Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

ciscomoderator
Community Manager

With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.

Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years' experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.

Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.

Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.

Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  

Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

31 Replies

Peter Nugent
Cisco Employee

I think the ISE is excellent, however I think there is a real need to get some documentation on Wireless scenarios.

Some of the documentation is written around ISE code 1.0 and WLC code 7.0; other documentation is written around ISE 1.1.1 and code 7.2. The ISE is really starting to come in now and we have two different configurations due to the CoA availability in code 7.2.

I intend to play with ISE this weekend and look at CWA, LWA and 802.1x. It looks like the MIDAS doc may be really good but not worked through it yet.

hobbe
Level 7

Some questions

1) Is there a good walkthrough explaining the different mechanisms working together in ISE and WLC?

Things like whitepapers and example configurations of setups?

2) Are there any plans on putting SMS 2-factor authentication support in the ISE?

(It's a problem and nuisance to have several different TACACS servers when it should suffice with one.)

3) Are there any good references covering BYOD and the different pitfalls such as legal requirements and responsibilities?

Regards

Hobbe

jideji
Cisco Employee

Hi Hobbe,

Yes, there are configuration documents with screenshots that show ISE and wireless integration. The link below is an example of such a document, in accordance with the Cisco Validated Design program. When you say SMS 2-factor authentication, are you looking for out-of-band SMS authentication for PhoneFactor SMS?

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

Hi

Sorry for the delay in my response.

Thank you for the Link, there are some nice things in there.

Regarding SMS

Yes out of band communication.

What I am looking for in the ISE is a solution where I can connect my own SMS modem or a link to a web-based SMS service provider and send out the SMS directly from the ISE server.

Today we have to use another AAA solution.

So we have a Windows domain, Cisco ISE and a third-party AAA RADIUS server that connects the two, sending out SMS and so on.

Not an optimal solution, and it sometimes has problems.

It would be a much nicer and more streamlined setup if we could have the SMS functionality in the ISE instead of another AAA appliance.

Thank you for your response

Regards

Hobbe

jideji
Cisco Employee

Hobbe,

This is not supported by ISE today, however if you send me your company name and business requirement I can reach out to my ISE business unit to follow up on this. Thanks

You can send the above info to my email address.

My email: jideji@cisco.com

Richard Hamby
Cisco Employee

A couple of other Wireless-specific resources for BYOD:

BYOD Deployment with WLC and ISE

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml

BYOD FlexConnect Deployment

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml

I agree, many of the more complete docs are v1.0 based, and the v1.1 and 1.1.1 updates are required to get the 'whole picture' at times. As you come across documents that have not been updated for the current versions or would be good candidates, be sure to fill out the Feedback section in the left margin - we read that information.

Thanks!

Hi Richard,

Could you please provide the links where we can deploy and configure ISE, TrustSec and SGT simultaneously?

Thanks,

Parvez

Hi Parvez,

In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.

TrustSec Home Page

http://www.cisco.com/en/US/partner/netsol/ns1051/index.html

http://www.cisco.com/en/US/partner/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf

I find this page very helpful as a top-level start to what features and capabilities exist per device:

http://www.cisco.com/en/US/partner/solutions/ns170/ns896/ns1051/trustsec_matrix.html

The TS 2.1 Design Guides

http://www.cisco.com/en/US/partner/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

DesignZone has some updated docs as well

http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng

As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:

http://www.cisco.com/en/US/partner/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

Forbidden File or Application

I find this page very helpful as a top-level start to what features and capabilities exist per device:

http://www.cisco.com/en/US/partner/solutions/ns170/ns896/ns1051/trustsec_matrix.html

OOPS !!

I will repost the whole message with the correct external URLs:

In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.

TrustSec Home Page

http://www.cisco.com/en/US/netsol/ns1051/index.html

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf

I find this page very helpful as a top-level start to what features and capabilities exist per device:

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

The TS 2.1 Design Guides

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

DesignZone has some updated docs as well

http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng

As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

M. Wisely
Level 4

We've got a variety of controller hardware, the majority of which is WiSM1s (10 WiSM1s, 2 WiSM2s and 2 5508s). Most of the information on BYOD that I've seen (including the two documents linked to in this discussion) is focused on the features of newer controllers.

What's the best way for us to do BYOD given that we've got to have a consistent approach across all controllers?

Thanks

Hi Martin,

There is an intersection of terms, features, and support at this point in time. Your question is a great one - and not one that can be answered definitively for all scenarios.

The BYOD industry buzzword has multiple meanings in the context it's used. The differentiators surround what features are possible in each scenario, and matching them to the requirements. As you see, Cisco has (in a way) drawn a line stating where our 'fullest-featured' BYOD wireless solution starts - WLC code 7.2.110.0 and ISE 1.1.1. Does this mean you can't do 'BYOD' unless you have these versions? Not at all - we've all been doing BYOD in some form since the first person dialed in to our networks. But the drivers now are the typical scenario where a user wants to bring their own mobile device, access our secure network(s) and/or Internet, and we must be able to enforce security - device posture and access policies that match our security policies. As you move down in code, certain features and capabilities become unavailable.

OK, so - to your question: the answer would be based on what features you require and topology. But in general, let's say you want it 'all' - self-service registration, client posture/remediation, profiling, etc. In that case, we want Central Webauth (CWA) on ISE 1.1.1, and the WLC needs to be running current code 7.2 or higher, supported on the 2504/5508/7500/8500/WiSM2. Not all of your controllers support this code, so if you need a ubiquitous WLAN that spans the whole enterprise that we can 'BYOD-ize', local-mode Auto-Anchoring may be the way to go. In that scenario, 7.2+ capable WLC(s) would be the anchor controller (2504s don't support auto-anchor). All BYOD functions on behalf of the client between ISE and the WLAN would occur on that controller. This is a nutshell answer - bandwidth and other considerations would need to be taken into account. But in general, that's the idea.

For other scenarios that don't require every BYOD option, Local Webauth (LWA) using older code may work. The design guides we list above have a number of these. For your specific deployment, contact your partner or Cisco account team for an assessment - there are numerous options.

Thanks,

Richard

edondurguti
Level 4

Hi guys,

Based on your experience what is the workaround for the following:

I have WLC 7.3 + ISE 1.1.1, no posture yet, just authentication and profiling - very simple.

I have two ISE appliances: ISE1.mycompany has PRIMARY admin/policy and ISE2.mycompany has PRIMARY monitoring; the rest is secondary, as I think this would take some load off the primary ISE.

Based on INTEL/DELL MAC address I allow access to the corporate network.

Based on APPLE-DEVICE I set clients on VLAN 2.

This makes the authz rules look like this:

1.)  IF INTEL/DELL and AD/users = Permit_Access

2.)  IF APPLE-DEVICE and AD/users/spec = vlan2

3.)  IF no match THEN = DenyAccess

And here we go: a first-time user connects to SSID = Corporate with their Dell/Intel laptop.

Enters password, username and so on - Access Denied

(On ISE I see the default deny at the end, RULE 3, being used.)

User tries again - Access Granted, RULE 1 being used

First-time Apple-device user tries to log in - Access Denied

On ISE I see the same thing.

User tries again, rule number 2 being used.

Any Suggestions?

This is a one-time thing for that device and there is no problem after that, once it's in the endpoint database, but with 10k users that's a problem for the help desk.
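As an added illustration (not code from the thread or from Cisco), the following Python model reproduces the first-match behaviour the post describes: the endpoint's profile is unknown until the profiler has seen it once, so the first login falls through to the default deny rule and only the retry hits rule 1 or 2. The MAC addresses, OUI-to-profile mapping and AD group names are constructed sample data.

```python
# Added example, not from the thread: a minimal model of ISE-style
# first-match authorization evaluation against an endpoint database that
# is only populated after an endpoint's first RADIUS session. It reproduces
# the "deny on first attempt, permit on retry" symptom described above.

# Constructed OUI -> profile mapping (hypothetical values).
OUI_PROFILES = {
    "00:1e:c9": "INTEL/DELL",
    "a4:83:e7": "APPLE-DEVICE",
}

# First-match rule list, in the order the post gives it:
# (rule name, matching profiles, matching AD groups, result)
AUTHZ_RULES = [
    ("Rule 1", {"INTEL/DELL"},   {"AD/users"},      "Permit_Access"),
    ("Rule 2", {"APPLE-DEVICE"}, {"AD/users/spec"}, "vlan2"),
]
DEFAULT_RESULT = ("Rule 3", "DenyAccess")   # implicit catch-all


def evaluate(endpoint_db, mac, ad_groups):
    """Return (rule_name, result) for one authentication attempt.
    The profile comes only from endpoint_db, which is why an endpoint
    that has never been seen falls through to the default rule."""
    profile = endpoint_db.get(mac, "Unknown")
    for name, profiles, groups, result in AUTHZ_RULES:
        if profile in profiles and groups & set(ad_groups):
            return name, result
    return DEFAULT_RESULT


def profile_endpoint(endpoint_db, mac):
    """Profiler learns the endpoint from its MAC OUI after the session,
    i.e. too late for the attempt that just finished."""
    endpoint_db[mac] = OUI_PROFILES.get(mac[:8].lower(), "Unknown")


def simulate_logins(mac, ad_groups, attempts=2):
    """Run successive logins for one device; return the (rule, result)
    hit for each attempt. Starts from an empty endpoint database."""
    endpoint_db = {}
    hits = []
    for _ in range(attempts):
        hits.append(evaluate(endpoint_db, mac, ad_groups))
        profile_endpoint(endpoint_db, mac)   # profiled only after the auth
    return hits


if __name__ == "__main__":
    print(simulate_logins("00:1e:c9:aa:bb:cc", ["AD/users"]))
    print(simulate_logins("a4:83:e7:11:22:33", ["AD/users", "AD/users/spec"]))
```

The model only shows why the first attempt is denied; it does not claim how ISE itself should be reconfigured to avoid it.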
