
Cisco 5500 Series Wireless Controllers

Wireless BYOD for FlexConnect Deployment Guide

Document ID: 113606

Updated: Sep 12, 2013

Contributed by Surendra BG and Ramamurthy Bakthavatchalam, Cisco TAC Engineers.


Introduction

Mobile devices are becoming more computationally powerful and popular among consumers. Millions of these devices are sold to consumers with high-speed Wi-Fi so users can communicate and collaborate. Consumers are now accustomed to the productivity enhancement these mobile devices bring into their lives and are seeking to bring their personal experience into the workspace. This creates the functionality needs of a Bring Your Own Device (BYOD) solution in the workplace.

This document provides the branch deployment for the BYOD solution. An employee connects to a corporate service set identifier (SSID) with his/her new iPad and gets redirected to a self-registration portal. The Cisco Identity Services Engine (ISE) authenticates the user against the corporate Active Directory (AD) and downloads a certificate with an embedded iPad MAC address and username to the iPad, along with a supplicant profile that enforces the use of the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) as a method for dot1x connectivity. Based on the authorization policy in ISE, the user can then connect with the use of dot1x and gain access to appropriate resources.

ISE functionalities in Cisco Wireless LAN Controller software releases earlier than 7.2.110.0 did not support local switching clients that associate through FlexConnect access points (APs). Release 7.2.110.0 supports these ISE functionalities for FlexConnect APs for local switching and centrally authenticated clients. Furthermore, Release 7.2.110.0 integrated with ISE 1.1.1 provides (but is not limited to) these BYOD solution features for wireless:

  • Device profiling and posture
  • Device registration and supplicant provisioning
  • Onboarding of personal devices (provision iOS or Android devices)

Note: Although supported, other devices, such as PC or Mac wireless laptops and workstations, are not included in this guide.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Catalyst Switches
  • Cisco Wireless LAN (WLAN) Controllers
  • Cisco WLAN Controller (WLC) Software Release 7.2.110.0 and later
  • 802.11n APs in FlexConnect mode
  • Cisco ISE Software Release 1.1.1 and later
  • Windows 2008 AD with Certificate Authority (CA)
  • DHCP server
  • Domain Name System (DNS) server
  • Network Time Protocol (NTP)
  • Wireless client laptop, smartphone, and tablets (Apple iOS, Android, Windows, and Mac)

Note: Refer to Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 7.2.110.0 for important information about this software release. Log in to the Cisco.com site for the latest release notes before you load and test software.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Topology

A minimal network setup, as shown in this diagram, is required in order to properly implement and test these features:

byod-flexconnect-dg-001.gif

For this simulation, you need a network with a FlexConnect AP, a local/remote site with local DHCP, DNS, the WLC, and the ISE. The FlexConnect AP is connected to a trunk in order to test local switching with multiple VLANs.

Device Registration and Supplicant Provisioning

A device must be registered so that its native supplicant can be provisioned for dot1x authentication. Based on the matching authentication policy, the user is redirected to the guest page and authenticated with employee credentials. The user sees the device registration page, which asks for their device information. The device provisioning process then begins. If the operating system (OS) is not supported for provisioning, the user is redirected to the Asset Registration Portal in order to mark that device for MAC Authentication Bypass (MAB) access. If the OS is supported, the enrollment process begins and configures the native supplicant of the device for dot1x authentication.

Asset Registration Portal

The Asset Registration Portal is the element of the ISE platform that allows employees to initiate the onboarding of endpoints through an authentication and registration process.

Administrators are able to delete assets from the endpoints identities page. Each employee is able to edit, delete, and blacklist the assets they have registered. Blacklisted endpoints are assigned to a blacklist identity group, and an authorization policy is created in order to prevent network access by blacklisted endpoints.

Self-Registration Portal

In the Central Web Authentication (CWA) flow, employees are redirected to a portal that allows them to enter their credentials, authenticate, and enter the specifics of the particular asset they wish to register. This portal is called the Self Provisioning Portal and is similar to the Device Registration Portal. It allows the employees to enter the MAC address as well as a meaningful description of the endpoint.

Authentication and Provisioning

Once employees select the Self-Registration Portal, they are challenged to provide a set of valid employee credentials in order to proceed to the provisioning phase. After successful authentication, the endpoint can be provisioned into the endpoints database, and a certificate is generated for the endpoint. A link on the page allows the employee to download the Supplicant Pilot Wizard (SPW).

Note: Refer to the FlexConnect Feature Matrix Cisco article in order to view the latest FlexConnect feature matrix for BYOD.

Provisioning for iOS (iPhone/iPad/iPod)

For EAP-TLS configuration, ISE follows the Apple Over-the-Air (OTA) enrollment process:

  • After successful authentication, the evaluation engine evaluates client-provisioning policies, which results in a supplicant profile.
  • If the supplicant profile is for the EAP-TLS setting, the OTA process determines whether the ISE certificate is self-signed or signed by an unknown CA. If either condition is true, the user is asked to download the certificate of either ISE or the CA before the enrollment process can begin.
  • For other EAP methods, ISE pushes the final profile upon successful authentication.

Provisioning for Android

Because of security considerations, the Android agent must be downloaded from the Android marketplace site and cannot be provisioned from ISE. Cisco uploads a release candidate version of the wizard into the Android marketplace through the Cisco Android marketplace publisher account.

This is the Android provisioning process:

  1. Cisco uses the Software Development Kit (SDK) in order to create the Android package with a .apk extension.
  2. Cisco uploads a package into the Android marketplace.
  3. The user configures the policy in client provisioning with the appropriate parameters.
  4. After registration of the device, the end user is redirected to the client provisioning service when dot1x authentication fails.
  5. The provisioning portal page provides a button that redirects the user to the Android marketplace portal where they can download the SPW.
  6. The Cisco SPW is launched and performs provisioning of the supplicant:
    1. SPW discovers the ISE and downloads the profile from ISE.
    2. SPW creates a cert/key pair for EAP-TLS.
    3. SPW makes a Simple Certificate Enrollment Protocol (SCEP) proxy request call to ISE and gets the certificate.
    4. SPW applies the wireless profiles.
    5. SPW triggers re-authentication if the profiles are applied successfully.
    6. SPW exits.

Dual SSID Wireless BYOD Self-Registration

This is the process for dual SSID wireless BYOD self-registration:

  1. The user associates to the Guest SSID.
  2. The user opens a browser and is redirected to the ISE CWA Guest Portal.
  3. The user enters an employee username and password in the Guest Portal.
  4. ISE authenticates the user, and, based on the fact that they are an employee and not a guest, redirects the user to the Employee Device Registration guest page.
  5. The MAC address is pre-populated in the Device Registration guest page for the DeviceID. The user enters a description and accepts the Acceptable Use Policy (AUP) if required.
  6. The user selects Accept and begins to download and install the SPW.
  7. The supplicant for that user's device is provisioned along with any certificates.
  8. Change of Authorization (CoA) occurs, and the device reassociates to the corporate SSID (CORP) and authenticates with EAP-TLS (or other authorization method in use for that supplicant).

Single SSID Wireless BYOD Self-Registration

In this scenario, there is a single SSID for corporate access (CORP) that supports both Protected Extensible Authentication Protocol (PEAP) and EAP-TLS. There is no Guest SSID.

This is the process for single SSID wireless BYOD self-registration:

  1. The user associates to CORP.
  2. The user enters an employee username and password into the supplicant for the PEAP authentication.
  3. The ISE authenticates the user, and, based on the PEAP method, provides an authorization policy of accept with redirect to the Employee Device Registration guest page.
  4. The user opens a browser and is redirected to the Employee Device Registration guest page.
  5. The MAC address is pre-populated in the Device Registration guest page for the DeviceID. The user enters a description and accepts the AUP.
  6. The user selects Accept and begins to download and install the SPW.
  7. The supplicant for that user's device is provisioned along with any certificates.
  8. CoA occurs, and the device reassociates to the CORP SSID and authenticates with EAP-TLS.

Feature Configuration

Complete these steps in order to begin configuration:

  1. For this guide, ensure that the WLC version is 7.2.110.0 or later.

    byod-flexconnect-dg-002.gif

  2. Navigate to Security > RADIUS > Authentication, and add the RADIUS server to the WLC.

    byod-flexconnect-dg-003.gif

  3. Add the ISE 1.1.1 to the WLC:

    • Enter a Shared Secret.
    • Set Support for RFC 3576 to Enabled.

    byod-flexconnect-dg-004.gif

  4. Add the same ISE server as a RADIUS accounting server.

    byod-flexconnect-dg-005.gif

  5. Create a WLC Pre-Auth ACL to use in the ISE policy later. Navigate to WLC > Security > Access Control Lists > FlexConnect ACLs, and create a new FlexConnect ACL named ACL-REDIRECT (in this example).

    byod-flexconnect-dg-006.gif

  6. In the ACL rules, permit all traffic to/from the ISE, and permit client traffic during supplicant provisioning.

    1. For the first rule (sequence 1):

      • Set Source to Any.
      • Set Destination IP to the ISE address with Netmask 255.255.255.255.
      • Set Action to Permit.

      byod-flexconnect-dg-007.gif

    2. For the second rule (sequence 2), set Source IP to the ISE address with Netmask 255.255.255.255, Destination to Any, and Action to Permit.

      byod-flexconnect-dg-008.gif

  7. Create a new FlexConnect Group named Flex1 (in this example):

    1. Navigate to FlexConnect Group > WebPolicies tab.
    2. Under the WebPolicy ACL field, click Add, and select ACL-REDIRECT or the FlexConnect ACL created previously.
    3. Confirm that it populates the WebPolicy Access Control Lists field.

    byod-flexconnect-dg-009.gif

  8. Click Apply and Save Configuration.
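The two FlexConnect ACL rules in step 6 are the only traffic a client can pass before it is authorized; everything else hits the implicit deny, and on the redirect WLAN that is what sends the browser to the ISE portal. The following Python model is an added example (not Cisco code and not part of the guide) that lets you check an ACL definition offline: it assumes a constructed ISE address, a constructed client on VLAN 21, and the `Rule`/`evaluate`/`check_redirect_acl` names, and it models the extra permit rule the Android section says you must add for app-store access with a constructed placeholder network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values (not from the guide): the ISE address and "any".
ISE_IP = "10.10.10.70"
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    """A /32 entry, the equivalent of Netmask 255.255.255.255 in the WLC ACL editor."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    seq: int
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


# The two rules from step 6: any -> ISE and ISE -> any, both permitted.
ACL_REDIRECT = [
    Rule(1, ANY, host(ISE_IP), "permit"),
    Rule(2, host(ISE_IP), ANY, "permit"),
]


def evaluate(acl, src: str, dst: str) -> str:
    """Match a packet against the ACL in sequence order.

    A FlexConnect ACL is stateless and ends with an implicit deny. On the
    redirect WLAN, denied web traffic is what gets intercepted and sent to the
    ISE portal, so "deny" here means "redirected", not "dropped silently".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(acl, key=lambda r: r.seq):
        if s in rule.source and d in rule.destination:
            return rule.action
    return "deny"


def check_redirect_acl(acl, ise_ip: str, client_ip: str, outside_ip: str) -> dict:
    """Checks to run before naming the ACL in the ISE CWA / Provision profiles.

    Both directions to ISE must be permitted (stateless ACL), and an arbitrary
    outside destination must still be denied so the redirect actually triggers.
    """
    return {
        "client_to_ise": evaluate(acl, client_ip, ise_ip) == "permit",
        "ise_to_client": evaluate(acl, ise_ip, client_ip) == "permit",
        "outside_redirected": evaluate(acl, client_ip, outside_ip) == "deny",
    }


def with_internet_rule(acl, seq: int, network: str):
    """Return a copy of the ACL extended with a permit to one extra destination.

    The Android flow needs the client to reach the app store while still in the
    pre-auth state; this models the additional Pre-Auth ACL rule the guide says
    to add. 'network' is a constructed placeholder, not a real app-store range.
    """
    return acl + [Rule(seq, ANY, ipaddress.ip_network(network), "permit")]


if __name__ == "__main__":
    print(check_redirect_acl(ACL_REDIRECT, ISE_IP, "192.168.21.50", "203.0.113.9"))
    extended = with_internet_rule(ACL_REDIRECT, 3, "203.0.113.0/24")
    print(evaluate(extended, "192.168.21.50", "203.0.113.9"))
```

Running `check_redirect_acl` against an ACL that only contains rule 1 reports `ise_to_client` as false, which is the mistake that makes the portal page load but never complete; keep the extra Android rule as narrow as the app store actually needs, since every destination it permits bypasses the redirect.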

WLAN Configuration

Complete these steps in order to configure the WLAN:

  1. Create an Open WLAN SSID for the dual SSID example:

    • Enter a WLAN name: DemoCWA (in this example).
    • Select the Enabled option for Status.

    byod-flexconnect-dg-010.gif

  2. Navigate to the Security tab > Layer 2 tab, and set these attributes:

    • Layer 2 Security: None
    • MAC Filtering: Enabled (box is checked)
    • Fast Transition: Disabled (box is not checked)

    byod-flexconnect-dg-011.gif

  3. Go to the AAA Servers tab, and set these attributes:

    • Authentication and Account Servers: Enabled
    • Server 1: <ISE IP address>

    byod-flexconnect-dg-012.gif

  4. Scroll down from the AAA Servers tab. Under Authentication priority order for web-auth user, make sure that RADIUS is used for authentication and the others are not used.

    byod-flexconnect-dg-013.gif

  5. Go to the Advanced tab, and set these attributes:

    • Allow AAA Override: Enabled
    • NAC State: Radius NAC

    byod-flexconnect-dg-014.gif

    Note: RADIUS Network Admission Control (NAC) is not supported when the FlexConnect AP is in disconnected mode. Thus, if the FlexConnect AP is in standalone mode and loses connection to the WLC, all clients are disconnected, and the SSID is no longer advertised.

  6. Scroll down in the Advanced tab, and set FlexConnect Local Switching to Enabled.

    byod-flexconnect-dg-015.gif

  7. Click Apply and Save Configuration.

    byod-flexconnect-dg-016.gif

  8. Create an 802.1X WLAN SSID named Demo1x (in this example) for single and dual SSID scenarios.

    byod-flexconnect-dg-017.gif

  9. Navigate to the Security tab > Layer 2 tab, and set these attributes:

    • Layer 2 Security: WPA+WPA2
    • Fast Transition: Disabled (box is not checked)
    • Authentication Key Management: 802.1X: Enable

    byod-flexconnect-dg-018.gif

  10. Go to the Advanced tab, and set these attributes:

    • Allow AAA Override: Enabled
    • NAC State: Radius NAC

    byod-flexconnect-dg-019.gif

  11. Scroll down in the Advanced tab, and set FlexConnect Local Switching to Enabled.

    byod-flexconnect-dg-020.gif

  12. Click Apply and Save Configuration.

    byod-flexconnect-dg-021.gif

  13. Confirm that both of the new WLANs were created.

    byod-flexconnect-dg-022.gif

FlexConnect AP Configuration

Complete these steps in order to configure the FlexConnect AP:

  1. Navigate to WLC > Wireless, and click the target FlexConnect AP.

    byod-flexconnect-dg-023.gif

  2. Click the FlexConnect tab.

    byod-flexconnect-dg-024.gif

  3. Enable VLAN Support (box is checked), set the Native VLAN ID, and click VLAN Mappings.

    byod-flexconnect-dg-025.gif

  4. Set the VLAN ID to 21 (in this example) for the SSID for local switching.

    byod-flexconnect-dg-026.gif

  5. Click Apply and Save Configuration.

ISE Configuration

Complete these steps in order to configure the ISE:

  1. Log in to the ISE server: <https://ise>.

    byod-flexconnect-dg-027.gif

  2. Navigate to Administration > Identity Management > External Identity Sources.

    byod-flexconnect-dg-028.gif

  3. Click Active Directory.

    byod-flexconnect-dg-029.gif

  4. In the Connection tab:

    1. Add the Domain Name of corp.rf-demo.com (in this example), and change the Identity Store Name default to AD1.
    2. Click Save Configuration.
    3. Click Join, and provide the AD Administrator account username and password required to join.
    4. The Status must be green. Enable Connected to: (box is checked).

    byod-flexconnect-dg-030.gif

  5. Perform a basic connection test to the AD with a current domain user.

    byod-flexconnect-dg-031.gif

  6. If the connection to the AD is successful, a dialog confirms that the password is correct.

    byod-flexconnect-dg-032.gif

  7. Navigate to Administration > Identity Management > External Identity Sources:

    1. Click Certificate Authentication Profile.
    2. Click Add for a new Certificate Authentication Profile (CAP).

    byod-flexconnect-dg-033.gif

  8. Enter a name of CertAuth (in this example) for the CAP; for the Principal Username X509 Attribute, select Common Name; then, click Submit.

    byod-flexconnect-dg-034.gif

  9. Confirm that the new CAP is added.

    byod-flexconnect-dg-035.gif

  10. Navigate to Administration > Identity Management > Identity Source Sequences, and click Add.

    byod-flexconnect-dg-036.gif

  11. Give the sequence a name of TestSequence (in this example).

    byod-flexconnect-dg-037.gif

  12. Scroll down to Certificate Based Authentication:

    1. Enable Select Certificate Authentication Profile (box is checked).
    2. Select CertAuth (or another CAP profile created earlier).

    byod-flexconnect-dg-038.gif

  13. Scroll down to Authentication Search List:

    1. Move AD1 from Available to Selected.
    2. Click the up button in order to move AD1 to the top priority.

    byod-flexconnect-dg-039.gif

  14. Click Submit in order to save.

    byod-flexconnect-dg-040.gif

  15. Confirm that the new Identity Source Sequence is added.

    byod-flexconnect-dg-041.gif

  16. Use the AD in order to authenticate the My Devices Portal. Navigate to ISE > Administration > Identity Management > Identity Source Sequence, and edit MyDevices_Portal_Sequence.

    byod-flexconnect-dg-042.gif

  17. Add AD1 to the Selected list, and click the up button in order to move AD1 to the top priority.

    byod-flexconnect-dg-043.gif

  18. Click Save.

    byod-flexconnect-dg-044.gif

  19. Confirm that the Identity Store sequence for MyDevices_Portal_Sequence contains AD1.

    byod-flexconnect-dg-045.gif

  20. Repeat steps 16-19 in order to add AD1 for Guest_Portal_Sequence, and click Save.

    byod-flexconnect-dg-046.gif

  21. Confirm that Guest_Portal_Sequence contains AD1.

    byod-flexconnect-dg-047.gif

  22. In order to add the WLC as a Network Access Device (NAD), navigate to Administration > Network Resources > Network Devices, and click Add.

    byod-flexconnect-dg-048.gif

  23. Add the WLC name, IP address, Subnet Mask, and so forth.

    byod-flexconnect-dg-049.gif

  24. Scroll down to Authentication Settings, and enter the Shared Secret. This must match the shared secret of the WLC RADIUS.

    byod-flexconnect-dg-050.gif

  25. Click Submit.

  26. Navigate to ISE > Policy > Policy Elements > Results.

    byod-flexconnect-dg-051.gif

  27. Expand Results and Authorization, click Authorization Profiles, and click Add for a new profile.

    byod-flexconnect-dg-052.gif

  28. Give this profile these values:

    • Name: CWA

      byod-flexconnect-dg-053.gif

    • Enable Web Authentication (box is checked):

      • Web Authentication: Centralized
      • ACL: ACL-REDIRECT (This must match the WLC pre-auth ACL name.)
      • Redirect: Default

      byod-flexconnect-dg-054.gif

  29. Click Submit, and confirm that the CWA authorization profile has been added.

    byod-flexconnect-dg-055.gif

  30. Click Add in order to create a new authorization profile.

    byod-flexconnect-dg-056.gif

  31. Give this profile these values:

    • Name: Provision

      byod-flexconnect-dg-057.gif

    • Enable Web Authentication (box is checked):

      • Web Authentication Value: Supplicant Provisioning

        byod-flexconnect-dg-058.gif

      • ACL: ACL-REDIRECT (This must match the WLC pre-auth ACL name.)

        byod-flexconnect-dg-059.gif

  32. Click Submit, and confirm that the Provision authorization profile was added.

    byod-flexconnect-dg-060.gif

  33. Scroll down in Results, expand Client Provisioning, and click Resources.

    byod-flexconnect-dg-061.gif

  34. Select Native Supplicant Profile.

    byod-flexconnect-dg-062.gif

  35. Give the Profile a name of WirelessSP (in this example).

    byod-flexconnect-dg-063.gif

  36. Enter these values:

    • Connection Type: Wireless
    • SSID: Demo1x (this value is from the WLC 802.1x WLAN configuration)
    • Allowed Protocol: TLS
    • Key Size: 1024

    byod-flexconnect-dg-064.gif

  37. Click Submit.

  38. Click Save.

    byod-flexconnect-dg-065.gif

  39. Confirm that the new profile has been added.

    byod-flexconnect-dg-066.gif

  40. Navigate to Policy > Client Provisioning.

    byod-flexconnect-dg-067.gif

  41. Enter these values for the provisioning rule of iOS devices:

    • Rule Name: iOS
    • Identity Groups: Any

      byod-flexconnect-dg-068.gif

    • Operating Systems: Mac iOS All

      byod-flexconnect-dg-069.gif

    • Results: WirelessSP (this is the Native Supplicant Profile created earlier)

      byod-flexconnect-dg-070.gif

      • Navigate to Results > Wizard Profile (drop-down list) > WirelessSP.

        byod-flexconnect-dg-071.gif

        byod-flexconnect-dg-072.gif

  42. Confirm that the iOS Provisioning Profile was added.

    byod-flexconnect-dg-073.gif

  43. On the right side of the first rule, locate the Actions drop-down list, and select Duplicate below (or above).

    byod-flexconnect-dg-074.gif

  44. Change the Name of the new rule to Android.

    byod-flexconnect-dg-075.gif

  45. Change the Operating Systems to Android.

    byod-flexconnect-dg-076.gif

  46. Leave other values unchanged.

  47. Click Save (lower left screen).

    byod-flexconnect-dg-077.gif

  48. Navigate to ISE > Policy > Authentication.

    byod-flexconnect-dg-078.gif

  49. Modify the condition to include Wireless_MAB, and expand Wired_MAB.

    byod-flexconnect-dg-079.gif

  50. Click the Condition Name drop-down list.

    byod-flexconnect-dg-080.gif

  51. Select Dictionaries > Compound Condition.

    byod-flexconnect-dg-081.gif

  52. Select Wireless_MAB.

    byod-flexconnect-dg-082.gif

  53. To the right of the rule, select the arrow to expand.

    byod-flexconnect-dg-083.gif

  54. Select these values from the drop-down list:

    • Identity Source: TestSequence (this is the value created earlier)
    • If authentication failed: Reject
    • If user not found: Continue
    • If process failed: Drop

    byod-flexconnect-dg-084.gif

  55. Go to the Dot1X rule, and change these values:

    byod-flexconnect-dg-085.gif

    • Condition: Wireless_802.1X

      byod-flexconnect-dg-086.gif

    • Identity Source: TestSequence

      byod-flexconnect-dg-087.gif

  56. Click Save.

    byod-flexconnect-dg-088.gif

  57. Navigate to ISE > Policy > Authorization.

    byod-flexconnect-dg-089.gif

  58. Default rules (such as Black List Default, Profiled, and Default) are already configured from installation; the first two can be ignored; the Default rule will be edited later.

    byod-flexconnect-dg-090.gif

  59. To the right of the second rule (Profiled Cisco IP Phones), click the down arrow next to Edit, and select Insert New Rule Below.

    byod-flexconnect-dg-091.gif

    A new Standard Rule # is added.

    byod-flexconnect-dg-092.gif

  60. Change the Rule Name from Standard Rule # to OpenCWA. This rule initiates the registration process on the open WLAN (dual SSID) for users that come to the guest network in order to have devices provisioned.

    byod-flexconnect-dg-093.gif

  61. Click the plus sign (+) for Condition(s), and click Select Existing Condition from Library.

    byod-flexconnect-dg-094.gif

  62. Select Compound Conditions > Wireless_MAB.

    byod-flexconnect-dg-095.gif

  63. In the AuthZ Profile, click the plus sign (+), and select Standard.

    byod-flexconnect-dg-096.gif

  64. Select the standard CWA (this is the Authorization Profile created earlier).

    byod-flexconnect-dg-097.gif

  65. Confirm that the rule is added with the correct Conditions and Authorization.

    byod-flexconnect-dg-098.gif

  66. Click Done (on the right side of the rule).

    byod-flexconnect-dg-099.gif

  67. To the right of the same rule, click the down arrow next to Edit, and select Insert New Rule Below.

    byod-flexconnect-dg-100.gif

  68. Change the Rule Name from Standard Rule # to PEAPrule (in this example). This rule is for PEAP (it is also used in the single SSID scenario): it matches 802.1X authentications that do not use Transport Layer Security (TLS) and initiates native supplicant provisioning with the Provision authorization profile created previously.

    byod-flexconnect-dg-101.gif

  69. Change the Condition to Wireless_802.1X.

    byod-flexconnect-dg-102.gif

  70. Click the gear icon on the right side of the condition, and select Add Attribute/Value. This is an 'and' condition, not an 'or' condition.

    byod-flexconnect-dg-103.gif

  71. Locate and select Network Access.

    byod-flexconnect-dg-104.gif

  72. Select AuthenticationMethod, and enter these values:

    byod-flexconnect-dg-105.gif

    • AuthenticationMethod: Equals

      byod-flexconnect-dg-106.gif

    • Select MSCHAPV2.

      byod-flexconnect-dg-107.gif

    This is an example of the rule; be sure to confirm that the Condition is an AND.

    byod-flexconnect-dg-108.gif

  73. In AuthZ Profile, select Standard > Provision (this is the Authorization Profile created earlier).

    byod-flexconnect-dg-109.gif

    byod-flexconnect-dg-110.gif

  74. Click Done.

    byod-flexconnect-dg-099.gif

  75. To the right of the PEAPrule, click the down arrow next to Edit, and select Insert New Rule Below.

    byod-flexconnect-dg-111.gif

  76. Change the Rule Name from Standard Rule # to AllowRule (in this example). This rule will be used in order to permit access to registered devices with certificates installed.

    byod-flexconnect-dg-112.gif

  77. Under Condition(s), select Compound Conditions.

    byod-flexconnect-dg-113.gif

  78. Select Wireless_802.1X.

    byod-flexconnect-dg-114.gif

  79. Add an AND attribute.

    byod-flexconnect-dg-115.gif

  80. Click the gear icon on the right side of the condition, and select Add Attribute/Value.

    byod-flexconnect-dg-116.gif

  81. Locate and select Radius.

    byod-flexconnect-dg-117.gif

  82. Select Calling-Station-ID--[31].

    byod-flexconnect-dg-118.gif

  83. Select Equals.

    byod-flexconnect-dg-119.gif

  84. Go to CERTIFICATE, and click the right arrow.

    byod-flexconnect-dg-123.gif

  85. Select Subject Alternative Name.

    byod-flexconnect-dg-121.gif

  86. For the AuthZ Profile, select Standard.

    byod-flexconnect-dg-122.gif

  87. Select Permit Access.

    byod-flexconnect-dg-123.gif

  88. Click Done.

    byod-flexconnect-dg-099.gif

    This is an example of the rule:

    byod-flexconnect-dg-124.gif

  89. Locate the Default rule in order to change PermitAccess to DenyAccess.

    byod-flexconnect-dg-125.gif

  90. Click Edit in order to edit the Default rule.

    byod-flexconnect-dg-126.gif

  91. Go to the existing AuthZ profile of PermitAccess.

    byod-flexconnect-dg-127.gif

  92. Select Standard.

    byod-flexconnect-dg-128.gif

  93. Select DenyAccess.

    byod-flexconnect-dg-129.gif

  94. Confirm that the Default rule has DenyAccess if no matches are found.

    byod-flexconnect-dg-130.gif

  95. Click Done.

    byod-flexconnect-dg-099.gif

    This is an example of the main rules required for this test; they are applicable for either a single SSID or dual SSID scenario.

    byod-flexconnect-dg-131.gif

  96. Click Save.

    byod-flexconnect-dg-132.gif

  97. Navigate to ISE > Administration > System > Certificates in order to configure the ISE server with a SCEP profile.

    byod-flexconnect-dg-133.gif

  98. In Certificate Operations, click SCEP CA Profiles.

    byod-flexconnect-dg-134.gif

  99. Click Add.

    byod-flexconnect-dg-135.gif

  100. Enter these values for this profile:

    • Name: mySCEP (in this example)
    • URL: https://<ca-server>/CertSrv/mscep/ (Check your CA server configuration for the correct address.)

    byod-flexconnect-dg-136.gif

  101. Click Test Connectivity in order to test connectivity of the SCEP connection.

    byod-flexconnect-dg-137.gif

  102. This response shows that the server connectivity is successful.

    byod-flexconnect-dg-138.gif

  103. Click Submit.

    byod-flexconnect-dg-139.gif

  104. The server responds that the CA Profile was created successfully.

    byod-flexconnect-dg-140.gif

  105. Confirm that the SCEP CA Profile is added.

    byod-flexconnect-dg-141.gif
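Steps 49-56 (authentication policy) and 57-96 (authorization policy) together decide what a wireless request gets: a MAB request from an unknown MAC continues to authorization and lands on the CWA redirect, a PEAP/MSCHAPv2 user is sent to provisioning, and only an EAP-TLS client whose certificate Subject Alternative Name matches the RADIUS Calling-Station-ID is permitted, with the Default rule denying everything else. The Python below is an added example (not Cisco code, not ISE's policy engine) that models exactly those rules so you can reason about the outcomes before testing on hardware. It assumes a constructed `AD_USERS` set standing in for the AD1 store, the `Request` attribute names, the `x509_PKI`/`MSCHAPV2` method labels, and a `normalize_mac` helper that strips separators before comparing the MAC in the certificate with the one from RADIUS (the guide does not state how ISE reconciles the two formats, so that is an assumption).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample identity store (not from the guide); stands in for AD1.
AD_USERS = {"jdoe"}


@dataclass
class Request:
    """The attributes ISE evaluates for one wireless access request (constructed)."""
    nas_port_type: str                 # "Wireless - IEEE 802.11" or "Ethernet"
    service_type: str                  # "Call Check" (MAB) or "Framed" (802.1X)
    calling_station_id: str            # client MAC as the WLC sends it
    username: Optional[str] = None     # PEAP inner identity
    auth_method: Optional[str] = None  # "MSCHAPV2" (PEAP) or "x509_PKI" (EAP-TLS)
    cert_cn: Optional[str] = None      # certificate CN (principal username per CAP CertAuth)
    cert_san: Optional[str] = None     # certificate SAN, expected to carry the device MAC


def normalize_mac(mac: str) -> str:
    """Strip ':' / '-' / '.' so the RADIUS and certificate formats compare equal.

    Assumption for this model only; the guide does not describe ISE's comparison.
    """
    return "".join(c for c in mac.lower() if c.isalnum())


def wireless_mab(r: Request) -> bool:
    return r.nas_port_type == "Wireless - IEEE 802.11" and r.service_type == "Call Check"


def wireless_8021x(r: Request) -> bool:
    return r.nas_port_type == "Wireless - IEEE 802.11" and r.service_type == "Framed"


def authenticate(r: Request) -> str:
    """Authentication policy (steps 49-56): returns 'continue' or 'reject'."""
    if wireless_mab(r):
        # TestSequence has no user entry for a raw MAC; the rule is set to
        # 'If user not found: Continue', so MAB falls through to authorization.
        return "continue"
    if wireless_8021x(r):
        if r.auth_method == "x509_PKI":
            # CAP CertAuth takes the principal username from the CN, which the
            # sequence then looks up in AD1.
            return "continue" if r.cert_cn in AD_USERS else "reject"
        if r.auth_method == "MSCHAPV2":
            return "continue" if r.username in AD_USERS else "reject"
    return "reject"


def authorize(r: Request) -> str:
    """Authorization policy (steps 57-96), first match wins."""
    if wireless_mab(r):
        return "CWA"  # OpenCWA: redirect to the guest portal for registration
    if wireless_8021x(r) and r.auth_method == "MSCHAPV2":
        return "Provision"  # PEAPrule: redirect to supplicant provisioning
    if (wireless_8021x(r) and r.cert_san is not None
            and normalize_mac(r.calling_station_id) == normalize_mac(r.cert_san)):
        return "PermitAccess"  # AllowRule: the certificate is bound to this device's MAC
    return "DenyAccess"  # Default rule after step 89


def decide(r: Request) -> str:
    """End-to-end outcome for one request, as Operations > Authentications would show it."""
    if authenticate(r) != "continue":
        return "Access-Reject"
    return authorize(r)


if __name__ == "__main__":
    W = "Wireless - IEEE 802.11"
    print(decide(Request(W, "Call Check", "00-11-22-33-44-55")))
    print(decide(Request(W, "Framed", "00-11-22-33-44-55", auth_method="x509_PKI",
                         cert_cn="jdoe", cert_san="00:11:22:33:44:55")))
```

The case worth keeping in mind is the last rule: a valid certificate presented from a device whose MAC differs from the SAN falls through AllowRule and hits DenyAccess, which is why the guide binds the MAC into the certificate at provisioning time and why changing the Default rule from PermitAccess to DenyAccess in step 89 matters.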

User Experience - Provisioning iOS

Dual SSID

This section covers dual SSID and describes how to connect to the guest WLAN to be provisioned and how to connect to an 802.1X WLAN.

Complete these steps in order to provision iOS in the dual SSID scenario:

  1. On the iOS device, go to Wi-Fi Networks, and select DemoCWA (configured open WLAN on WLC).

    byod-flexconnect-dg-142.gif

  2. Open the Safari browser on the iOS device, and visit a reachable URL (for example, internal/external webserver). The ISE redirects you to the portal. Click Continue.

    byod-flexconnect-dg-143.gif

  3. You are redirected to the Guest Portal for login.

    byod-flexconnect-dg-144.gif

  4. Log in with an AD user account and password. Install the CA Profile when prompted.

    byod-flexconnect-dg-145.gif

  5. Click Install trusted certificate of the CA server.

    byod-flexconnect-dg-146.gif

  6. Click Done once the profile is completely installed.

    byod-flexconnect-dg-147.gif

  7. Return to the browser, and click Register. Make a note of the Device ID that contains the MAC address of the device.

    byod-flexconnect-dg-148.gif

  8. Click Install in order to install the verified profile.

    byod-flexconnect-dg-149.gif

  9. Click Install Now.

    byod-flexconnect-dg-150.gif

  10. After the process is completed, the WirelessSP profile confirms that the profile is installed. Click Done.

    byod-flexconnect-dg-151.gif

  11. Go to Wi-Fi Networks, and change the network to Demo1x. Your device is now connected and uses TLS.

    byod-flexconnect-dg-152.gif

  12. On the ISE, navigate to Operations > Authentications. The events show the process in which the device connects to the open guest network, goes through the registration process with supplicant provisioning, and is granted Permit Access after registration.

    byod-flexconnect-dg-153.gif

  13. Navigate to ISE > Administration > Identity Management > Groups > Endpoint Identity Groups > RegisteredDevices. The MAC address has been added to the database.

    byod-flexconnect-dg-154.gif

Single SSID

This section covers single SSID and describes how to connect directly to an 802.1x WLAN, provide AD username/password for PEAP authentication, provision through a guest account, and reconnect with TLS.

Complete these steps in order to provision iOS in the single SSID scenario:

  1. If you are using the same iOS device, remove the endpoint from the Registered Devices.

    byod-flexconnect-dg-155.gif

  2. On the iOS device, navigate to Settings > General > Profiles. Remove the profiles installed in this example.

    byod-flexconnect-dg-156.gif

  3. Click Remove in order to remove the previous profiles.

    byod-flexconnect-dg-157.gif

    byod-flexconnect-dg-158.gif

  4. Connect directly to the 802.1X WLAN with the existing (cleared) device or with a new iOS device.

  5. Connect to Dot1x, enter a Username and Password, and click Join.

    byod-flexconnect-dg-159.gif

  6. Repeat Steps 90 and on from the ISE Configuration section until the appropriate profiles are completely installed.

  7. Navigate to ISE > Operations > Authentications in order to monitor the process. This example shows the client that is connected directly to 802.1X WLAN as it is provisioned, disconnects, and reconnects to the same WLAN with the use of TLS.

    byod-flexconnect-dg-160.gif

  8. Navigate to WLC > Monitor > [Client MAC]. In the client detail, note that the client is in the RUN state, its Data Switching is set to Local, and the Authentication is Central. This is expected for clients that connect through a FlexConnect AP.

User Experience - Provisioning Android

Dual SSID

This section covers dual SSID and describes how to connect to the guest WLAN to be provisioned and how to connect to an 802.1X WLAN.

The connection process for the Android device is very similar to that for an iOS device (single or dual SSID). However, an important difference is that the Android device requires access to the Internet in order to access Google Marketplace (now Google Play) and download the supplicant agent.

Complete these steps in order to provision an Android device (such as the Samsung Galaxy in this example) in the dual SSID scenario:

  1. On the Android device, use Wi-Fi in order to connect to the DemoCWA guest WLAN, and open a browser so that you are redirected to the guest portal.

    byod-flexconnect-dg-162.gif

  2. Accept the certificate warning in order to connect to the ISE guest portal. The warning appears because the device does not yet trust the CA that signed the ISE certificate (see Reference - Certificates). A user who accepts any certificate cannot tell the real portal from a spoofed one, so in production either pre-distribute the CA certificate or have users compare the certificate details before they accept.

    byod-flexconnect-dg-163.gif

  3. Enter a Username and Password at the Guest Portal in order to log in.

    byod-flexconnect-dg-164.gif

  4. Click Register. The device attempts to reach the Internet in order to access Google Marketplace. Add the rules that are needed for this to the Pre-Auth ACL on the controller (ACL-REDIRECT in this example) so that the device can reach Google Play. Keep these rules as narrow as possible: the ACL is applied before the device is authenticated, so every destination it permits is reachable by any unauthenticated client on the guest WLAN.

    byod-flexconnect-dg-165.gif

  5. Google Play lists Cisco Network Setup as an Android app. Click INSTALL.

    byod-flexconnect-dg-166.gif

  6. Sign in to Google, and click INSTALL.

    byod-flexconnect-dg-167.gif

  7. Click OK.

    byod-flexconnect-dg-168.gif

  8. On the Android device, find the installed Cisco SPW (Supplicant Provisioning Wizard) app, and open it.

    byod-flexconnect-dg-169.gif

  9. Make sure that you are still logged in to the Guest Portal from your Android device.

  10. Click Start in order to start the Wi-Fi Setup Assistant.

    byod-flexconnect-dg-170.gif

  11. The Cisco SPW begins to install certificates.

    byod-flexconnect-dg-171.gif

  12. When prompted, set a password for credential storage. Android requires this in order to protect the private key that is about to be stored on the device.

    byod-flexconnect-dg-172.gif

  13. The Cisco SPW prompts for a name for the credential that contains the user key and user certificate. Click OK in order to confirm.

    byod-flexconnect-dg-173.gif

  14. Cisco SPW continues and prompts for another certificate name, which contains the CA certificate. Enter the name iseca (in this example), then click OK in order to continue.

    byod-flexconnect-dg-174.gif

  15. The Android device is now connected.

    byod-flexconnect-dg-175.gif

My Devices Portal

My Devices Portal allows users to blacklist previously registered devices in the event a device is lost or stolen. It also allows users to reinstate a device if it is found again.

Complete these steps in order to blacklist a device:

  1. In order to log in to My Devices Portal, open a browser, connect to https://ise-server:8443/mydevices (note the port number 8443), and log in with an AD account.

    byod-flexconnect-dg-176.gif

  2. Locate the device under Device ID, and click Lost? in order to initiate blacklisting of a device.

    byod-flexconnect-dg-177.gif

  3. When the ISE prompts a warning, click Yes in order to proceed.

    byod-flexconnect-dg-178.gif

  4. ISE confirms that the device is marked as lost.

    byod-flexconnect-dg-179.gif

  5. Any attempt to connect to the network with the previously registered device is now blocked, even though a valid certificate is still installed. The certificate is not revoked; ISE moves the endpoint into the Blacklist endpoint identity group, and the authorization policy denies that group. This is an example of a blacklisted device that fails authentication:

    byod-flexconnect-dg-180.gif

  6. An administrator can navigate to ISE > Administration > Identity Management > Groups, click Endpoint Identity Groups > Blacklist, and see the device is blacklisted.

    byod-flexconnect-dg-181.gif

Complete these steps in order to reinstate a blacklisted device:

  1. From the My Devices Portal, click Reinstate for that device.

    byod-flexconnect-dg-182.gif

  2. When ISE prompts a warning, click Yes in order to proceed.

    byod-flexconnect-dg-183.gif

  3. ISE confirms that the device has been successfully reinstated. Connect the reinstated device to the network in order to test that the device will now be permitted.

    byod-flexconnect-dg-184.gif

Reference - Certificates

ISE needs both the CA root certificate in its trusted certificate store and its own identity certificate signed by that CA. The identity certificate is bound as a local certificate and is used for EAP and for the management/portal HTTPS interface; the trusted CA certificate is what lets ISE validate client certificates issued by that CA.

Complete these steps in order to generate a CSR on ISE, have the CA sign it, bind the signed certificate, and import the CA certificate as a trusted CA certificate:

  1. Navigate to ISE > Administration > System > Certificates, click Local Certificates, and click Add.

    byod-flexconnect-dg-185.gif

  2. Select Generate Certificate Signing Request (CSR).

    byod-flexconnect-dg-186.gif

  3. Enter the Certificate Subject CN=<ISE-SERVER hostname.FQDN>. The CN must match the FQDN that clients are redirected to for the portals (and that supplicants see during EAP); otherwise browsers and supplicants show certificate errors. For the other fields, you can use the default or the values required by your CA setup. Click Submit.

    byod-flexconnect-dg-187.gif

  4. ISE verifies that the CSR was generated.

    byod-flexconnect-dg-188.gif

  5. In order to access the CSR, click Certificate Signing Requests.

    byod-flexconnect-dg-189.gif

  6. Select the CSR recently created, then click Export.

    byod-flexconnect-dg-190.gif

  7. ISE exports the CSR to a .pem file. Click Save File, then click OK in order to save the file to the local machine.

    byod-flexconnect-dg-191.gif

  8. Locate and open the exported CSR (.pem) file with a text editor.

    byod-flexconnect-dg-192.gif

  9. Copy the entire content of the CSR, including the BEGIN and END lines.

    byod-flexconnect-dg-193.gif

  10. Connect to the CA server, and log in with an administrator account. The server is a Microsoft Windows Server 2008 CA at https://10.10.10.10/certsrv (in this example).

    byod-flexconnect-dg-194.gif

  11. Click Request a certificate.

    byod-flexconnect-dg-195.gif

  12. Click advanced certificate request.

    byod-flexconnect-dg-196.gif

  13. Click the second option in order to Submit a certificate request by using a base-64-encoded CMC or ... .

    byod-flexconnect-dg-197.gif

  14. Paste the content of the ISE CSR file (.pem) into the Saved Request field, ensure the Certificate Template is Web Server, and click Submit.

    byod-flexconnect-dg-198.gif

  15. Click Download certificate.

    byod-flexconnect-dg-199.gif

  16. Save the certnew.cer file; it will be used later in order to bind with the ISE.

    byod-flexconnect-dg-200.gif

  17. From ISE Certificates, navigate to Local Certificates, and click Add > Bind CA Certificate.

    byod-flexconnect-dg-201.gif

  18. Browse to the certificate (certnew.cer) that was saved to the local machine in step 16, enable both the EAP and Management Interface protocols (boxes are checked), and click Submit. ISE restarts its services, which can take several minutes or more. Once it is back, reconnect to the ISE admin GUI and confirm that the browser now presents the CA-signed certificate.

    byod-flexconnect-dg-202.gif

  19. Return to the landing page of the CA (https://CA/certsrv/), and click Download a CA certificate, certificate chain, or CRL.

    byod-flexconnect-dg-203.gif

  20. Click Download CA certificate.

    byod-flexconnect-dg-204.gif

  21. Save the file to the local machine.

    byod-flexconnect-dg-205.gif

  22. Once the ISE services are back online, navigate to ISE > Administration > System > Certificates, and click Certificate Authority Certificates.

    byod-flexconnect-dg-206.gif

  23. Click Import.

    byod-flexconnect-dg-207.gif

  24. Browse for the CA certificate, enable Trust for client authentication (box is checked) so that ISE can validate EAP-TLS client certificates signed by this CA, and click Submit.

    byod-flexconnect-dg-208.gif

  25. Confirm that the new trusted CA certificate is added.

    byod-flexconnect-dg-209.gif

Related Information
