We have recently implemented WiFi at our site. We have Cisco 3502 APs, a 2504 WLC and the latest Cisco ISE. I understand that in an ISE deployment we can't have a pre-shared key (password or key) for the SSID, as ISE will take over the authentication. Is that right?
1. A laptop with WiFi enabled will select the SSID from the list. Since we have disabled the broadcast, it will be shown as "Other network" in the list.
2. The user will select the other network and manually enter the SSID string.
3. Once the SSID matches with the WLC, he/she will be redirected to the ISE URL, where he/she needs to enter the domain credentials.
4. After the credentials are validated, the ISE (NAC) agent will be downloaded onto the laptop.
5. Posture assessment will begin and check for compliance.
6. If the laptop is compliant, it will be allowed onto the network; otherwise it will be rejected.
Here, I would like to have pre-shared authentication for the SSID in the first phase, as my infosec team is very particular about that. How can I achieve that?
I bet your users hate this. Disabling the SSID broadcast provides no security benefit, particularly given the other components you are putting in place. Why make your users go through all that? Plus, there are some devices that don't work particularly well with the broadcast turned off, even if you input the SSID. Give people a break and let the systems do the work.
• If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.
• Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the "Cisco ISE Appliance Ports Reference" appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
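Before rolling the agent and supplicant wizard out, it is worth confirming from a client segment that the ports named above are actually reachable. The script below is an added example, not code from the Cisco guide or from the Community post; the host name ise.example.internal is a placeholder, and the local listener only stands in for an ISE node so the check can be run offline. A TCP connect proves a TCP port is open; UDP has no handshake, so the script reports it as unverified rather than pretending to know.

```python
"""Pre-flight reachability check for the ISE client-provisioning ports.

Added example (not from the Cisco documentation). The guide requires TCP 8909
and UDP 8909 to be open for NAC Agent, Web Agent and supplicant wizard
installation; this checks the TCP side and flags UDP as not verifiable here.
"""
import socket
from contextlib import contextmanager

# Hypothetical ISE node address; replace with your own policy service node.
ISE_NODE = "ise.example.internal"
# Ports named in the ISE guide for client provisioning.
REQUIRED_PORTS = [("tcp", 8909), ("udp", 8909)]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or unresolvable: not open.
        return False


def preflight(host: str, ports=REQUIRED_PORTS) -> dict:
    """Map 'proto/port' to 'open', 'closed' or 'unverified' (UDP)."""
    results = {}
    for proto, port in ports:
        key = f"{proto}/{port}"
        if proto == "tcp":
            results[key] = "open" if tcp_port_open(host, port) else "closed"
        else:
            # A UDP connect() never fails on its own; only the application
            # layer (the agent download) can confirm it end to end.
            results[key] = "unverified"
    return results


@contextmanager
def local_listener():
    """Stand-in for an ISE node: a TCP listener on 127.0.0.1, ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def demo() -> dict:
    """Run the check against the local stand-in so the example works offline."""
    with local_listener() as port:
        return preflight("127.0.0.1", [("tcp", port), ("udp", port)])


if __name__ == "__main__":
    print(demo())
    # Against a real deployment, from a client VLAN: print(preflight(ISE_NODE))
```

Run it from the user VLAN the laptops will sit in, not from the management network, because that is where a firewall or ACL between the WLC's client interface and ISE would block the download.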
Step 4 Enter an optional Description for the Native Supplicant Profile.
Step 5 Select an Operating System for this profile.
Step 6 Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
Step 7 Choose the Allowed Protocol for the device profile.
Step 8 Enable or disable other Optional Settings as appropriate for this profile.
You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.
Transferring the crash file from the standby: log in to the active WLC in the HA pair.
From the CLI:
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename
(Cisco Controller) >transfer upload mode tftp
(Cisco Controller) >transfer