Cisco Support Community
New Member

SSID with preshared key + ISE

Hi,

We have recently implemented WiFi at our site. We have Cisco 3502 APs, a 2504 WLC and the latest Cisco ISE. I understand that in an ISE deployment we can't have a preshared key (password or key) for the SSID, as ISE will take over the authentication. Is that right?

Current scenario:

1. A laptop with WiFi enabled will select the SSID from the list. Since we have disabled the broadcast, it will be shown as "Other Network" in the list.

2. The user will select the other network and manually enter the SSID string.

3. Once the SSID matches the WLC, he/she will be redirected to the ISE URL, where he/she needs to enter the domain credentials.

4. After the credentials are validated, the ISE (NAC) agent will be downloaded to the laptop.

5. Posture will begin and check for compliance.

6. If the laptop is compliant, it will be allowed onto the network; otherwise it will be rejected.

Here, I would like to have preshared authentication for the SSID in the first phase, as my infosec team is very particular about that. How can I achieve that?

3 REPLIES
Cisco Employee

Re: SSID with preshared key + ISE

You can only have PSK or dot1x auth at Layer 2.

Sent from Cisco Technical Support iPhone App
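As an added illustration of the reply above (this is not part of the thread and not the poster's own configuration): the two Layer 2 choices, expressed as AireOS CLI on a 2504 WLC, one WLAN per mode. The WLAN IDs, SSID names, the PSK, the ISE address 10.0.0.10 and the RADIUS shared secret are all placeholders; the only real settings are the `config wlan security wpa akm` and `config wlan radius_server auth` lines that select PSK versus 802.1X and point the 802.1X WLAN at ISE.

```text
! Constructed example, not from the thread. AireOS CLI on a 2504 WLC.
! A WLAN must be disabled (a newly created one is) before its security
! settings can be changed; "config wlan enable" is the last step.

! WLAN 1: WPA2-PSK at Layer 2. ISE is not consulted for this WLAN.
config wlan create 1 CORP-PSK CORP-PSK
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x disable 1
config wlan security wpa akm psk enable 1
config wlan security wpa akm psk set-key ascii <psk-placeholder> 1
config wlan enable 1

! WLAN 2: WPA2-Enterprise (802.1X) at Layer 2, with ISE as the RADIUS server.
! 10.0.0.10 and the shared secret are placeholders.
config radius auth add 1 10.0.0.10 1812 ascii <radius-secret-placeholder>
config radius auth enable 1
config wlan create 2 CORP-DOT1X CORP-DOT1X
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm psk disable 2
config wlan security wpa akm 802.1x enable 2
config wlan radius_server auth add 2 1
! AAA override lets ISE return VLAN/ACL per session; RADIUS NAC enables
! the CoA needed for ISE posture to move the client from a quarantine state.
config wlan aaa-override enable 2
config wlan nac radius enable 2
config wlan enable 2

! Verify which AKM each WLAN ended up with.
show wlan 1
show wlan 2
```

In the `show wlan` output, check the "Authentication Key Management" section: WLAN 1 should list only PSK as enabled and WLAN 2 only 802.1X, and WLAN 2 should show RADIUS authentication server index 1 (the ISE node) under its AAA settings.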

Re: SSID with preshared key + ISE

I bet your users hate this. Disabling the SSID broadcast provides no security benefit, particularly given the other components you are putting in place. Why make your users go through all that? Plus, there are some devices that don't work particularly well with the broadcast turned off even if you input the SSID. Give people a break and let the systems do the work.

Sent from Cisco Technical Support iPad App

New Member

SSID with preshared key + ISE

Creating Native Supplicant Profiles

Before You Begin

• If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.

• Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the "Cisco ISE Appliance Ports Reference" appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.

Step 1: Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2: Choose Add > Native Supplicant Profile.

Step 3: Specify a Name for the agent profile.

Step 4: Enter an optional Description for the Native Supplicant Profile.

Step 5: Select an Operating System for this profile.

Step 6: Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).

Step 7: Choose the Allowed Protocol for the device profile.

Step 8: Enable or disable other Optional Settings as appropriate for this profile.

You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.
