Cisco 5500 Series Wireless Controllers

Document ID: 113606

PDF Downloads Wireless BYOD for FlexConnect Deployment Guide

Feedback

Introduction

Mobile devices are becoming more computationally powerful and popular among consumers. Millions of these devices are sold to consumers with high-speed Wi-Fi allowing users to communicate and collaborate. Consumers are now accustomed to the productivity enhancement these mobile devices bring into their lives and are seeking to bring their personal experience into the workspace. This creates the functionality needs of a Bring Your Own Devices (BYOD) solution in the workplace.

This guide provides the branch deployment for the BYOD solution. An employee connects to a corporate SSID using his/her new iPad, gets redirected to a self-registration portal, the Identity Services Engine (ISE) authenticates the user against the corporate Active Directory (AD), and downloads a certificate with embedded iPad MAC address and username to the iPad along with a supplicant profile that enforces the use of EAP-TLS as a method for dot1x connectivity. Based on the authorization policy in ISE, the user will then connect using dot1x and gain access to appropriate resources.

Prior to 7.2.11.0, ISE functionalities did not support local switching clients that associate via FlexConnect access points (APs). Introduced in 7.2.110.0, these ISE functionalities are now supported for FlexConnect APs for “local switching and centrally authenticated clients”. Furthermore, 7.2.110.0 integrated with ISE 1.1.1 will provide the BYOD solution features for wireless (not limited to):

• Device Profiling and Posture

• Device registration and supplicant provisioning

• On-boarding personal devices (provisioning for iOS or Android devices)

Note: Other devices such as PC or Mac wireless laptop and workstations, although supported, are not included in this guide.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco Catalyst Switch

• Wireless LAN Controllers

• Wireless LAN Controller 7.2.110.0 and above software

• 802.11n APs in FlexConnect Mode

• ISE 1.1.1 and above software

• Windows 2008 AD with Certificate Authority

• DHCP server

• DNS server

• NTP

• Wireless Client Laptop, Smartphone, and Tablets (Apple iOS, Android, Windows, and Mac)

Note: Refer to 7.2.110 Release Notes for important information about this software release. Log in to the Cisco.com site for the latest release notes before loading and testing software.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Topology

In order to properly implement and test these features, a minimal network setup is required, similar to this diagram:

You need to simulate a location with a FlexConnect AP, a local / remote site with local DHCP, DNS, the WLC, and the ISE. The FlexConnect AP is connected to a trunk for testing local switching with multiple VLANs.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Device Registration and Supplicant Provisioning

A device must be registered for its native supplicant in order to be provisioned for dot1x authentication. Based on the right authentication policy, the user will be redirected to the guest page and authenticated using his/her employee credentials. The user is shown the device registration page, asking their device information. After the device information is entered, the device provisioning process begins. If the operating system (OS) is not supported for provisioning, the user is redirected to the asset registration portal in order to mark that device for MAB access. If the OS is supported, the enrollment process begins, which will configure the native supplicant of the device for dot1x authentication.

Asset Registration Portal

The asset registration portal is the element of the ISE platform that allows employees to initiate the onboarding of endpoints through an authentication and registration process.

Administrators are able to delete assets from the endpoints identities page. Each employee is able to edit, delete, and blacklist the assets they have registered. Blacklisting an endpoint assigns it to a blacklist identity group and an authorization policy is created to prevent blacklisted endpoints from accessing the network.

Self-Registration Portal

Employees are redirected to a portal during the CWA flow that allows them to enter their credentials, authenticate, and then proceed to enter the specifics of the particular asset they wish to register. This portal is called the “Self Provisioning Portal” and is similar to the Device Registration Portal. It allows the employees to enter the MAC address as well as a description of the endpoint that is meaningful to them.

Authentication and Provisioning

Once the employee selects the Self-Registration Portal, they are challenged to provide a set of valid employee credentials in order to proceed to the provisioning phase. Upon successful authentication, the endpoint can be provisioned into the endpoints database and a certificate is generated for the endpoint. A link on the page allows the employee to download the Supplicant Pilot Wizard (SPW).

