Step 2: Browse to Device management > Networks > Wifi and add two Wifi settings, one for the provisioning SSID and the other for EAP-TLS.
Server Certificate Authority: While configuring the EAP-TLS Wifi settings, if you are using an internal CA for EAP, the CA certificate chain must be uploaded to the admin console via Device Management > Network > Certificates. Once the CA chain is uploaded, it has to be mapped under Server Certificate Authority. If a third-party CA is being used, the CA chain does not have to be imported into the admin console; instead, select "Use any default Certificate Authority" from the Server Certificate Authority drop-down.
Issuer Pattern/Subject Pattern: At least one attribute from the Issuer pattern or the Subject pattern should match the corresponding attribute of the certificate installed on the device.
MAB SSID Wifi setting: Chrome-MAB
EAP-TLS SSID Wifi setting: Chrome-TLS
Step 3: Browse to Device Management > Chrome > User Settings > Apps and Extensions. Under Force-Installed Apps and Extensions, click Manage Force-Installed Apps, search for "Cisco Network Setup Assistant" in the Chrome Web Store and add it.
Step 1: Authentication rules for MAB and EAP-TLS.
Step 2: Creating Authorization profile for guest redirect and authorization rules for CWA and EAP-TLS.
Step 3: If a Subject pattern attribute was selected while creating the Wifi settings on the Google admin console, edit the certificate template so that it matches that attribute. In this example, "Organization" is being matched to "Cisco".
Certificate Template with Organization as Cisco
Step 4: Create or use a pre-existing NSP profile.
Step 5: Map the created NSP profile to a Client provisioning rule. Browse to Policy > Client provisioning.
Step 6: Enable BYOD under the Guest portal settings. Browse to Work Centers > Guest Access > Configure, select the guest portal and edit the BYOD settings. Enable "Allow Employees to use personal devices on the network".
Step 1: Create SSIDs for MAB and Dot1x matching the Wifi settings created on the admin console. In this example, "Chrome-MAB" is created for MAB with MAC filtering enabled and "Chrome-TLS" is created for 802.1X.
Step 2: Create the Redirect ACL:
If the Cisco Network Setup Assistant is pushed to the Chromebook out of band, the redirect ACL only needs to permit access to the DNS, DHCP and ISE servers. This is the typical case when the Chromebook is registered to the domain before it connects to the provisioning SSID. If instead the Cisco Network Setup Assistant is to be downloaded while connected to the provisioning SSID, the redirect ACL must also permit access to the DNS and ISE servers, the Google server whitelist and the Google domains.
Note: DNS-based ACLs are not supported in Foreign-Anchor scenarios or with FlexConnect local switching. For more information about DNS-based ACL restrictions, refer to this article: DNS Based ACL Restrictions
Redirect ACL if the Cisco Network Setup Assistant is downloaded before connecting to the provisioning SSID
Redirect ACL if the provisioning SSID is used to download the Cisco Network Setup Assistant. Add a URL-based ACL for the Google server whitelist and the Google domains.
Step 1: Log in to the Chromebook with a user that belongs to the domain created on the admin console.
If the device is already registered to that domain, it does not have to be wiped. If the device is registered to another domain, reset the device and register it to the new domain configured on the Google admin console.
During this test, the Cisco Network Setup Assistant was downloaded before connecting to the provisioning SSID.
Verify chrome://extensions to make sure the Cisco Network Setup Assistant is present in the extensions.
Step 2: Connect to the MAB Wifi setting: Chrome-MAB
Step 3: Browse to get redirected to the Guest portal page and enter the user credentials (the user has to exist in AD or as an ISE internal user).
Step 4: After successful guest authentication, the user is redirected to the BYOD portal. Click Start.
Step 5: Add a device name and click Continue.
Step 6: Click Yes when prompted to install the certificate.
Step 7: The certificate gets installed.
Step 8: Reconnect to the EAP-TLS SSID. In this example, it is Chrome-TLS.
Additional Use Case
Onboarding by connecting to PEAP SSID
The following steps include only the configuration that differs from "Onboarding by connecting to MAB SSID". For the remaining steps, refer to the configuration above.
Wifi Settings on Google admin console
Add a Wifi profile for the PEAP SSID
The ISE live logs show the first MAB request, followed by a successful Guest authentication and finally the EAP-TLS success.
On the client side, the user is connected to the Chrome-TLS SSID. The certificates can be verified.
Debugs on ISE
In order to review logs on ISE, change the logging level to debug for the following components:
ca-service, client-webapp, portal, portal-session-manager, provisioning, runtime-AAA and prrt-JNI.
Logs to review for the onboarding process: ise-psc.log and caservice.log
2016-06-30 15:33:57,009 DEBUG [http-bio-10.201.228.86-8445-exec-3] cisco.cpm.provisioning.cache.FlowStateCacheManager -:::john:- Initialized byod flow state for A4-C4-94-C5-1D-4A
2016-06-30 15:33:57,009 DEBUG [http-bio-10.201.228.86-8445-exec-3] cisco.cpm.provisioning.nsp.NSPProvisionRuntime -:::john:- BYODStatus:INIT
2016-06-30 15:34:03,475 DEBUG [http-bio-10.201.228.86-8445-exec-3] cpm.provisioning.admin.impl.ResourceManagerImpl -::::- CP:DEBUG Filename read = Cisco-ISE-Chrome-NSP.xml
2016-06-30 15:34:08,078 DEBUG [portal-http-service11] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Found incoming certifcate request for internal CA. Increasing Cert Request counter.
2016-06-30 15:34:08,120 DEBUG [portal-http-service11] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Key type is RSA, retrieving ScepCertRequestProcessor for caProfileName=ISE Internal CA
2016-06-30 15:34:08,121 INFO [portal-http-service11] com.cisco.cpm.scep.ScepCertRequestProcessor -::::- About to forward certificate request CN=john,OU=Example unit,O=Cisco,L=City,ST=State,C=US with transaction id Voz=qfw to server http://127.0.0.1:9444/caservice/scep
2016-06-30 15:34:09,664 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- Performing doGetCertInitial found Scep certificate processor for txn id Voz=qfw
2016-06-30 15:34:09,667 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Fetching the Certificate attributes to be added to an Endpoint.
2016-06-30 15:34:09,697 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertRequestValidator -::::- BYODStatus:COMPLETE_CERT_PROVISIONING
2016-06-30 15:34:09,709 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertRequestValidator -::::- Storing Endpoint Certificate in the Endpoint Certificate table. (mac a4:c4:94:c5:1d:4a)
2016-06-30 15:34:09,789 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- BYODStatus:COMPLETE_OTA_CWA
2016-06-30 15:34:08,160 DEBUG [caservice-http-94441441][scep job 16e8668cd9bf1081fbef07d951dfb11c631c7f19 0x4ff42b55 request] com.cisco.cpm.caservice.CrValidator -:::::- performing certificate request validation:
subject [CN=john,OU=Example unit,O=Cisco,L=City,ST=State,C=US]
2016-06-30 15:34:08,162 DEBUG [caservice-http-94441441][scep job 16e8668cd9bf1081fbef07d951dfb11c631c7f19 0x4ff42b55 request issuance] com.cisco.cpm.caservice.CertificateAuthority -:::::- CA SAN Extensions = GeneralNames:
2016-06-30 15:34:08,191 INFO [caservice-http-94441441][scep job 16e8668cd9bf1081fbef07d951dfb11c631c7f19 0x4ff42b55 request issuance] com.cisco.cpm.caservice.CertificateAuthority -:::::- issuing Certificate Services Endpoint Certificate:
class [com.cisco.cpm.caservice.CaResultHolder] : result: [CA_OK]
subject [C=US, ST=State, L=City, O=Cisco, OU=Example unit, CN=john]
validity [after [2016-06-29T15:34:08+0000] before [2018-06-30T15:34:08+0000]]
keyUsages [ digitalSignature nonRepudiation keyEncipherment ]
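The two things a troubleshooter pulls out of these debug lines are the BYODStatus progression (INIT, COMPLETE_CERT_PROVISIONING, COMPLETE_OTA_CWA) and the subject DN that the SCEP request carries, which is what the admin console Subject pattern (Step 3 above, Organization = Cisco) is compared against. The following Python is an added example, not part of the article or of ISE: it parses the ise-psc.log lines shown above (copied here as a constructed sample) and applies the article's "at least one attribute matches" rule; exact, case-sensitive value comparison is an assumption about how the admin console evaluates the pattern.

```python
import re

# Constructed sample: the ise-psc.log lines from the article that carry
# the BYOD flow state and the SCEP request, in the order they appear.
SAMPLE_LOG = """\
2016-06-30 15:33:57,009 DEBUG [http-bio-10.201.228.86-8445-exec-3] cisco.cpm.provisioning.nsp.NSPProvisionRuntime -:::john:- BYODStatus:INIT
2016-06-30 15:34:08,121 INFO [portal-http-service11] com.cisco.cpm.scep.ScepCertRequestProcessor -::::- About to forward certificate request CN=john,OU=Example unit,O=Cisco,L=City,ST=State,C=US with transaction id Voz=qfw to server http://127.0.0.1:9444/caservice/scep
2016-06-30 15:34:09,697 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertRequestValidator -::::- BYODStatus:COMPLETE_CERT_PROVISIONING
2016-06-30 15:34:09,789 DEBUG [portal-http-service13] cisco.cpm.provisioning.cert.CertProvisioningFactory -::::- BYODStatus:COMPLETE_OTA_CWA
"""

# The states a successful onboarding walks through, per the article's log.
EXPECTED_STATES = ["INIT", "COMPLETE_CERT_PROVISIONING", "COMPLETE_OTA_CWA"]


def parse_dn(dn):
    """Split an RFC 4514 style DN into {ATTR: value}. Only the
    backslash-comma escape is handled, which is enough for these logs."""
    out = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        out[key.strip().upper()] = value.strip().replace("\\,", ",")
    return out


def subject_matches(dn, pattern):
    """Article's rule: at least one configured Subject pattern attribute
    equals the same attribute in the certificate. Exact, case-sensitive
    comparison of the value is an assumption."""
    attrs = parse_dn(dn)
    return any(attrs.get(k.upper()) == v for k, v in pattern.items())


def byod_states(log):
    """Return the BYODStatus values in the order ISE logged them."""
    return re.findall(r"BYODStatus:(\w+)", log)


def requested_subject(log):
    """Return (subject DN, SCEP transaction id) of the forwarded request,
    or (None, None) if the client never reached the SCEP step."""
    m = re.search(r"forward certificate request (.+?) with transaction id (\S+) to server", log)
    return (m.group(1), m.group(2)) if m else (None, None)


def onboarding_ok(log, pattern):
    """True when the flow reached COMPLETE_OTA_CWA and the requested
    subject satisfies the admin console Subject pattern."""
    dn, _ = requested_subject(log)
    return byod_states(log) == EXPECTED_STATES and dn is not None and subject_matches(dn, pattern)
```

Note that caservice.log prints the same subject with the RDNs in reverse order (C=US first); parsing into attributes rather than comparing strings keeps the check independent of that ordering.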
For console logs on the Chromebook, type chrome://extensions in the browser. Check "Developer mode" at the top right, scroll down to the Cisco Network Setup Assistant section and click Inspect views: "background page" to open the logging console. Select the Console tab.
Useful Chromebook Browser Commands
chrome://extensions - To view the Cisco Network Setup Assistant and to collect console logs.
chrome://settings/certificates - To view certificates.
chrome://downloads - To open the Downloads folder.
1. The Chromebook rejects the ISE server certificate during EAP authentication. Error: "Authentication Certificate rejected Locally"
Solution: If the EAP certificate is issued by an internal CA, that CA certificate has to be mapped under Server Certificate Authority while creating the Wifi settings on the admin console. If the internal CA certificate is not mapped, the Chromebook only checks against the root certificates that are present by default.
2. Unable to download the Cisco Network Setup Assistant, although the ACL allows the required access.
Solution: The user has to be part of the domain. Verify that the user belongs to the domain by logging in to the admin console.