Cisco ISE 1.2.1 solution BYOD

Jun 23rd, 2014

Hi there. 

I want to set up a Cisco ISE 1.2.1 solution for my wireless users. The solution will have 2 SSIDs.

SSID: Guest 

This will be used with the guest portal and self registration portal for guests. A dedicated VLAN or dACL will be applied.

SSID:Employee 

This will be used for all corporate devices with corporate machine certificates (EAP-TLS); the corporate dACL will be applied (permit ip any any).

This will also be used for BYOD devices. All devices that don't have a corporate machine certificate need to authenticate by PEAP and MSCHAPv2. The device will go through the self provisioning process and get a BYOD certificate from a dedicated BYOD CA server by SCEP. A dACL will be applied that only gives access to the internet.

 

I want to hear about your experiences with this kind of setup. Pros and cons. What do you think?

Roger Base Wed, 06/25/2014 - 23:45

Hi salodh.

I am not asking for a guide for setting up the BYOD, but more on experiences in setting up both EAP-TLS 802.1X and BYOD solution on the same SSID with dACLs.

 

nspasov Thu, 06/26/2014 - 09:30
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

I have done several deployments similar to your example and it works as expected. Couple of things to keep in mind:

1. dACLs are not supported on the WLCs, so you will have to use ACLs created on the WLCs directly.

2. If you are using FlexConnect (Local Switching) you cannot use ACLs created on the WLC. You can only use dynamic VLAN assignment and then map the VLANs to FlexConnect ACLs.

3. Android devices require access to Google Play to download the Cisco Network Assistant, which is required for the BYOD process. Thus, I would recommend you create a separate policy for Android-based devices. In addition, I would recommend running code 7.6 on the WLCs, which allows you to use "DNS based ACL entries".

Hope this helps.

 

Thank you for rating helpful posts!

Roger Base Thu, 06/26/2014 - 12:47

Hi Neno. Thanks for your reply. Yes, that's correct. I need to specify the access list on the WLCs. Do you have experience with Windows phones and BYOD? Will they work like iDevices, or will they make trouble like Android?

nspasov Thu, 06/26/2014 - 12:55

Windows Phone OS is currently not supported by the BYOD on-boarding with ISE. For those you should look into an MDM provider. 

Android, on the other hand, should work just fine. I haven't had any issues on-boarding those. You just need to give them access to the Google Play Store.

Roger Base Fri, 06/27/2014 - 04:35

Is Windows Phone OS really not supported with BYOD self provisioning on version 1.2.1 in 2014?

Is it possible to generate a guest user account with the self registration page without manually typing the MAC address? If yes, this can be the solution for Windows phones.

The goal is to give internet access to the Windows phones too.

Oh yeah, it's not so easy to just give access to the Google Play Store :-) They have a huge network /16 with mixed services. So I will need to open for their /16 network.

 

How would you make the solution if the requirement is to handle iDevices, Windows, Androids and Windows for BYOD (internet access)?

 

BTW, is it possible to have lists of users? One list for guests (generated by the self registration page on the GUEST SSID, with an expiration time of 8 hours) and one list for all Windows phones and other devices that cannot do CA BYOD, where the device MAC addresses are typed by a sponsor on the sponsor page with an unlimited expiration time, for SSID: Employee?

 

I know, lots of questions, but I really need to understand this setup from an experienced guy :-)

nspasov Fri, 06/27/2014 - 14:43

Question #1: That is correct. No Windows Phone, Windows RT or Blackberry. It would be nice to support all platforms and devices, but it appears that Cisco is only putting effort into those that have a good amount of market share. Windows Phone seems to be getting more popular, so hopefully it will be supported soon.

Question #2: I am not sure I fully understand. You should be able to perform guest self registration without the need to manually enter the device's MAC address. Overall, I think the best option for such devices is to go through an MDM solution such as Airwatch, Mobile Iron, etc. If that is not an option then you could perhaps allow PEAP username/password and link that to a specific "Windows Phone BYOD" AD group and only place authorized users there. You can further lock down the authorization by making sure that the device used is "Profiled-Windows Phone".

Question #3: You don't have to permit the whole /16. Again, if you use 7.6 code you can add DNS entries to the ACL instead of IPs. Check the document below:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/W...

Question #4: I am a little bit confused between the requirements for the guest and employee SSIDs. To allow Windows Phone you can either use MDM or PEAP user auth (example given in Question #2).

Hope this helps!

 

Thank you for rating helpful posts!

Roger Base Sun, 06/29/2014 - 06:51

Thanks for the quick reply Neno. I appreciate that!

Just to make it clear: this solution is based on wireless endpoints only.

I am designing the solution for BYOD (employee non-corporate devices) and corporate access for corporate devices (laptops with machine certificates) on the same SSID.

All corporate devices will use EAP-TLS with machine certificate authentication. (Cisco NAM module vs. built-in Windows supplicant for EAP-TLS? What would your choice be?)

Everything else that doesn't have a corporate certificate should automatically try PEAP (AD username & password) with MSCHAPv2 and go through the self-provisioning page that provides a BYOD certificate (via SCEP) to the endpoints, and that should give internet access by BYOD_acl on the controller.

The problem is now that there are Windows Phone OS endpoints (no supplicant for Windows Phone OS, as you told me). So I am trying to figure out how I can make a solution for that. How can I use PEAP authentication without linking it to the self-provisioning page like the other devices, and how can I differentiate Windows Phone from other devices to match a specific policy for Windows phones only in Cisco ISE?

I cannot use 7.6 code for the WLC because of some stability problems with that code.

I do not have any chance to implement an MDM solution in this case.

The Guest solution is quite straightforward in this scenario:

Dedicated SSID with self registration page for all users (only for internet access and with limited profile lifetime).

nspasov Tue, 07/01/2014 - 15:17

Yes, I am! Sorry for the delayed response, but I have been busy with work and some personal projects. My comments below:

All corporate devices will use EAP-TLS with machine certificate authentication. (Cisco NAM module vs. built-in Windows supplicant for EAP-TLS? What would your choice be?)

Response: I personally prefer the local supplicant vs. any third-party supplicants. It is not that they don't work, but it is just another piece of software that you have to distribute, patch, upgrade and configure.

 

Everything else that doesn't have a corporate certificate should automatically try PEAP (AD username & password) with MSCHAPv2 and go through the self-provisioning page that provides a BYOD certificate (via SCEP) to the endpoints, and that should give internet access by BYOD_acl on the controller.

The problem is now that there are Windows Phone OS endpoints (no supplicant for Windows Phone OS, as you told me). So I am trying to figure out how I can make a solution for that. How can I use PEAP authentication without linking it to the self-provisioning page like the other devices, and how can I differentiate Windows Phone from other devices to match a specific policy for Windows phones only in Cisco ISE?

Response: Let me ask you this: if you are going to give BYOD devices only internet access, why bother putting them through the BYOD/on-boarding flow and getting them certificates via SCEP? All modern devices out there (including Windows Phone) will perform PEAP just fine without the need for ISE on-boarding and/or a certificate. So you can build your policy in a way where corporate devices with a certificate get full access while PEAP-authenticated users get internet access only.

 

Thank you for rating helpful posts!
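The policy nspasov sketches above (corporate EAP-TLS devices get full access, PEAP-authenticated users get internet only, Windows Phone locked to a dedicated AD group and its profiled type, no dACLs on the WLC) can be written down as an ordered first-match rule set. The block below is an added illustration, not configuration from the thread or from Cisco; ACL names, the corporate CA issuer string and the session fields are constructed, and the returned attributes are only loosely modelled on the RADIUS attributes a WLC would receive.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder for the issuer of corporate machine certificates.
CORP_CA_ISSUER = "CN=Corp-Issuing-CA"

@dataclass
class AuthContext:
    """What ISE knows about one wireless session when it evaluates authorization."""
    ssid: str
    eap_method: str                     # "EAP-TLS", "PEAP-MSCHAPv2" or "MAB"
    cert_issuer: Optional[str] = None   # issuer of the client certificate, if one was presented
    ad_groups: frozenset = frozenset()  # AD groups of the authenticated user, if any
    profile: Optional[str] = None       # ISE endpoint profile, e.g. "Windows-Phone"

@dataclass
class AuthzResult:
    rule: str                           # name of the matching authorization rule
    attributes: dict = field(default_factory=dict)  # attributes returned to the WLC

def authorize(ctx: AuthContext) -> AuthzResult:
    """First-match evaluation of the rule set. Wireless NADs receive Airespace-ACL-Name
    (an ACL pre-defined on the WLC) because dACLs are not supported on WLCs."""
    employee_peap = ctx.ssid == "Employee" and ctx.eap_method == "PEAP-MSCHAPv2"
    # 1. Corporate devices: EAP-TLS *and* a certificate from the corporate CA.
    #    Checking the issuer stops any other certificate from gaining full access.
    if ctx.ssid == "Employee" and ctx.eap_method == "EAP-TLS" and ctx.cert_issuer == CORP_CA_ISSUER:
        return AuthzResult("Corp-Machine-Cert", {"Airespace-ACL-Name": "CORP_ACL"})
    # 2. Windows Phone cannot be on-boarded: PEAP user auth, limited to a dedicated AD group
    #    and to endpoints ISE has profiled as Windows Phone; anyone else is rejected here.
    if employee_peap and ctx.profile == "Windows-Phone":
        if "Windows Phone BYOD" in ctx.ad_groups:
            return AuthzResult("WinPhone-Internet-Only", {"Airespace-ACL-Name": "BYOD_ACL"})
        return AuthzResult("Default-Deny", {"Access": "Reject"})
    # 3. Any other domain user on PEAP: internet-only ACL, no on-boarding or SCEP certificate.
    if employee_peap and "Domain Users" in ctx.ad_groups:
        return AuthzResult("BYOD-Internet-Only", {"Airespace-ACL-Name": "BYOD_ACL"})
    # 4. Guest SSID: MAB hits the redirect ACL and is sent to the self-registration portal.
    if ctx.ssid == "Guest" and ctx.eap_method == "MAB":
        return AuthzResult("Guest-Redirect", {"Airespace-ACL-Name": "GUEST_REDIRECT_ACL",
                                              "url-redirect": "guest-portal"})
    # 5. Nothing matched: reject rather than fall into an implicit permit.
    return AuthzResult("Default-Deny", {"Access": "Reject"})
```

A certificate issued by the BYOD CA (or any other CA) therefore never matches rule 1, and a PEAP user on a Windows Phone who is not in the dedicated group is rejected instead of silently falling into the general internet-only rule.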

Roger Base Wed, 07/02/2014 - 06:49

Hi Neno.

Fair Enough. Busy days :-)

You are totally right. Why encrypt the connection from the BYOD endpoint to the Internet? I like your idea with PEAP authentication only for BYOD devices (AD username and password). I am going to try that out (I know that it is not as secure as EAP-TLS). Do you have an ISE configuration example with that (screenshot of authentication and authorization rules) in combination with EAP-TLS for corporate devices? That would help me a lot.

Have you ever tried to use an MPLS line for ISE internal communication between the nodes?

BTW, is it possible to send the password by email/SMS while creating a guest account by Self Service? I mean, I don't want to show the password to the user on the Self Service webpage; I want to send it by email or convert it to SMS by an Email-to-SMS gateway. (For extra security of the identity.)

nspasov Wed, 07/02/2014 - 12:59

1. PEAP is definitely a protocol that is protected and secure. The difference from EAP-TLS is that it only requires a server-side certificate, which is used to create the secure (TLS) tunnel. After the tunnel is built, the credentials are passed via the inner method, which is usually MS-CHAPv2:

http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

2. Once authentication happens, wireless traffic encryption is handled by the encryption method chosen on the WLC, which is usually AES:

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

3. I don't have a configuration example that I can share, since there are many different variables that can alter the configuration. For instance, certificate templates being used, AD structure, certificates used for PEAP, etc. Below are some sample documents that I found on Cisco's site. They reference ACS, but they should still give you a good idea of what is needed:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113670-eap-authentication-00.html

https://supportforums.cisco.com/discussion/11567346/ise-and-eap-tls

I have also heard good things about the Lab Minutes videos, even though I have not watched them myself:

http://www.labminutes.com/video/sec/ISE

4. Yes, you can have ISE nodes communicate and sync over MPLS. You just need to make sure that you have enough bandwidth and that your round trip delay is less than 150ms.

5. I am not sure if it is possible NOT to show the guest credentials when registering for a guest account. I know they can be sent via e-mail or SMS, but I am not aware of a way to prevent them from showing up on the screen.

Thank you for rating helpful posts!

Roger Base Thu, 07/03/2014 - 02:25

Thank you for the information Neno!

Wait a second. If I use PEAP MSCHAPv2 for my BYOD devices, do they really need to configure their clients to authenticate with PEAP, or can the operating system do this automatically when trying to connect to the SSID?

I mean, I have lots of different kinds of users, also some without technical knowledge. They don't know how to configure the client to do PEAP. That's the challenge. I hope the OS can do this automatically when trying to connect to the SSID.

nspasov Thu, 07/10/2014 - 22:33

Sorry for the delay, but I was out of town for some training. The behavior would depend on the supplicant. However, usually, for user authentication you should not have a problem. When a user tries to join, he/she should simply be prompted for his/her username/password.

 

Thank you for rating helpful posts!