FlexConnect for BYOD Matrix (WLC 7.2.110.0/ISE 1.1.1)

Provisioning for iOS (iPhone/iPad/iPod)

For EAP-TLS configuration, ISE follows Apple’s Over-the-Air (OTA) enrollment process:

• After successful authentication, the evaluation engine evaluates client-provisioning policies which results in a supplicant profile.

• If the supplicant profile is for the EAP-TLS setting, the OTA process begins with determining if the ISE is using self-signed or signed by an unknown CA. If one of the conditions is true, the user is asked to download the certificate of either ISE or CA before the enrollment process can begin.

• For other EAP methods, ISE will simply push the final profile upon successful authentication.

Provisioning for Android

Due to security considerations, the Android agent must be downloaded from the Android marketplace site and cannot be provisioned from ISE. Cisco would upload a release candidate version of the wizard into the Android marketplace using the Cisco Android marketplace publisher account.

The provisioning process:

• Cisco creates the Android package using the SDK and creates an Android package which has a .apk extension.

• Cisco uploads a package into the Android marketplace.

• The user configures the policy in client provisioning with the appropriate parameters.

• Upon .1x authentication failure, the end user is redirected to client provisioning service (after registration of device).

• The provisioning portal page provides a button to redirect the user to the Android marketplace portal where they can download the SPW.

• Cisco SPW is launched in order to perform provisioning of the supplicant:

  • SPW discovers ISE and downloads the profile from ISE.

  • SPW creates a cert/key pair for EAP TLS.

  • SPW makes an SCEP proxy request call to ISE and gets the certificate.

  • SPW applies the wireless profiles.

  • SPW triggers re-authentication if the profiles are applied successfully.

  • SPW exits.

Dual SSID Wireless BYOD Self-Registration

This is the process for dual SSID wireless BYOD self-registration:

• The user associates to the Guest SSID.

• The user opens a browser and is redirected to the ISE CWA Guest portal.

• The user enters their Employee username and password in the Guest portal.

• ISE authenticates the user, and, based on the fact that they are an employee and not a guest, is directed to the Employee Device Registration guest page.

• The MAC address is pre-populated in the Device Registration guest page for DeviceID, and the user enters a description and accepts the AUP (if required).

• The user selects "accept" and begins downloading and installing the supplicant provisioning wizard.

• The user’s device’s supplicant is provisioned as well as any certificates.

• CoA occurs, the device re-associates to the CORP SSID, and Authenticates via EAP-TLS (or whatever auth method is in use for that supplicant).

Single SSID Wireless BYOD Self-Registration

There would be a single SSID (“CORP”) for corporate access (not including a Guest SSID) that supported both PEAP and EAP-TLS and this scenario would occur:

• The user associates to CORP.

• The user enters into the supplicant their Employee username and password for the PEAP authentication.

• ISE authenticates the user, and, based on the PEAP method, provides an authorization policy of accept with redirect to the Employee Device Registration guest page.

• The user opens a browser and is redirected to the Employee Device Registration guest page.

• The MAC address is pre-populated in the Device Registration guest page for DeviceID, and the user enters a description and accepts the Acceptable Use Policy.

• The user selects Accept and begins downloading and installing the supplicant provisioning wizard.

• The user’s device’s supplicant is provisioned aa well as any certificates.

• CoA occurs, the device re-associates to the CORP SSID, and Authenticates via EAP-TLS.

Feature Configuration

Complete these steps:

1. In this guide, the WLC version must be 7.2.110.0 and above.

   

2. Go to Security > RADIUS > Authentication, and add the RADIUS server to the WLC.

   

3. Add the ISE 1.1.1 to WLC:

   • Enter a Shared Secret.

   • Set Support for RFC 3576 to Enabled.

   

4. Add the same ISE server as a RADIUS accounting server.

   

5. Create a WLC Pre-Auth ACL which will be used in the ISE policy at a later step. Permit all traffic to/from the ISE and also client traffic during supplicant provisioning.

