SEC0189 - ISE 1.3 BYOD Wireless Onboarding with Single SSID (Internal CA) (Part 2)

The video demonstrates wireless device onboarding with a single SSID and the Cisco ISE 1.3 Internal CA. With the internal CA configured in the previous video, we continue with the remaining configuration needed to provide a wireless BYOD solution, including the BYOD portal and the required authentication, authorization, and client provisioning policies. We will step through the entire onboarding process and test device management via the MyDevices portal on an iPad, an Android device and a Windows computer.
 
Part 2 of this video focuses on configuration validation and device onboarding testing.
 
Topic:
  • Active Directory User Group Selection
  • ISE Internal CA
  • WLAN SSID Configuration
  • BYOD Portal
  • Policy Element Result
    • Authorization (Authorization Profile)
      • Native Supplicant Provisioning
      • Airespace ACL
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal (Lost and Stolen Device)
  • Blacklist Portal

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

27 comments

Hi Metha, I have followed your video for configuring BYOD Wireless using ISE 1.3 and WLC 8.0. I have BYOD Wireless working for Windows/Mac/iOS as expected, but Android for some reason cannot download the profile from ISE. I double-checked your indications but no luck. Have you encountered this problem with Android OS before?

Thanks in advance.

Jos

We used to encounter the problem with Network Setup Assistant not being able to locate the server to download the profile in the previous version, but not in 1.3. At what point in the process does it fail, and what is the exact error message? Make sure you can see the redirect ACL to ISE on the client wireless session. Maybe also try a different Android device if you have one.

Hi Metha,
I have a challenge. For Windows, my tests fail when downloading the profile configuration. I get a prompt: "failed to download profile configuration . reconnect to network and try again"
Also, for Android, it fails at the point after installing the ISE "iseca" certificate, that is, in the state of "connecting to the network".
Any workaround here?

Anything under client provisioning report? Any success on other device type like Macintosh or iPhone?

Hi Metha,

I currently am working on this in my lab and am able to successfully install the profile on my iPhone. However, once the profile is installed and I click "Done", I can't browse after the success page as my wireless disconnects. The only final message that I can find is "5205 Dynamic Authorization succeeded". I can see that the client did receive the disconnect authorization request. My question is: shouldn't it reauth to the Internal SSID via EAP-TLS? I currently have the "CoA Type" configured for "Reauth".

Thanks again for all the videos as they have been a tremendous help in my career.

You might want to double-check your Wireless Supplicant Profile and make sure everything looks correct. Like you said, the client should be disconnected by the CoA but reconnect immediately, but if you have a typo in the SSID, for example, it may not. Also make sure the client does not have another conflicting SSID configured that might cause it to connect to another SSID after a disconnect.

Hi!

When I am redirected to the BYOD portal using a Win7 PC, I click start and get an error "system administrator hasn't set up or turned on device policy, contact technical support"

What can be the reason for this problem?

iOS and Android work

Thx.

Do you have a client provisioning policy set up for Windows OS?

My policies look like this:

Windows Policy
WLAN BYOD WIN If Any and Windows All and Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND OTLAB.COM:ExternalGroups EQUALS OTLAB.COM/BYOD/BOYD then WinSPWizard 1.0.0.41 And WLAN - here I tried different versions of WinSPWizard

Mobile Policy
WLAN BYOD MOBILE If Any and Android or Apple iOS All and Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11 AND OTLAB.COM:ExternalGroups EQUALS OTLAB.COM/BYOD/BOYD then WLAN

The policy looks correct. We don't think we have seen this error before, and it does not seem to be documented either. Any error you can find in the Client Provisioning report? Have you also tried another computer or reloading ISE?

I tried another computer, same error with the Windows PC.

Also, I have now tried to proceed with BYOD on an iPhone 6 (1 week before, all worked). I get the Wi-Fi profile, then it redirects me with an error in the browser that the procedure can't be finished.

Also, I tried to do Mac OS X onboarding. I registered the device in the portal, then downloaded the Cisco assistant, and it gave me an error "unable to locate ISE server"

Also, I tried to do Android onboarding. I registered the device in the portal, then downloaded the Cisco assistant, and it gave me an error "server hasn't been located, be sure that your device is set up for an access to network with the possibility to redirect requests to enroll.cisco.com"

I updated SPWizard to WinSPWizard 2.0.1.46,
and now I don't get any error about policy.

The PC downloads Network Setup Assistant, and there I get the same error as on Mac OS X, "Failed to discover ISE, Reconnect to network and try again". How can I solve this problem?

Do you have the ACL allowing full access to ISE? Are you still having the same issue with the iPhone? For Android, did you download and install the Network Setup Assistant app before onboarding?

I fixed all issues.

On the WLC I corrected the ACL:
1) It helped to fix the issue "cant find ISE server" on Android and Windows in Setup Assistant.
2) It also fixed an issue on the iPhone 6 where, after installing the profile, I got an error in the browser about being unable to finish the process.

3) In ISE, I changed the Client Provisioning wizard to WinSPWizard 2.0.1.46 for Windows, and it fixed the error "no policy for your device was set up by administrator".

4) Mac works too.

Now I have a task: I should show the functionality of BYOD. How can I make a scenario where, before BYOD provisioning, I don't have access to resources, but after this process I get access to services, for example to a web server?

Maybe there is a possibility that after the PEAP stage we have access to some resources and after EAP-TLS we have full access. If so, how can it be accomplished?
Thank you!

Glad to hear everything works now. The scenario you described is basically what this video demonstrates. The user first authenticates with PEAP and only gets redirected to ISE to onboard. Once onboarded and with the cert installed, the user can reconnect with EAP-TLS and get full access.

But after EAP-TLS the user gets the same IP address in the same VLAN as after PEAP. Isn't it necessary to change the VLAN to make such a policy for restricting access, or maybe the authorization policy on ISE should be changed?

Or maybe the ACL on the WLC should be changed?

Also, if we speak about the PERMIT ACL on the WLC, at what stage is it used and for which things?

Also, what should I do on the DNS server to make a redirection to the BYOD portal via hostname and not only IP address?

Thx

Also, on a Win PC after EAP-TLS works, if I try to change settings in the Win supplicant to PEAP (to try other login credentials), I can't connect to the SSID. It doesn't ask me for credentials, there is just an error that it can't connect to the SSID.

Is there a way to get proxy settings after connecting via EAP-TLS?

What should I do to get access to my devices from a browser via hostname?

We are assuming you are referring to the MyDevices portal. If so, you can configure a portal URL under the MyDevices portal setting page. You then need to create a DNS record of matching name pointing to the ISE PSN.

Yes, I'm speaking about the MyDevices portal.

I don't understand how it's possible to change the DNS record for the MyDevices portal.

For example, I made a record for the admin GUI for ISE, it's ise.lab.com 172.25.110.51

The URL of the MyDevices portal is https://172.25.110.51:8443/mydevicesportal/PortalSetup.action?portal=28e...

How can I add it to DNS? Or, if I could do it, I will have two records in DNS pointing to one IP address. How will ISE understand whether I need the Admin GUI portal or MyDevices?

In your case, you need to:

1. Configure mydevices.lab.com as the URL under the MyDevices portal

2. Create a DNS record for mydevices.lab.com pointing to the IP of the PSN node. If you are doing standalone, it will just be 172.25.110.51

When you go to mydevices.lab.com, the HTTP request will contain the URL, which allows ISE to map it to the correct portal page and not the admin page.

I really can't find a way to change the URL of this portal, there is only a button "portal test URL"

Please refer to video SEC0188 Part 1 starting at minute 22:30 on how to create MyDevices portal

We actually have never tried with PEAP. Any reason why you would do so, since it may require you to manually provide credentials?

ISE 2.0 might allow you to set proxy settings under the Client provisioning profile. You might want to double check.

The case I am speaking about is when 2 users use only 1 PC. If I have one login/pass for the Windows PC and I need to get certificates for 2 users, I'm not able to do it, because after EAP-TLS of one user and getting the user certificate I can't authorize with another client's credentials, even with PEAP.

Onboarding is meant for users bringing a personal device, so there wouldn't be two users on one device. If you do, maybe onboarding is not the right solution. What is your reason to have two users on one device, and who owns the device?

Since EAP-TLS authentication should hit a different rule from PEAP, you can assign the user any ACL or VLAN you want. The user does not necessarily need to stay on the same VLAN or get the same ACL.
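
A simplified model of the first-match authorization logic discussed in this thread (PEAP sessions are redirected for onboarding, while EAP-TLS sessions from onboarded devices hit a separate rule with their own ACL or VLAN), added here as an illustration and not taken from the video or from ISE itself. The rule names, ACL names and VLAN number are hypothetical, and the blacklist outcome is reduced to a plain deny.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class Session:
    eap_method: str            # "PEAP" or "EAP-TLS"
    in_byod_group: bool        # member of the AD group selected for BYOD
    registered: bool           # endpoint has completed onboarding
    blacklisted: bool = False  # marked lost/stolen in the My Devices portal

@dataclass(frozen=True)
class Result:
    rule: str
    access: str                # "deny", "redirect" or "permit"
    acl: Optional[str] = None  # ACL name returned to the WLC
    vlan: Optional[int] = None

# Ordered rules, first match wins. Names, ACLs and VLAN are hypothetical.
RULES = [
    (lambda s: s.blacklisted,
     Result("Blacklist", "deny")),
    (lambda s: s.eap_method == "EAP-TLS" and s.registered and s.in_byod_group,
     Result("BYOD-Onboarded", "permit", acl="ACL-FULL", vlan=20)),
    (lambda s: s.eap_method == "PEAP" and s.in_byod_group,
     Result("BYOD-Onboarding", "redirect", acl="ACL-NSP-REDIRECT")),
]

def authorize(session: Session) -> Result:
    """Return the result of the first rule whose condition matches."""
    for condition, result in RULES:
        if condition(session):
            return result
    return Result("Default", "deny")

def permit_leaks() -> list:
    """Enumerate every session type and return those that are permitted
    without both EAP-TLS and a registered, non-blacklisted endpoint."""
    leaks = []
    for eap, grp, reg, bl in product(("PEAP", "EAP-TLS"), (True, False),
                                     (True, False), (True, False)):
        s = Session(eap, grp, reg, bl)
        if authorize(s).access == "permit" and (
                eap != "EAP-TLS" or not reg or bl):
            leaks.append(s)
    return leaks
```

An empty list from `permit_leaks()` means no pre-onboarding or blacklisted session reaches the full-access rule; reordering or loosening a rule in `RULES` shows up there immediately.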

Which BYOD portal are you referring to? The client provisioning portal used for onboarding should redirect the user to the ISE hostname already.