View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0188 - ISE 1.3 BYOD Wired 802.1X Onboarding (Internal CA) (Part 1)

Rating: 
5
Average: 5 (2 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video demonstrates wired device onboarding with Cisco ISE 1.3 Internal CA. With the internal CA configured in the previous video, we continues to complete the remaining configuration to provide wired BYOD solution including; login web portal, required authentication, authorization, and client provisioning policies, blacklist and MyDevices portals. We will step through the entire onboarding process and test device management via MyDevices portal on a non-domain Windows computer. We will also touch on the concept of device purging towards the end of the video.
 
Part 1 of this video focuses on the configuration on ISE
 
Topic:
  • Active Directory User Group Selection
  • ISE Internal CA
  • Guest Web Portal with BYOD Settings
  • MAC Authentication Bypass (MAB)
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
      • Central Web Authentication (CWA)
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal (Lost and Stolen Device)
  • Blacklist Portal
  • Device Purging

 

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

21 comments

Hi Metha,
My Network setup assistant gives me the error.
"Failed to discover ISE. Reconnect to the network and try again"

my redirect acl is:
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any host 10.1.11.76
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any

and my interface ACL pushed by ISE is:

permit udp host 10.6.26.142 eq bootpc any eq bootps
permit udp host 10.6.26.142 any eq domain
permit ip host 10.6.26.142 host 10.1.11.76
deny ip host 10.6.26.142 any

can you please help :(

So you first got redirected on the browser to run Network Setup Assistant, correct? Does it fail as soon as you click start? If not, how far were you able to get to before it fails.

Must be something wrong with the switch IOS or something. I changed the switch, applied the same configuration and it worked this time :)

Many thanks

Well... It happens often than you think :-)  Would you mind sharing the switch model and IOS version for one that work and one that did not? Glad it worked out for you.

Not working on:
WS-C3560X-24P 12.2(53)SE2 C3560E-UNIVERSALK9-M

Working on:
WS-C3560X-48P 12.2(53)SE2 C3560E-UNIVERSALK9-M

thanks for your help :)

Hello,

I have followed the step by step video of this process and i am unable to get the web redirect to register my device.

What could be the cause of this? i can access the portal i created to manage the employee devices when they re either stolen or lost.

Thank you.

Hello,

Could it be my switch is not capable of performing the web redirection.

because when i use the command
show authentication session g1/0/23, the output is different from the output you get here and i am left with only few resources to analyze.

Kind help me, i am using a catalyst 3659 switch

Thank you

This is what i get in return from this command

O#show authentication session int g1/0/23

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/23 b3.cc6b.48ff mab DATA Auth C0A833FE00000FBB01ADE570

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
16 5 dot1x
18 10 mab
21 15 webauth

When you plug the device in, do you get redirect URL from ISE and applied to the session? Do you see that under 'sh auth session int detail'?

Hello,

From the Cisco ISE details page, I was able to find the redirect Cisco -Av.pair for the redirection.

But which the command show authentication sessions int g1/0/23
i cant find the redirect URL applied on the switch port.

I still get the same command as sent to you previously as the result of the command.

Could it be i have no internet connection, that is why i am unable to get the URL redirect.

Note:_ The device portal i created i can access it.
Many Thanks

If you can see Redirect URL being sent on ISE auth detail page but not on switch show command, enable RADIUS debug on switch and make sure you can see it on RADIUS accept message. If you you do, check you aaa authorization command and make sure it is there.

 

Hi
I have all the steps on this video but when I connect a person device, I can't get redirected to my devices page...
The sh authentication sessions in gi1/0/26 shows authorization success . I can also get the redirect url

The sh ip access-lists int g1/0/26 shows the ISE-ONLY DACL applied
On the ISE operation page , I can see authentication and authorization success .
Kindly assist

Simply copy and paste the redirect URL you see on the switch to the client browser. If you can get to the page, double check the redirect ACL and make sure http/https are denied. If not, try to DNS lookup the hostname in the URL and make sure it is allowed by the dACL.

Hi Admin,
i managed to get this working. i was missing the default-gateway on my test switch.
For the management network say vlan100
int vlan 100
ip address 10.10.10.20 255.255.255.0
!
exit interface config mode
!
ip default-gateway 10.10.10.1
!
thanks

That would do it too :-)   Thanks for sharing solution.

why the use of two different portals for WIRED and WLAN BYOD? i've tried running the guest portal configured for BYOD for both wired (original intent) and WLAN and it won't work for WLAN. i've also tried running the BYOD specific portal for WLAN (original intent) and WIRED and it won't work for the WIRED. so i guess that might be why you've used the two separate portals but i don't understand why neither will work for the other use case...

There should be no reason why you can't use the same guest portal for both wired and wireless but they should have separate auth profile due to the differences in dACL and named ACL. This is assuming that you do dual-SSID on WLAN.

i am using two separate auth profiles. i wanted to use just the BYOD specific portal but when i try to use it for WIRED, ISE is sending a session ID in the redirect URL and that seems to be making problems on the client side. an error appears on the portal page that says "Unable to obtain the user information needed for network access. Try again."

something similar happens if i try the reverse and use the portal built for the WIRED byod and use it for the WLAN but it's a different error. i have no idea why one portal will work but the other won't and vice versa.

i've posted the same question to the cisco support forums as well, you can view the post here: https://supportforums.cisco.com/discussion/12677131/ise-13-byod-portal-w...

You cannot just use BYOD portal for wired MAB since there is no user information for the system to use to register the device. So your options are

For Wireless,
   1. Single SSID - 802.1X with BYOD Portal
   2. Dual SSID - Open SSID with MAB and Guest Portal on first SSID and 802.1x on the second

For Wired,
  1. 802.1x with BYOD Portal (Doesn't make sense as require user to config wired .1x profile
  2. MAB with Guest portal so user can login using AD account and proceed with BYOD onboarding.

If you want to use single Guest portal for both wireless and wired, you would go with option 2 for both having user logging into to guest portal then onboard.

so the BYOD portal ONLY works with some auth method behind it that has some user information to be passed to the portal. okay, i guess that makes sense. and we have that in the single SSID wireless scenario but will never have it in a wired MAB scenario since the NIC hasn't been configured yet. okay. i can buy that. thanks very much for the explanation.