   Go to WLC > Security > Access Control Lists > FlexConnect ACLs, and create a new FlexConnect ACL (in this example, ACL-REDIRECT).

   

6. In the ACL rules:

   1. For the first rule (sequence 1):

      • Set Source to Any.

      • Set IP (ISE address)/ Netmask 255.255.255.255.

      • Set Action to Permit.

      

   2. For the second rule (sequence 2): source IP (ISE address)/ mask 255.255.255.255, to ANY with action also to Permit.

      

7. Create a new FlexConnect Group (in this example, Flex1):

   1. Go to FlexConnect Group > WebPolicies tab.

   2. Under the WebPolicy ACL field, click Add, and select ACL-REDIRECT or the FlexConnect ACL created previously.

   3. Confirm that it populates the WebPolicy Access Control Lists field.

   

8. Click Apply and Save Configuration.

WLAN Configuration

Complete these steps in order to configure the WLAN:

1. Create an Open WLAN SSID (for the Dual SSID example)

   • Enter a WLAN name: in this example, DemoCWA.

   • Select the Enabled option for Status.

   

2. Go to the Security tab > Layer 2 tab, and set these attributes:

   • Layer 2 Security: None

   • MAC Filtering: Enabled (check box)

   • Fast Transition: Disabled (box is not checked)

   

3. Go to the AAA Servers tab, and set these attributes:

   • Authentication and Account Servers: Enabled

   • Server 1: <ISE IP address>

   

4. Scroll down from the AAA Servers tab. Under Authentication priority order for web-auth user, make sure that RADIUS is included (that is, remove the others).

   

5. Go to the Advanced tab, and set these attributes:

   • Allow AAA Override: Enabled

   • NAC State: Radius NAC

   

6. Scroll down in the Advanced tab, and set FlexConnect Local Switching to Enabled.

   

7. Click Apply and Save Configuration.

   

8. Create a 802.1X WLAN SSID (in this example, Demo1x) for single and dual SSID scenarios.

   

9. Go to the Security tab > Layer 2 tab, and set these attributes:

   • Layer 2 Security: WPA+WPA2

   • Fast Transition: Disabled (box is not checked)

   • Authentication Key Management:

     • 802.1X: Enable

   

10. Go to the Advanced tab and set these attributes:

    • Allow AAA Override: Enabled

    • NAC State: Radius NAC

    

11. Scroll down from the Advanced tab and set FlexConnect Local Switching to Enabled.

    

12. Click Apply and Save Configuration.

    

13. Confirm that both of the new WLANs were created.

    

FlexConnectAP Configuration

Complete these steps:

1. Go to WLC > Wireless, and click the target FlexConnect AP.

   

2. Click the FlexConnect tab.

   

3. Enable VLAN Support:

   • Set the Native VLAN ID.

   • Click VLAN Mappings.

   

4. Set the VLAN ID for the SSID for local switching, in this example the local site VLAN is 21.

   

5. Click Apply and Save Configuration.

ISE Configuration

Complete these steps:

1. Log in to the ISE server <https://ise>.

   

2. Select Administration > Identity Management > External Identity Sources.

   

3. Click Active Directory.

   

4. In Connection:

   1. Add the Domain Name (for example, Corp..), and change the Identity Store Name default to AD1.

   2. Click Save Configuration.

   3. Click Join, and provide the AD Administrator account username and password required to join.

   4. The Status must show GREEN. Check Connected to AD.

   

5. Perform a basic connection test to the AD using an existing domain user.

   

6. If the connection to the AD is successful, a dialog will confirm that the password is correct.

   

7. Go to Administration > Identity Management > External Identity Sources:

   1. Click Certificate Authentication Profile.

   2. Click Add for a new Certificate Authentication Profile.

   

8. Give the CAP a name (for example CertAuth).

   1. Principal Username X509 Attribute is Common Name.

   2. Click Submit when finished in order to save.

   

