You are here
SEC0053 - ISE 1.1 BYOD (Part 4) - Wireless Onboarding Dual SSID
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
This Cisco ISE BYOD mini video series demonstrates device onboarding process for users to connect their personal devices to a corporate network as part of Bring Your Own Device (BYOD) concept. We will be covering both wired and wireless access using Windows 7, iPhone, and Android as client devices. Relevant authentication, authorization, and client provisioning policies will be presented. We will also looks at how users can manage their own devices through the My Devices Portal.
In part 4, we focus on device onboarding on wireless network with dual SSID
Topic:
- SCEP CA Profile
- Device Registration
-
Policy Element Condition
- Authorization (Compound Condition)
-
Policy Element Result
-
Authorization (Authorization Profile)
- Web Authentication (Supplicant Provisioning)
- Airspace ACL
- Client Provisioning (Native Supplicant Profile)
-
Authorization (Authorization Profile)
- Authentication Policy
- Authorization Policy
- Client Provisioning Policy
- My Devices Portal
- Device Blacklist
Notes:
- SSID 1: Onboarding SSID with Open authentication (MAC Filtering)
- SSID 2: Internal SSID with WPA Enterprise (potentially hidden)
- Users authenticate through wireless MAB to register device and download profile
- Users authenticate through EAP-TLS to gain network access
-
ISE acts as SCEP proxy and request certificate on user behalf with the following attributes
- CN = Username used in authentication
- Subject Alternative Name = Client MAC address
About Author
Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.