View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0054 - ISE 1.1 BYOD (Part 5) - Wireless Onboarding Dual SSID Testing

SEC0054 - ISE 1.1 BYOD (Part 5) - Wireless Onboarding Dual SSID Testing

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security

This Cisco ISE BYOD mini video series demonstrates device onboarding process for users to connect their personal devices to a corporate network as part of Bring Your Own Device (BYOD) concept. We will be covering both wired and wireless access using Windows 7, iPhone, and Android as client devices. Relevant authentication, authorization, and client provisioning policies will be presented. We will also looks at how users can manage their own devices through the My Devices Portal.

In part 5, we test onboarding process to verify our configuration completed in part 4 using Windows 7, iPhone, and Android devices.
Topic:
  • SCEP CA Profile
  • Device Registration
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authorization (Authorization Profile)
      • Web Authentication (Supplicant Provisioning)
      • Airspace ACL
    • Client Provisioning (Native Supplicant Profile)
  • Authentication Policy
  • Authorization Policy
  • Client Provisioning Policy
  • My Devices Portal
  • Device Blacklist
Notes:
  • SSID 1: Onboarding SSID with Open authentication (MAC Filtering)
  • SSID 2: Internal SSID with WPA Enterprise (potentially hidden)
  • Users authenticate through wireless MAB to register device and download profile
  • Users authenticate through EAP-TLS to gain network access
  • ISE acts as SCEP proxy and request certificate on user behalf with the following attributes
    • CN = Username used in authentication
    • Subject Alternative Name = Client MAC address

 

Tag: 
ISE
byod
peap
eap-tls
onboarding
wireless

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

10 comments

Submitted by Pepa on Mon, 07/15/2013 - 07:49

Hello everyone and thanks for the videos.
My installation works very good for the onboarding process for android and windows desktop devices, but I can't onboard the apple devices.
When I start the process on my iphone, the onboarding page come and disappears immediatly taking me to the ca certificate install page and after I install the certificate I'm not redirected to the onboarding page and if I try to surf the web, I get captured again from the captive portal and again the ca certificate installation is prompted to me.
This is endless.

Have you the same problem? May be something changed apple side with the last os update? I tested the procedure with ios 6.0.2 and 6.1.3

Thanks and best regards

Submitted by admin on Tue, 07/16/2013 - 00:02

Can you provide more info if you do single or dual SSID, were you able to register device MAC address, was there any error message on the log (both live authorization and client provisioning), and did you setup client provisioning policy for ios device? Since you already got it working with other devices, obviously it has to be ios-related setup.

Submitted by Pepa on Tue, 07/16/2013 - 04:27

Thanks for you reply.
I'm using a single SSID.
No error message in the log here:

Logged At: July 15,2013 3:36:07.704 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: *username*
MAC/IP Address: B4:F0:XX:XX:XX:XX
Network Device: WLC-5508 : 10.XXX.XXX.XXX :
Allowed Protocol: PEAP-TLS
Identity Store: AD1
Authorization Profiles: WLAN-ISE-ONLY
SGA Security Group:
Authentication Protocol : PEAP(EAP-MSCHAPv2)

Here the steps:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 Successfully negotiated PEAP version 1
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12319 Successfully negotiated PEAP version 1
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15016 Selected Authorization Profile - WLAN-ISE-ONLY
11002 Returned RADIUS Access-Accept

the provisioning policy is exactly lyke your video, I have one policy for Android and Apple iOS All
and with result the WLAN-TLS Native Supplicant Profile.

thanks for your support

Submitted by admin on Tue, 07/16/2013 - 23:54

It looks like the PEAP authentication was successful so I would assume that you get the page to register device MAC address when open a browser at this point. So what happen after once you register the device, did you get as far as installing the profile and seeing the key being generated on iPhone?

Submitted by Pepa on Wed, 07/17/2013 - 08:04

I uploaded a video so you can see what really happen to my iphone
http://www.youtube.com/watch?v=aZGhFQsIh_w&feature=em-upload_owner#actio...

Submitted by admin on Wed, 07/17/2013 - 23:44

It looks like the iphone pseudo-browser is interfering. Make sure you enable captive bypass on the WLC. Please see the video below for more detail starting aroung minutes 5.
http://labminutes.com/sec0039_ise_1_1_switch_wlc_recommended_config_2
 

Submitted by Pepa on Thu, 07/18/2013 - 01:44

Thanks for your support, this seems to be the solution to my problem.
I will check if this option will cause some problem to my users.

It is very difficult to find someone expert on this product, do you sell consultant support to help me in configuring in a perfect manner WLC and ISE?

Thanks again

Submitted by admin on Fri, 07/19/2013 - 00:07

You are welcome. Let us know how this works out for you. Due to our limited resource, we cannot offer consulting service but feel free to post additional questions. 

Submitted by jlcastro on Fri, 05/29/2015 - 19:25

Hi,

My name is José Luis Castro

Please, do you help me ?

I don`t speak english.

I have ISE 1.2

I have two SSID: VIP (172.20.179.X) and FUNCIONARIOS (172.20.176.X)

I have two groups in Active Directory: Administradores and Empleados

I want to make settings in the ISE so that when a user chooses the SSID: VIP and this belongs to the Administrators group can access or connect to the network without any problems otherwise not be able to connect, forcing the user to choose the SSID: FUNCIONARIOS

I think is create a rule only when users choose the SSID: VIP

I don`t know if this can be set in the ISE.

Submitted by admin on Sat, 05/30/2015 - 06:24

You need to create two rules on auth policy matcing by SSID (RADIUS called-station-id) and AD external user group and assign appropriate auth profile. You can see our ISE 1.3 802.1x wireless authentication for more detail.