9. Confirm that the new CAP is added.

   

10. Go to Administration > Identity Management > Identity Source Sequences, and click Add .

    

11. Give the sequence a name (for example, TestSequence).

    

12. Scroll down to Certificate Based Authentication:

    1. Check the box for Select Certificate Authentication Profile.

    2. Select CertAuth (or the CAP profile created in earlier steps).

    

13. Scroll down further to Authentication Search List:

    1. Move AD1 from Available to Selected.

    2. Click the up button in order to move AD1 to the top priority.

    

14. Click Submit in order to save.

    

15. Confirm that the new Identity Source Sequence is added.

    

16. Use the AD to authenticate My Devices Portal. Go to ISE > Administration > Identity Management > Identity Source Sequence > and Edit MyDevices_Portal_Sequence.

    

17. Add AD1 to the Selected list, and move it to the top (first order selected).

    

18. Click Save.

    

19. Confirm the change for MyDevices_Portal_Sequence, and that the Identity Store sequence contains AD1.

    

20. Repeat the steps for adding AD1 for Guest_Portal_Sequence, and Save.

    

21. Confirm that Guest_Portal_Sequence contains AD1.

    

22. Add the Wireless LAN Controller (WLC) to Network Access Device (WLC):

    1. Go to Administration > Network Resources > Network Devices.

    2. Click Add.

    

23. Add the WLC name, IP address, Subnet Mask, and so on.

    

24. Scroll down to Authentication Settings and enter the Shared Secret (must match WLC RADIUS shared secret).

    

25. Click Submit.

26. Go to ISE > Policy > Policy Elements > Results.

    

27. Expand Results to Authorization, click Authorizing Profiles, and click Add for a new profile.

    

28. Give this profile these values:

    • Name: CWA

      

    • Web Authentication: Checked/Enabled

      • Value: Centralized

      • ACL: ACL-REDIRECT (must match WLC pre-auth ACL name)

      • Redirect: Default

    

29. Click Submit, and confirm that the new authorization profile has been added.

    

30. Click Add in order to create a new authorization profile.

    

31. Give this profile these values:

    • Name: Provision

      

    • Web Authentication: Checked/Enabled

      • Web Authentication Value: Supplicant Provisioning

        

      • ACL: ACL-REDIRECT (must match WLC pre-auth ACL name)

    

32. Click Submit, and confirm that the Provision authorization profile was added.

    

33. Scroll down in Results, expand Client Provisioning, and click Resources.

    

34. Select Native Supplicant Profile.

    

35. Give the Profile a name (for example, WirelessSP).

    

36. Set these values:

    • Connection Type: Wireless

    • SSID: Demo1x (from WLC 802.1x WLAN configuration)

    • Allowed Protocol: TLS

    • Key Size: 1024

    

37. Click Submit.

38. Click Save.

    

39. Confirm that the new profile has been added.

    

40. Go to Policy > Client Provisioning.

    

41. Enter these values for the provisioning rule of iOS devices:

    • Rule Name: iOS

    • Identity Groups: Any

      

    • Operating Systems: Mac iOS All

      

    • Results: WirelessSP (Native Supplicant Profile created earlier)

      

      • Go to Results > Wizard Profile (dropdown) > WirelessSP.

        

        

42. Confirm that the iOS Provisioning Profile was added.

    

43. On the right side of the first rule, locate the Actions drop-down, and select Duplicate below (or above).

    

44. Change the Name of the new rule to Android.

    

45. Change the Operating Systems to Android.

    

46. Leave other values unchanged.

47. Click Save (lower left screen).

    

48. Go to ISE > Policy > Authentication.

    

49. Modify the condition to include Wireless_MAB, and click on existing Wired_MAB in order to expand.

    

50. Click the Condition Name drop-down.

    

51. Select Dictionaries > Compound Condition.

    

52. Select Wireless_MAB.

    

53. To the right of the rule, next to "allow protocols" and "and…", select the arrow to expand.

    

54. Select these values from the drop-down list:

    • Identity Source: TestSequence (created earlier)

    • If authentication failed: Reject

    • If user not found: Continue

    • If process failed: Drop

    

55. Navigate to the Dot1X rule and change these values:

    

    • Condition: Wireless_802.1X

      

    • Identity Source: TestSequence

    

56. Click Save.

    

57. Go to ISE > Policy > Authorization.

    

58. There are default rules already configured from installation, such as Black List default, Profiled.., and Default, which can be ignored.

