SEC0050 - ISE 1.1 BYOD (Part 1) - Wired 802.1X Onboarding


This Cisco ISE BYOD mini video series demonstrates the device onboarding process that lets users connect their personal devices to a corporate network as part of the Bring Your Own Device (BYOD) concept. We will be covering both wired and wireless access using Windows 7, iPhone, and Android as client devices. Relevant authentication, authorization, and client provisioning policies will be presented. We will also look at how users can manage their own devices through the My Devices Portal.

In part 1, we focus on device onboarding on a wired network using a non-domain Windows 7 computer.
Topic:
  • SCEP CA Profile
  • Guest Portal with Self-Provisioning
  • Device Registration
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
      • Web Authentication (CWA)
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal
  • Device Blacklist
Notes:
  • Users authenticate through wired MAB and are presented with the Guest Portal
  • ISE acts as a SCEP proxy and requests a certificate on the user's behalf with the following attributes:
    CN = Username used in authentication
    Subject Alternative Name = Client MAC address
Tips:
  • To tighten authentication, compare the MAC address in the client certificate with the MAC address in the RADIUS authentication attribute in the authorization rule:
    Calling-Station-ID = Subject Alternative Name
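The following Python snippet is an added illustration of the authorization check described in the Tips section; it is not code from the lab or from ISE. It assumes the certificate's CN and Subject Alternative Name entries have already been extracted as strings (the RADIUS attributes and certificate fields below are constructed sample values) and shows why the two MAC addresses must be compared in a common notation: a NAS usually sends Calling-Station-ID with dashes, while a CA may write the MAC into the SAN with colons or in Cisco dotted form. It also shows the failure cases the rule is meant to catch, such as a user certificate presented from a device whose MAC does not match.

```python
import re

# Constructed sample data (not from the lab): one RADIUS access request and the
# identity fields taken from the client certificate ISE obtained via SCEP.
SAMPLE_RADIUS_ATTRS = {
    "User-Name": "jsmith",
    "Calling-Station-ID": "00-11-22-AA-BB-CC",  # dashed form typical for a NAS
}
SAMPLE_CERT = {
    "CN": "jsmith",                              # username used in authentication
    "SAN": ["00:11:22:aa:bb:cc"],                # client MAC, written by the CA with colons
}

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if the value is not a MAC.

    Accepts the common separators (-, :, .) so that 00-11-22-AA-BB-CC,
    00:11:22:aa:bb:cc, 0011.22aa.bbcc and 001122aabbcc all compare equal.
    """
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if _MAC_HEX.match(digits) else None


def authorize(radius_attrs, cert):
    """Evaluate the tightened authorization rule: user identity AND device identity.

    1. the certificate CN must equal the RADIUS User-Name
    2. a SAN entry must be a MAC equal to the RADIUS Calling-Station-ID
    Returns (permitted, reason) so the reason can be logged for troubleshooting.
    """
    if cert.get("CN") != radius_attrs.get("User-Name"):
        return False, "CN does not match User-Name"

    station = normalize_mac(radius_attrs.get("Calling-Station-ID", ""))
    if station is None:
        return False, "Calling-Station-ID is not a MAC address"

    # Collect every SAN entry that parses as a MAC; other SAN types are ignored.
    san_macs = {m for m in (normalize_mac(s) for s in cert.get("SAN", [])) if m}
    if not san_macs:
        return False, "certificate carries no MAC in Subject Alternative Name"

    if station not in san_macs:
        return False, "certificate MAC %s does not match Calling-Station-ID %s" % (
            sorted(san_macs)[0], station)
    return True, "user and device identity match"


if __name__ == "__main__":
    # Expected: the matching device is permitted, a different MAC is rejected.
    print(authorize(SAMPLE_RADIUS_ATTRS, SAMPLE_CERT))
    other_device = dict(SAMPLE_RADIUS_ATTRS, **{"Calling-Station-ID": "00-11-22-AA-BB-CD"})
    print(authorize(other_device, SAMPLE_CERT))
```

Because the check compares a value the user can present (the certificate) against one the switch reports (Calling-Station-ID), a certificate exported to a second machine no longer authorizes that machine by itself, which is the point of the tip.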

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

30 comments

I followed the steps; at the install, the Network Setup Assistant fails and
shows the error message:
Secure access configuration for the "Local Area Connection" network failed
May I know if it is a CA error?
And does the switch need to be installed with SCEP?
Thank!~

Make sure your SCEP server is functioning; you can test this using a router or switch to pull a certificate. The switch itself does not need to talk to the SCEP server during the onboarding process.

Secure access configuration for the "Local Area Connection" network failed.
However, it prompts for the CA certificate and I accept it and install it, but the setup generates the error mentioned above.
I have checked the SCEP settings on ISE and can see test-ra in the certificate store. Secondly, I have a switch enrolled with the same SCEP URL, but it needs the password to be put in on the switch to get it enrolled while enrolling.
I have tried different machines but still get the same result. Let me know what can be done.

Hi, I have ISE 1.2, config wizard WinSPWizard 1.0.0.43.

thanks.

If you need to enter a challenge password on the switch, that means you still have challenge password enabled on your SCEP server. You will need to disable this. Please refer to the videos below to see how the SCEP server should be set up.

http://www.labminutes.com/sec0009_windows_2008_ca_scep_install

http://www.labminutes.com/sec0011_windows_2008_ca_auto_enrollment

Facing the same issue as above. Wireless onboarding is working fine, with no issues with the Network Setup Assistant installation while doing wireless onboarding.

On wired I get the error "Secure access configuration for the "Local Area Connection" network failed."

Thanks for the feedback. What version are you running? 

Running ISE version 1.2.1 patch 2, and Network Setup Assistant version is WinSPWizard 1.0.0.43

You might want to give ISE 1.3 a try since it doesn't use Java anymore. Also leverage the ISE internal CA to eliminate any potential integration problem with external CA.

If the ISE version is 1.1.1, I go to the Cisco website to download
Off-Line Windows SPW Installation Package
win_spw-1.0.0.28-isebundle.zip ---- version 1.1.3
OR
Off-Line Windows SPW Installation Package (includes Support for Windows 8 OS - RTM )
win_spw-1.0.0.23-isebundle.zip---version 1.1.1

There should be no need for you to manually download the supplicant from the Cisco website if you turn on Auto-Supplicant download on ISE, but you need to make sure ISE has access to the Internet.

In ISE, to add the SCEP certificate, I click Test Connectivity.
The CA server log messages show:
"The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag."
I followed your videos for the CA server (SCEP) installation:
SEC0009 - Windows 2008 Enterprise CA SCEP Installation
SEC0011 - Windows 2008 CA SCEP Auto-Enrollment Options
Could you tell me how to troubleshoot this?
Thanks~

I recall seeing that message on the CA all the time but don't believe it interferes with the server operation. Before trying it on ISE, you might want to test it on a router or FW first and make sure they can pull a certificate via SCEP.

Thanks for your help :)
I passed the SEC0045 - ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS lab
(most of my NIC settings were wrong).
I don't know how to configure the NIC settings.
In the BYOD lab (wired), client NIC settings:
Authentication > Choose a network authentication method: Microsoft: Protected EAP (PEAP), and after clicking the Settings button, "Validate server certificate" is unchecked.
Select Authentication Method:
Use Secured password (EAP-MSCHAP v2) or Smart Card or other Certificate?
1.
If I select Secured password (EAP-MSCHAP v2) and click the Configure button, do I need to select "Automatically use my Windows logon name and password (and domain if any)"?
2.
If I select Smart Card or other Certificate and click Configure in Smart Card or other Certificate Properties,
do I need to select Validate server certificate? If I select the Validate server certificate box, do I need to select any box item?
3. Select Authentication Method has 4 checkbox items.
By default, Enable Fast Reconnect is checked.
Do the other 3 checkbox items, Enforce Network Access Protection, Disconnect if server does not present cryptobinding TLV, and Enable Identity Privacy, need to be checked?
3.
Return to the Authentication page and click the Advanced settings.
802.1X settings:
By default, Specify authentication mode is checked.
It has 4 items in the selection box: User or computer authentication, Computer authentication, User authentication, and Guest authentication.
The default selection is User or computer authentication. Do I need to select any item?
Do I need to enable single sign on for this network?
If I check the "Enable single sign on for this network" box, do I need to check any item?
I need your detailed NIC settings :)
Thanks~

For EAP-TLS (Win7),

Authentication Method = Smart Card or other Certificate

Settings -> Validate server certificate = Unchecked (unless the client has the Trusted Root cert installed, in which case you will also need to select the Root CA cert underneath)

Additional Settings -> Specify Authentication Mode = checked

Choose User or Computer Authentication if you are doing both machine/user auth, but you need to make sure the client has both types of certificates installed.

Choose User Authentication if you are doing only user auth, in which case you only need a user certificate on the client machine.

Hi
I was following the Cisco deployment guides for ISE certificate auto-enrollment via SCEP.
By using the "user" template in the Windows CA server we could auto-enroll certificates to the end devices like smartphones and PCs. What type of certificates do the end devices get? Device, user, or both device and user certificates?
Thanks in advance.
Ted

The onboarding device should only get a user certificate. Mobile devices do not really have the concept of a machine certificate.

Hi
Thanks for the feedback. Could you please elaborate further on why the onboarding device should get a user cert and not a device cert?
Tks
ted

When a device is onboarded, it is the user credential that is passed on to ISE during the authentication, so that is what ISE uses to generate the certificate via SCEP. You can verify this by looking at the cert; you will see the username shows up as the CN.

Thank you.

Assuming ISE authenticates the user via AD, is there any other possibility that we could pass device-specific info to ISE (such as a MAC) and ISE could generate a device-specific cert via SCEP?

Ted

The device MAC is automatically included in the cert under Subject Alternative Name, if I remember correctly, but the cert CN will always be the username. There isn't a way to insert a custom parameter since ISE is already preconfigured to request a cert using certain parameters.

I followed the video on the above topic SEC0031. We have the following scenario. The environment has an offline root CA and an enterprise domain CA (intermediate CA). This is also a SCEP server. The user certs are signed by the intermediate CA. Therefore I believe the ISE CSR has to be signed by the intermediate CA and we also have to import the intermediate CA and root CA certs into the ISE cert store?
Thanks
Ted

If the client cert is signed by the intermediate CA, both the intermediate CA cert and the Root CA cert need to be imported into ISE for it to fully trust the client cert.

I am following the steps; at the Client Provisioning Policy I am not seeing any WinSPwizard under Native supplicant configuration, even after patching ISE with ise-patchbundle-1.2.0.899-6-100229.x86_64.tar. I still get the same issue, any idea?
By the way, how do I install the Off-Line Windows SPW Installation Package on ISE?
thanks,

Do you have the auto-update from Cisco turned on? If not, you can download all the supplicants from Cisco.com and upload manually.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol....

Excellent article, but can you post the switch configuration for those of us who want to replicate the lab and understand the concept? Much appreciated.

Switch startup config is very basic with just a few VLANs and SVIs depicted in the lab diagram. For additional switch config, please refer to the lab videos below.

http://www.labminutes.com/sec0038_ise_1_1_switch_wlc_recommended_config_1

http://www.labminutes.com/sec0038_ise_1_1_switch_wlc_recommended_config_2

Hello,
I know that you are busy, but I would really appreciate some clarification please. Does the WinSPwizard that runs the Cisco Network Assistant go to the Internet to download the supplicant? The onboarding process for both Windows 7 and 8 starts, but I get a failure after the CNA starts downloading for about 10 secs. The message is "Failure to download profile configuration. Reconfirm network connection". Please, I want to know if this profile configuration is being downloaded from the Internet so that I can ask the Security team at my client's site to check the FW. If it's the FW, what FW rule should allow this download? Is it the PAN on port 8443 or the PSN on 8443? Thanks

No, the Network Setup Assistant does not go out to the Internet. What it does is request a device certificate through ISE and then download the wired/wireless network profile from ISE. You might want to verify that your SCEP is working correctly, as it is usually the culprit.

Hello,

Thanks for the clarification. I discovered that port 8909, which is for provisioning, was missing from the DACL, and that resolved the problem. The setup is ISE 1.3 with PEAP, hence no SCEP required.

That would do it too. We usually recommend allowing all traffic to ISE whenever there is interaction between the user and ISE, to avoid this type of issue. Glad your problem is fixed.