hkumarsh
Level 1

In this video you will see:

1. Integration of ISE and WLC.

2. Basic configuration of WLC and ISE.

 

Cisco Identity Services Engine (ISE) is a next-generation product that provides several types of solutions/services in a single box, for example ACS, NAC, NAC Profiler and NAC Guest Portfolios.

 

PART 2: https://supportforums.cisco.com/videos/2480

 

Cisco Identity Services Engine

Wireless LAN Controller

48 Comments
patrick.kofler
Level 1

Hi Hemant,

thanks for this guide. I currently evaluate the ISE for our Wireless deployment and have a few questions.

I configured the following scenario.

On the WLC 7.0.116.0

- ACLs

- Radius NAC in the SSID

On the ISE

- Enabled HTTP, DHCP, Netflow and RADIUS probes

- An authorization result for the Quarantine VLAN with a limited-access ACL and a redirect to the client pre-posturing (does the CPP acronym actually stand for this?) webpage.

  Name is Unknown_Client and attributes are:

  Access Type = ACCESS_ACCEPT

  Tunnel-Private-Group-ID = 1:111

  Tunnel-Type=1:13

  Tunnel-Medium-Type=1:6

  cisco-av-pair = url-redirect-acl=Limited_Access

  cisco-av-pair = url-redirect= https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

- Profiling Policy

  Changed "Windows7-Workstation" Endpoint policy from Hierarchy to Create Matching Endpoint Policy

- Authentication policy

  1) If Wireless 802.1x allow protocols PEAP&EAP-TLS

  2) If WLC_WebAuth allow protocols PAP/ASCII

- Authorization policy with the rules in the following order (Currently Testing Only)

  1) If "Windows7-Workstation" then PermitAccess

  2) If Any and "Session:Posturestatus EQUALS Unknown" then Unknown_Client

This scenario now looks as follows. The user connects to the SSID "Test". As his posture status is unknown, he will be put into the quarantine VLAN with the Limited_Access ACL applied on the WLC. As soon as he opens up a browser and tries to open a webpage, he gets redirected to the Temporary Notification webpage stating "the ISE is not able to apply an access policy to the log-in session at this time". After some seconds the client disconnects and regains connectivity to the WLAN immediately again. This time he is put into the user VLAN. I suspect it has something to do with the HTTP probe when accessing the ISE webpage, so that he gets reprofiled.

He is now recognized as a Win7 workstation and thus has the PermitAccess permission.

What I now wanted to test is to test the NAC agent on the Win7 workstation.

The authorization policy looks as following

  1) If "Windows7-Workstation" and "Session:Posturestatus EQUALS Compliant" then PermitAccess

  2) If Any and "Session:Posturestatus EQUALS Unknown" then Unknown_Client

I deleted the endpoint as well as the WLAN session of my user to have clean starting conditions.

I started up the NAC agent and connected to the "Test" SSID. During the connection the posturing was taking place and turned out to be successful. However, afterwards I lost connection to the WLAN and had to manually reconnect. I was again put into the quarantine VLAN. Checking the endpoint in the ISE revealed that it was not accurately profiled (recognized as a Microsoft-Workstation).

Is there a possibility for the NAC agent to communicate the OS to the ISE?

The only workaround I have found so far is to loosen up the authorization policy to allow any identity group and require a company-specific attribute for posturing.

I also tried to make an SSID-limited approach by trying to set the attribute "Radius:Called-Station-ID", as this contains the SSID name. However, as this is only part of the whole string (AP MAC+SSID), I only have the choice of 3 operands: EQUALS, NOT EQUALS, MATCHES.

Is there a possibility to somehow filter for only a part of the whole string?

Next step was the client provisioning feature. I configured it to provide the NAC WebAgent. This also means that connecting to the WLAN will forward you to the provisioning web page instead of the temporaryNotification.html web page.

I shut down the NAC agent on the test machine. I assumed that since I am going to use the WebAgent, the client will be profiled correctly, as I have to access the webpage on the ISE.

An HTTP probe should be taken. However, it turned out to be the same issue. The client only got profiled as a Microsoft-Workstation, same as with the regular NAC agent.

Is the profiling via HTTP probe exclusive to the temporaryNotification.html?

Is there a way to access the temporaryNotification.html for HTTP profiling in parallel to the client provisioning webpage when client provisioning is enabled?

Also, is it possible to customize the Client Pre-Posturing webpages (temporaryNotification.html, errorPage.html, evaluation during Posture)?

Is it possible to do HTTP profiling for guest access in order to determine the correct device type?

Thanks in advance!

Regards,

Patrick
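To reason about the rule orderings in the post above (PermitAccess only for "Windows7-Workstation" plus Compliant posture, and the SSID-scoped workaround using MATCHES on Called-Station-ID), here is a small first-match policy model. It is an added example written for this page, not ISE code; the attribute names mirror the post, and the "<AP-MAC>:<SSID>" layout of the Called-Station-ID value is an assumption taken from the post's description (AP MAC + SSID).

```python
"""
Simplified model of an ordered, first-match authorization policy like the one
in Patrick's post. Added example for this page, not ISE code. Assumptions:
attribute names mirror the post; the Called-Station-ID value is laid out as
"<AP-MAC>:<SSID>" (the post only says "AP MAC+SSID").
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]          # the attributes the policy engine evaluates
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # all must hold (AND), as within one ISE rule
    result: str                   # authorization profile name

    def hits(self, session: Session) -> bool:
        return all(cond(session) for cond in self.conditions)


def equals(attr: str, value: str) -> Condition:
    return lambda s: s.get(attr) == value


def matches(attr: str, pattern: str) -> Condition:
    # "MATCHES" is a regular-expression operator; fullmatch keeps the pattern
    # anchored, so a rule can key on just the SSID suffix of Called-Station-ID.
    return lambda s: re.fullmatch(pattern, s.get(attr, "")) is not None


def evaluate(rules: List[Rule], session: Session,
             default: str = "DenyAccess") -> Tuple[str, str]:
    """Return (rule name, profile) of the first matching rule, else the default."""
    for rule in rules:
        if rule.hits(session):
            return rule.name, rule.result
    return "Default", default


def ssid_from_called_station_id(called_station_id: str) -> str:
    """Split the assumed '<AP-MAC>:<SSID>' value and return only the SSID part."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


# The second policy in the post: PermitAccess only if the endpoint is profiled
# as Windows7-Workstation AND posture is Compliant; Unknown posture -> quarantine.
POLICY_STRICT = [
    Rule("Win7-Compliant",
         [equals("EndPointPolicy", "Windows7-Workstation"),
          equals("Session:PostureStatus", "Compliant")], "PermitAccess"),
    Rule("Unknown-Posture",
         [equals("Session:PostureStatus", "Unknown")], "Unknown_Client"),
]

# The described workaround, scoped to the "Test" SSID with a regex on
# Called-Station-ID instead of relying on the profiled OS.
POLICY_SSID_SCOPED = [
    Rule("Test-SSID-Compliant",
         [matches("Radius:Called-Station-ID", r".*:Test"),
          equals("Session:PostureStatus", "Compliant")], "PermitAccess"),
    Rule("Unknown-Posture",
         [equals("Session:PostureStatus", "Unknown")], "Unknown_Client"),
]

# Constructed sessions: the laptop after posture passed but profiled only as
# Microsoft-Workstation (as reported), and the same laptop on another SSID.
COMPLIANT_ON_TEST = {
    "EndPointPolicy": "Microsoft-Workstation",
    "Session:PostureStatus": "Compliant",
    "Radius:Called-Station-ID": "00-11-22-33-44-55:Test",
}
COMPLIANT_ON_OTHER = dict(COMPLIANT_ON_TEST,
                          **{"Radius:Called-Station-ID": "00-11-22-33-44-55:Corp"})

if __name__ == "__main__":
    # Strict policy: neither rule matches a Compliant-but-misprofiled client,
    # so the default applies and the session is denied.
    print(evaluate(POLICY_STRICT, COMPLIANT_ON_TEST))
    print(evaluate(POLICY_SSID_SCOPED, COMPLIANT_ON_TEST))
    print(evaluate(POLICY_SSID_SCOPED, COMPLIANT_ON_OTHER))
```

The model makes the failure mode visible: a client that passed posture but is profiled as "Microsoft-Workstation" matches neither rule of the strict policy, so it falls to the default and loses access, which is consistent with the disconnect described above. The SSID-scoped variant shows how a regex under MATCHES can select the SSID suffix without needing a substring operator.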

Bijo Abraham
Level 1

Hi Hemant, thanks a lot. I got the WLAN Controller upgraded to 7.0.220.0 and all is working fine. I am able to connect to the network with ISE.

Another one for the ISE, as it started working: can we have this configured without posture? Just to keep in mind, the deployment will be with AD users with company laptops and AD users with BYOD. What will be the best method to start with? Do you have a full configuration guide for this?

Thanks

hkumarsh
Level 1

Hi Bijo,

You can use ISE without posturing as well. Sorry, I do not know if there is any specific guide available; you will have to use the ISE config guide.

Thanks

Hemant

yhamoudah
Level 1

great videos

I could get authenticated; however, I couldn't get the popup agent or even the posture through the web. Why?

vishalwaghmare
Level 1

I am facing the same issue. I can authenticate fine, but nothing for posture validation. I can see the request going to ISE, as I got the cert warning message, but I don't get the web agent after that.

hkumarsh
Level 1

Hi Yhamoudah/Vishal,

So the client is in the "posture_req" state and not passing traffic, right?

If yes, please check the following things:

1. Has the NAC agent been uploaded and mapped to the Identity Group?

2. DNS configuration for ISE.

3. If DNS is not possible, then add the ISE IP and name to the hosts file of Windows.

Thanks

vishalwaghmare
Level 1

Hi Harsh,

1. Yes I have loaded the agent. In fact I have tried with both web agent and NAC agent as a test.

2. Where is the DNS server setting on ISE?

3. I do not think there is any problem in terms of DNS, as on the client I could get the (self-signed) certificate from ISE. The URL is ISEIP:port/uri and it then changes to 1.1.1.1:port/uri. Is this OK? I checked your second video and it shows 1.1.1.1 too.

hkumarsh
Level 1

Hi Vishal,

You need DNS to resolve the URL that ISE returns when the client associates for the first time.

Configuration of DNS:

1. When you install ISE for the first time (wizard configuration).

2. There is a CLI command on ISE: ip name-server (like on a router/switch).

Please add the ISE IP and name to the hosts file; then the client will get the redirected page.

Thanks
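The DNS point in the replies above is easy to check against the authorization profile itself: the client can only follow the url-redirect returned in the Access-Accept if it can resolve the hostname in that URL (or if the URL carries an IP literal). The script below is an added example written for this page, not ISE or WLC code; the attribute list and the resolver table are constructed sample data, and the av-pair names (url-redirect, url-redirect-acl) are the ones used earlier in this thread.

```python
"""
Check of the redirect ISE returns in Access-Accept, for the DNS problem in this
thread. Added example for this page, not ISE or WLC code. SAMPLE_ATTRS and
SAMPLE_RESOLVER are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed: attribute/value pairs of a quarantine-style authorization profile.
SAMPLE_ATTRS: List[Tuple[str, str]] = [
    ("Tunnel-Private-Group-ID", "1:111"),
    ("cisco-av-pair", "url-redirect-acl=Limited_Access"),
    ("cisco-av-pair",
     "url-redirect=https://ise.example.test:8443/guestportal/gateway"
     "?sessionId=SessionIdValue&action=cpp"),
]

# Constructed: names the client can resolve (DNS records or hosts-file entries).
SAMPLE_RESOLVER: Dict[str, str] = {"ise.example.test": "192.0.2.10"}


def av_pairs(attrs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Collect cisco-av-pair values as {key: value}. Split on the first '=' only,
    because the url-redirect value itself contains '=' in its query string."""
    pairs: Dict[str, str] = {}
    for name, value in attrs:
        if name == "cisco-av-pair" and "=" in value:
            key, val = value.split("=", 1)
            pairs[key.strip()] = val.strip()
    return pairs


def check_redirect(attrs: List[Tuple[str, str]], resolver: Dict[str, str]) -> dict:
    """Return a report describing whether a client could follow the redirect."""
    pairs = av_pairs(attrs)
    report = {
        "acl": pairs.get("url-redirect-acl"),
        "url": pairs.get("url-redirect"),
        "host": None,
        "resolves": False,
        "problems": [],
    }
    if report["url"] is None:
        report["problems"].append("no url-redirect av-pair in the profile")
        return report
    if report["acl"] is None:
        report["problems"].append(
            "url-redirect without url-redirect-acl: the WLC has no ACL to redirect on")
    host = urlsplit(report["url"]).hostname or ""
    report["host"] = host
    try:
        ipaddress.ip_address(host)        # IP literal: no name resolution needed
        report["resolves"] = True
    except ValueError:
        if host in resolver:
            report["resolves"] = True
        else:
            report["problems"].append(
                f"client cannot resolve {host}: add a DNS record or a hosts-file entry")
    return report


if __name__ == "__main__":
    print(check_redirect(SAMPLE_ATTRS, SAMPLE_RESOLVER))   # resolves, no problems
    print(check_redirect(SAMPLE_ATTRS, {}))                # flags the missing name
```

Running it with an empty resolver reproduces the symptom in the thread (redirect URL present, but the client has nowhere to go), which is the case the hosts-file workaround addresses.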

yhamoudah
Level 1

Hi Harsh,

That is really good, and thanks for the videos; it worked for me perfectly. I am trying something else here: I am trying to do a guest access configuration between WLC and ISE. Everything seems to be fine and I could get the guest portal, entering the username and password, but after I log in it again redirects me to the same guest login page!

It seems that every time it goes to the WLC and does the redirection to the main login page for the guest. How can I solve the issue?

Regards,

hkumarsh
Level 1

Hi,

Sorry for the delayed response.

1. Were you able to solve the problem?

2. Are you using the local database of ISE or AD?

3. Any error on the web page?

4. Please share the ISE logs (Monitor ---> Authentication).

Thanks

Eric Lindsey
Level 1

I have the evaluation version of the ISE running, but under Authorization Profiles > Common Tasks I do not have an option for posture discovery or WLC. Am I missing something?

hkumarsh
Level 1

Hi Eric,

The option has been renamed; I hope you are using ISE 1.1.

1. The option is now called "Web Authentication" ----> select Posture Discovery.

2. WLC (ACL) is renamed to "Airespace ACL Name".

Thanks

Eric Lindsey
Level 1

Wow.  That worked perfectly.  Thank you for the quick response.  This video was great and very helpful.

Eric Lindsey
Level 1

Is there a quick and easy way to make a rule stating that all iPhones are allowed or denied access?

hkumarsh
Level 1

Hey, sorry for the delayed response. I hope you have done it by now; if not, then you can try this:

1. Policy -- > Profiling --> Apple-Devices --> iPhone --> enable "Create Matching Identity Group".

2. Policy -- > Authorization --> make a rule on top of all rules for iPhone:

Name - iPhone

Group - Apple-iPhone (it will be under Endpoint Identity Groups --> Profiled)

Condition - leave it default

Permission - use "Deny profile"

Let me know if it's not working.
