View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0051 - ISE 1.1 BYOD (Part 2) - Wireless Onboarding Single SSID

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>

This Cisco ISE BYOD mini video series demonstrates device onboarding process for users to connect their personal devices to a corporate network as part of Bring Your Own Device (BYOD) concept. We will be covering both wired and wireless access using Windows 7, iPhone, and Android as client devices. Relevant authentication, authorization, and client provisioning policies will be presented. We will also looks at how users can manage their own devices through the My Devices Portal.

In part 2, we focus on device onboarding on wireless network with single SSID

Topic:
  • SCEP CA Profile
  • Device Registration
  • Policy Element Condition
  • Authorization (Compound Condition)
  • Policy Element Result
    • Authorization (Authorization Profile)
      • Web Authentication (CWA)
      • Airspace ACL
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal
  • Device Blacklist
Notes:
  • SSID 1: Internal SSID with WPA Enterprise
  • Users authenticate through PEAP to register device and download profile
  • Users authenticate through EAP-TLS to gain network access
  • ISE acts as SCEP proxy and request certificate on user behalf with the following attributes
    • CN = Username used in authentication
    • Subject Alternative Name = Client MAC address

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

4 comments

Hey, any ideas how to modify ACL in flex connect mode to allow access to google play. I have tried multiple things and it does not work.

Name ACL is not supported in FlexConnect. You will need to include allowed Google IP as part of FlexConnect default ACL on the VLAN. You can also ask user to download the Cisco Network Assistant app before connecting to the network

Using either the single SSID or dual SSID, I still can't seem to get past the initial authentication. The iPad redirects but never pulls the gust portal page. any suggestions?

Make sure to enable captive-bypass on the wireless controller, and I believe it has to be 7.3 or newer. Captive portal is known to interfere with ISE redirect-url on iDevices. The command is
config network web-auth captive-bypass enable