    

59. On the right side of second rule (Profiled Cisco IP Phones), next to Edit, click the down arrow in order to select Insert New Rule Below.

    

    A new Standard Rule # is added.

    

60. Change the Rule Name from ‘Standard..’ to OpenCWA. This rule will initiate the registration process on the open WLAN (dual SSID) if coming on to the guest network in order to have devices provisioned.

    

61. Click (+) for Condition(s), and click Select Existing Condition from Library.

    

62. Select Compound Conditions > Wireless_MAB.

    

63. In the AuthZ Profile, click on the +, and select Standard.

    

64. Select the standard CWA (Authorization Profile created earlier).

    

65. Confirm that the rule is added with the correct Conditions and Authorization.

    

66. Click Done (on the right side of the rule).

    

67. On the same rule, click the down arrow, and Insert New Rule Below.

    

68. This rule will be for PEAP (also used for single SSID scenario) in order to check if authenticated 802.1X without TLS, then the network supplicant provisioning will be initiated using the authorization profile created previously as ‘Provision’.

    Change the ‘Standard..’ rule name (for example, PEAPrule).

    

69. Change the Condition to Wireless_802.1X.

    

70. Locate the gear icon on the right side of the condition, and select Add Attribute/Value (this will be an AND, not OR condition).

    

71. Locate and select Network Access.

    

72. Select AuthenticationMethod:

    

    • AuthenticationMethod: Equals

      

    • Select MSCHAPV2.

      

    This is an example of the rule, and also confirm that the Condition is an AND.

    

73. In AuthZ Profile, select Standard > Provision (authorization profile created earlier).

    

    

74. Click Done.

    

75. To the right of the PEAP rule, click Insert New Rule Below for that rule. This rule will be used to permit access to registered devices with certificates installed.

    

76. Change the ‘Standard..’ rule name to something like AllowRule.

    

77. Under Condition(s), select Compound Conditions.

    

78. Select Wireless_802.1X.

    

79. Add an AND attribute.

    

80. Click on the gear/drop-down and click Add Attribute/Value.

    

81. Locate and select Radius.

    

82. Select Calling-Station-ID--[31].

    

83. Select Calling Station Equals.

    

84. Go to CERTIFICATE and select .

    

85. Select Subject Alternate Name.

    

86. For the AuthZ Profile, select Standard.

    

87. Select Permit Access.

    

88. Click Done.

    

    This is an example of what the rule should look like:

    

89. Locate the Default rule. Once there, you will need to change PermitAccess to Deny Access.

    

90. Click Edit in order to edit the Default rule.

    

91. Navigate to the existing AuthZ profile of PermitAccess.

    

92. Select Standard.

    

93. Select DenyAccess.

    

94. Confirm that the Default rule has "DenyAccess", if no matches are found.

    

95. Click Done.

    

    This is an example of the main rules that are required in this test, applicable for a Single SSID or Dual SSID scenario:

    

96. Click Save.

    

97. Configure the ISE server with a SCEP profile. Go to ISE > Administration > System > Certificates.

    

98. In Certificate Operations, click SCEP CA Profiles.

    

99. Click Add.

    

100. Enter these values for this profile:

     • Name: mySCEP (as an example)

     • URL: https://ca-server/CertSrv/mscep/ (check your CA server configuration)

     

101. Click Test Connectivity in order to test connectivity of the SCEP connection.

     

102. This response shows that the server connectivity is successful:

     

103. Click Submit.

     

104. The CA Profile confirms that it was created successfully.

     

105. Confirm that the SCEP CA Profile is added.

     

User Experience - Provisioning iOS

Dual SSID

This section covers Dual SSID, including connecting to the guest to be provisioned and connecting to a 802.1x WLAN.

