You are here
SEC0113 - ISE 1.2 BYOD Wireless Onboarding Single SSID (Part 1)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video walks you through Cisco ISE 1.2 configuration and demonstrates device onboarding as part of Bring Your Own Device (BYOD) concept. We will be exclusively covering wireless access with single SSID using Windows 7, iPhone, and Android as client devices. We will also looks at how users can manage their own devices through the MyDevices portal. This lab partially repeats our ISE 1.1 BYOD mini-series with emphasis on ISE 1.2. We will begin our configuration from scratch so you can observe the entire configuration steps.
Part 1 of this video shows basic ISE basic configuration, SCEP, and client provisioning policies
Topic:
- Client Suppliant/Agent Download
- Windows 2008 Certificate Template and SCEP
- Network Device
- Network Device Group
- AD Integration
- Identity Store Sequence
- Client Provisioning Policy
-
Policy Element Result
- Authorization (Downloadable ACL)
- Authorization (Authorization Profile)
- Authentication Policy
- Authorization Policy
- Windows 7, iPhone, Android
- MyDevices Portal
Relevant Video:
About Author
Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
7 comments
ISE Redirect URL
Hi
I was able to get SCEP working and my android phone was able to get the redirect URL from ISE and the user certificate was downloaded through the Cisco Network Assistant. I later revoked the User certificate and removed the Certificate that was downloaded onto the USER trusted certificate on my phone. 2 days later I decided to test the SCEP enrollment again and after the AD authentication process, I opened the browser on my phone and expected to get the redirect URL to register my phone. I also expect to get the question to install the certificate from ISE, but not of that happened. I have a wireshark trace and could see the Radius Accept-Accept from the ISE with the redirect URL specified. I have also done a TCP dump from the ISE and see the result similar to Wireshark.
I have also done a debug client mac and the result was EAPOL success with Web-auth required. I also issued the command debug web-auth redirect enable and the results were:
*webauthRedirect: Nov 14 14:51:22.969: xx:xx:xx:xx:xx:xx- received connection
*webauthRedirect: Nov 14 14:51:23.021: xx:xx:xx:xx:xx:xx- received request
*webauthRedirect: Nov 14 14:51:24.304: xx:xx:xx:xx:xx:xx- received connection
I can't get my head round why all of a sudden what worked no longer works. There is no FW block. Please do you have a clue?
ISE Redirect URL
Usually to start testing a mobile device from scratch, all you need to do are deleting certificate from the device, and removing the device from MyDevice portal. You don't really need to revoke the cert as the Windows server does not check for an existing cert, it just keep generating a new one. Just to be safe, also delete the wireless profile on the device by forgeting the network. You should then be good to go. At minimum, the device browser should be redirected to the URL but the fact that you said this did not even happen make it kinda strange. Could you go through the steps above and try again?
ISE Redirect URL
When the problem occurred, I wiped the config of the ISE and reinstalled ISE application using the ISE ISO file. Hence, there are no details of the previous successful session. The difficulty in troubleshooting is that the logs don't point to where the failure is. You see Authentication successful with redirect URL and that's where it ends. Nothing else shows the mobile trying to hit the URL with a failure, not even on Wireshark.
I have run the Supplicant Provisioning report, but none was generated. The only session that showed up on the report was when I used a Windows mobile, and got the error: "Error while trying to match to determine access privileges: No Matching SPW profile found." This was expected because I didn't create a Client Provisioning rule for Windows. However, in the Native Supplicant Profile, the OS is set to ALL.
I also noticed that my Android showed the same error message in the report, but when I went and created a new Native Supplicant profile and set OS to Android and Iphone, no subsequent sessions showed up in the Supllicant Provisioning report, even though the authentication is successful.
ISE Redirect URL
The mobile device has to first be redirect to ISE by the redirect URL, otherwise nothing will work. I assume you have verified that the redirected URL is recieved and properly applied to the client on WLC, and you also have the captive portal bypass enable. I would concentrate on getting the redirect URL to work first and then go from there.
ISE Redirect URL
Yes, I do have captive bypass enabled. From the Wireshark dump, the last communication is ISE as the Source and WLC as the Destination with Radius ACCEPT-ACCEPT. Drilling further down the frame, the URL Redirect is listed under the Cisco-AVPair.
I take it from the above that the WLC should then forward the redirect URL to the client. But I don't see this happening and neither is there further logs on Wireshark to show what the WLC is doing. That's what makes the troubleshooting so difficult because I can't see what the WLC does after getting the redirect URL from ISE.
ISE Redirect URL
Problem finally solved. I had a look at the ACL on the WLC and discovered that the Outbound ACL from DNS to client had been removed. There was only the inbound from client to DNS.
ISE Redirect URL
There you go.. Incorrect ACL would cause issue as well. Rule of thumb is to never block DNS or DHCP.
Glad to hear your issue is resolved.