This Discussion

Posted June 28, 2013 at 4:54 PM
Stats:
Replies:41 Avg. Rating:4
Views:4381 Votes:0
Shares:0

Related Content

Discussions Leaderboard