Complete these steps:

1. From iPhone/iPad/iPod, go to Wi-Fi Networks, and select DemoCWA (configured open WLAN on WLC).

   

2. Open the Safari browser on the iOS device, and visit a reachable URL (for example, internal/external webserver). ISE will redirect to the portal. Click to Continue.

   

3. You are redirected to the Guest portal for login.

   

4. Log in with an AD user account and password. Install the CA Profile when prompted.

   

5. Click Install trusted certificate of the CA server.

   

6. Click Done when the profile is completely installed.

   

7. Return to the browser, and click Register (note the Device ID containing the MAC address of the device).

   

8. Once you click Register, another Profile will be prompted for install, Click Install.

   

9. Click Install Now.

   

10. After the process is completed, the WirelessSP profile will confirm that it is installed. Click Done.

    

11. Go to Wi-Fi Networks, and change to Demo1x. The device is now connected using TLS.

    

12. On ISE, go to Operations > Authentications. The events would show the series in which the device is connected to the open guest network, and then goes through the registration process with supplicant provisioning, finally allowing permit access after registration.

    

13. Go to ISE > Administration > Identity Management > Groups > Endpoint Identity Groups > RegisteredDevices. The MAC address would have been added to the database.

    

Single SSID

This section pertains to Single SSID and describes how to connect directly to 802.1x WLAN, provide AD username/password to authenticate with PEAP, and provision via guest and provisioning then reconnect with TLS.

Complete these steps:

1. If using the same iOS device, remove the endpoint from the Registered Devices.

   

2. On the iOS device, go to Settings > Generals > Profiles. Remove the profiles installed in this test. As an example, these profiles were installed in a previous setup:

   

3. Click Remove in order to remove them.

   

   

4. Use the existing (cleared) device, or, with a new iOS device, connect directly to the 802.1x.

5. Connect to Dot1x, enter a Username and Password, and click Join.

   

6. Repeat Step 90 from the ISE Configuration section onwards, until the appropriate profiles have been installed completely.

7. Go to ISE > Operations > Authentications in order to monitor the process. Here is an example of the client connected directly to 802.1X WLAN, is provisioned, disconnects, and reconnects to the same WLAN using TLS:

   

8. If you check the WLC > Monitor > [Client MAC], from the client detail, you will see that the client is in the RUN state, its Data Switching is set to local, with Authentication being Central This is true for clients connecting to FlexConnect AP.

   

User Experience - Provisioning Android

Dual SSID

This section pertains to Dual SSID, including connecting to the guest to be provisioned, and then to a 802.1x WLAN.

Connecting the Android device is very similar to the iOS device (single or dual SSID), the difference being that the Android device requires access to the Internet to access Google Marketplace (or updated as Google Play) in order to download the supplicant agent.

Complete these steps:

1. In the Android device (such as this one, the Samsung Galaxy), connect via Wi-Fi to DemoCWA, and open the guest WLAN.

   

2. Accept any certificate in order to connect to the ISE.

   

3. Enter a Username and Password at the Guest Portal in order to log in.

   

4. Click Register, and the device attempts to reach the Internet in order to access Marketplace. Add any additional rules to the Pre-Auth ACL (for example, ACL-REDIRECT) in the controller in order to allow access to the Internet.

   

5. If reachable, Google lists the Android App Cisco Network Setup. Click INSTALL.

   

6. Sign in to Google, and click INSTALL.

   

7. Click OK.

   

8. On the Android device, navigate to the installed app Cisco SPW. Open this app.

   

9. Make sure that you are still logged in to the guest portal from your Android Device.

10. Click Start in order to start the assistant.

    

11. The Cisco SPW will begin to install certificates.

    

12. When prompted, set the password for credential storage.

    

13. Cisco SPW returns with a certificate name which contains the user key and certificate. Click OK in order to confirm.

    

14. Cisco SPW will continue and prompt another certificate name (such as the one depicted here), which contains the CA certificate. Click OK in order to continue.

