View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0113 - ISE 1.2 BYOD Wireless Onboarding Single SSID (Part 3)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
4
Lab Document: 
<Please login to see the content>
The video walks you through Cisco ISE 1.2 configuration and demonstrates device onboarding as part of Bring Your Own Device (BYOD) concept. We will be exclusively covering wireless access with single SSID using Windows 7, iPhone, and Android as client devices. We will also looks at how users can manage their own devices through the MyDevices portal. This lab partially repeats our ISE 1.1 BYOD mini-series with emphasis on ISE 1.2. We will begin our configuration from scratch so you can observe the entire configuration steps. 
 
Part 3 of this video shows demonstration of device onboarding and use of MyDevices portal
 
Topic:
  • Client Suppliant/Agent Download
  • Windows 2008 Certificate Template and SCEP
  • Network Device
  • Network Device Group
  • AD Integration
  • Identity Store Sequence
  • Client Provisioning Policy
  • Policy Element Result
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
  • Windows 7, iPhone, Android
  • MyDevices Portal
 
Relevant Video:

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

18 comments

Hi,

i make the configuration equal your video. But when i try connect with windows 7 the Network Setup Assistant make a error Failed and not connect in authorization LM_PERMIT_ALL. has some feature that has to release to run on windows 7? thanks.

Can you describe excatly how far you got on the Network Setup Assistant? Have you tried on another laptop or iphone? iPhone usually have a better success rate as you do not have to deal with all the security that might interfere on a computer.

I followed your videos for single ssid byod, and and introduced some errors in my lab.

- Android - Worked very well before install Network Setup Assistant
- IoS 7.0 -> WLC update last firmware and ISe 1.2 all patch install, freeze in captive portal before accept the certified. I add the config network web-auth bypass enable in wlc, but does not work.
- windows 7 I.E 9 -> i Accept the certified, and show me error in Network Setup Assistance. I test in 3 machine ( Vmware machine). In the last two machines the user and password are request but show-me error> Dont connect in this network.

My Wlc version: Version 7.5.102.0
Version Ise:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.5.252
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2013 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-discovery

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version : 1.2.0.899
Build Date : Wed Jul 24 04:37:31 2013
Install Date : Fri Jan 24 08:57:55 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 1
Install Date : Fri Jan 24 09:44:48 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 2
Install Date : Fri Jan 24 09:52:13 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 3
Install Date : Fri Jan 24 09:56:10 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 4
Install Date : Fri Jan 24 09:59:00 2014

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 5
Install Date : Fri Jan 24 10:00:58 2014

Can you help-me about this error.

Thanks for your feedback.

Hi,

i change the ACL in WLC, and work the windows machine. In IoS 7.0.4 / Iphone 4s/ freeze in captive portal. I update the Wlc but the probme its same.

On the iPhone, did you get redirected to the portal automatically as soon as you connect to the wireless network or if you had to manually launch Safari?

Hi,

My iphone is redirected to the portal automatically, but dont open the page the ISE for registration. The iphone frozen in white sceen and try redirect for Ise.
I read that net add in controller config network web-auth captive-bypass enable for bypass the captive portal.

That definitly sounds like the captive-bypass command did not take effect. Please double check and reapply the command. I believe it will force you to reload the WLC as well.

Hi there

I have the same issue. Device Registration page won't open! I tried the scenario with single/dual SSID and with iphone/ipad/win 7. All of them have correct url from WLC but the page for device registration is not loading. ACL seems to be correct. Capative Portal for Guest is working, so i know that captive-bypass took effect (without this command behaviour was diffrent..) ISE 1.2 Patch 5 and WLC 7.6. If you have any news, let me know..

Did the browser just keep spinning on a blank page when opened? What was shown on the URL? Also double checked on the ACL that DNS and all traffic to ISE PSN are allowed.

Yes, you can just see that the client is getting the right url https://...action=nsp and nothing is blocked (i made tcp dump on client and ise site) The site is blank and it looks like it can not be load, but you don't get any error massage. For ISE everythign looks ok (in Auth tabs you see right profile)

If you run packet capture on the client, do you see DNS resoluation from host to PSN, and http request and response from ISE. I am sure you have tried to reload ISE already but just checking.

Yes, i can see https communication between client and ise. And i also reloaded the both ise nodes (i'm working with primary-secondary deployment). I'm really confused, because i don't want to erase whole configuration and make it new in hope that it will start work... and as already mentioned i tried 2 scenarios. Whit dual ssid i'm going throug CWA (i can log in, and capative portal is working) but redirection to nsp (device registration page) is not working. Also when i get directly with mschap-v2 ISE shows me the right authZ Profile, and Client get the URL but just can not open the page... (yesterday i made new ACLs just to be sure, and it didn't really help) What is intresting, i can not edit NSP under Policy/Elements/ClientProv/Records. Also when i create a new one, and try to edit this new profile is not working... :( :( :(

That is strange. If you can see bidirectional https traffic then you shouldn't have a blank browser. Hate to say but you might need to try a new install without patch (don't blowup the old one yet). If you still get the same result, then it's probably config issue somewhere.

I'm afraid, there is no other way. I will try to contact Cisco, but first next week (the one i know is still on holiday ;)) and if they can not help me, i will make a new installation. I will let you know sometime next week, if i know something more. Thanks a lot!!

Best of luck to you and let us know how it goes. :-)

Onboarding is working now! I made application reset and then i created new NSP Profile and i've tried to edit. It was ok. Next, i've restored ISE Backup and again it didn't work, so this failure was also replicated with backup. I've restared ISE again, did a minimal configuration for testing onbording and it was working. I can not say at which moment databank got corrupted, as i made new installation with 1.2 Patch 5. But i can say that the second time i didn't enable auto. downloads, and just took the thing i need for onboarding.
For now i'm really happy ;)

Good to hear that it worked out and thank you for sharing your resolution.

First, let me say Thank You for this great site. It is indeed awesome.

First, I'm on 1.2 and update 6. I've followed your directions to the T (or not, considering this question) and it seems to be working OK, except that upon connecting to the WLAN, entering your username and password and opening Safari. However, the site that comes up is the Guest login screen, not the device registration screen. Any ideas????
Thanks again!
Raun