    

15. The Android device is connected.

    

My Devices Portal

My Devices Portal allows a user to blacklist previously registered device(s) in the event if a device is lost/stolen. It also allows users to re-enlist if needed.

Complete these steps:

1. In order to log in to My Devices Portal, open a browser, connect to https://ise-server:8443/mydevices (note the port number 8443), log in with an AD account.

   

2. Locate the device under Device ID, and click Lost? in order to initiate blacklisting of a device.

   

3. When ISE prompts a warning, click Yes.

   

4. ISE will confirm successfully marking the device as lost.

   

5. Any attempt to connect to the network using the previously registered device will be blocked, even if there is a valid certificate installed. Here is an example of a blacklisted device that is failing authentication:

   

6. An administrator can go to ISE > Administration > Identity Management > Groups, click Endpoint Identity Groups > Blacklist, and see the device being blacklisted.

   

7. In order to reinstate a blacklisted device, from the My Devices Portal, click Reinstate for that device.

   

8. When ISE prompts a warning to proceed, click Yes.

   

9. ISE will confirm that the device has been successfully reinstated. You can repeat the test of connecting the reinstated device back to the network. This time, the device will be permitted.

   

Reference - Certificates

In addition to requiring a valid CA root certificate, ISE needs a valid certificate signed by CA.

Complete these steps:

1. Go to ISE > Administration > System > Certificates, click Local Certificates, and click Add.

   

2. Select Generate Certificate Signing Request (CSR).

   

3. Enter the Certificate Subject CN=<ISE-SERVER hostname.FQDN>. Everything else is default or whatever is required by your CA setup.

   

4. ISE verifies that the CSR was generated.

   

5. In order to access the CSR, click the Certificate Signing Requests operations.

   

6. Select the CSR recently created, and Export it to a file.

   

7. ISE exports this to a .pem file. Save this to the local machine.

   

8. Locate and open the ISE certificate file with a text editor.

   

9. Copy the entire content of the certificate.

   

10. Connect to the CA server (in this example, an MS 2008 CA via https://CA/certsrv), and log in with an administrator account.

    

11. Click Request a certificate.

    

12. Click advanced certificate request.

    

13. Click Submit a certificate request by using a base….

    

14. Paste the content from the ISE cert .pem file into the saved request field, make sure the Certificate Template is Web Server, and click Submit >.

    

15. Click Download certificate.

    

16. Save this certnew.cer. This will be used to bind with ISE later.

    

17. From ISE Certificates, go to Local Certificates, click Add > Bind CA Certifcate.

    

18. Browse to the certificate that was saved to the local machine in the previous step, and complete these steps:

    1. Enable Protocol: EAP and Management Interface (both checked)

    2. Click Submit.

    3. ISE may take a moment to restart services (several minutes or more).

    

19. Go back to the landing page of the CA (https://CA/certsrv/), and click Download a CA certificate, certificate chain, or CRL.

    

20. Click Download CA certificate.

    

21. Save this to the local machine.

    

22. With the ISE server online, go to Certificates, and click Certificate Authority Certificates.

    

23. Click Import.

    

24. Browse for the CA certificate, select Trust for client authentication (checked), and click Submit.

    

25. Confirm that the new trusted CA certificate is added.

    

Cisco Support Community - Featured Conversations

Related Information

• Cisco Identity Services Engine Hardware Installation Guide, Release 1.0.4
• Cisco 2000 Series Wireless LAN Controllers
• Cisco 4400 Series Wireless LAN Controllers
• Cisco Aironet 3500 Series
• Flex 7500 Wireless Branch Controller Deployment Guide
• Bring Your Own Device - Unified Device Authentication and Consistent Access Experience
• Wireless BYOD with Identity Services Engine
• Technical Support & Documentation - Cisco Systems