How to Configure ISE for Device Onboarding on a BYOD Network

This document describes how to onboard mobile devices via ISE for a BYOD network.  The network has Wireless LAN Controllers (WLCs) on the internal network that are configured with Mobility Anchors to WLCs in the DMZ.  Users will connect to the BYOD wlan.  If the mobile device does not have a certificate, the user will be prompted to enter their Active Directory Username and Password.  Once they navigate to a web page, the user will be redirected to the BYOD Portal.  The BYOD Portal will walk the user through the process of onboarding their device, which will configure the WLAN profile and install a certificate on their device.  Once they complete the onboarding process, ISE will initiate a Change of Authorization (CoA).  This will deauthenticate the client and they will immediately re-associate to the wlan.  However, this time they will have the certificate, and be granted access to the network.

The scope of this document is limited to configuring the onboarding process.  It assumes that ISE is already up and running, configured with certificates, and integrated with Active Directory.

802.1X authentications are made from the foreign or internal controller.  However, clients (which are anchored in the DMZ) will need to be able to access the ISE Portal web page as well as resolve internal DNS names.  Please keep that in mind for any firewall changes that may need to be made.

Note* Android devices will have to log into Google Play and download Cisco Network Setup Assistant before onboarding their device with this method.

Here is a basic outline:

  • Configure the Native Supplicant Profile that gets pushed to the client
  • Configure the BYOD Portal that handles the onboarding
  • Create Authentication Policy that allows users to log in
  • Configure Authorization Policy that permits access to resources
  • Configure ACLs on WLC, which handles the redirection to the BYOD Portal
  • Allow clients access to the BYOD Portal through the firewall, depending on your setup

 

Configure the Certificate Template

This will be the ISE self-signed certificate that is pushed to the mobile device.

Administration > System > Certificates > Certificate Authority > Certificate Templates

Highlight EAP_Authentication_Certificate_Template and Click Duplicate

Enter a name (BYOD_EAP_Authentication_Certificate_Template)

Edit the Organizational Unit and Organization

Set SCEP RA Profile to ISE Internal CA

Click Submit

 

Add a Native Supplicant Profile

This is the wireless profile the device will use to connect to the wlan once the device is onboarded.

Policy > Policy Element > Results > Client Provisioning > Resources

Click Add > Native Supplicant Profile

Enter a Name (BYOD_EAP_TLS_NSP)

Click Add under Wireless Profile

Enter the SSID

Set Security to WPA2 Enterprise

Set Allowed Protocol to TLS

Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template

Click Submit

 

Configure the Client Provisioning Policy

This determines which Native Supplicant Profile gets installed on which type of device.

Policy > Client Provisioning

Edit each type of device with the Native Supplicant Profile that you created earlier

(Set Results to BYOD_EAP_TLS_NSP)

Click Save

 

Configure the BYOD Portal

This is the web page the user is redirected to in order to “onboard” their device.

Administration > Device Portal Management > BYOD

Click Create

Enter a Portal Name (BYOD WEB PAGE)

You can pretty much use the default settings unless you wish to customize.

 

Configure Certificate Authentication Profile as External Identity Source

Administration > Identity Management > External Identity Sources > Certificate Authentication Profile

Click Add

Enter a Name (For instance, wifiworkshop_Cert_CommonName)

Set Use Identity from “Subject – Common Name”

Click Save

 

Configure Active Directory External Identity Source

Administration > Identity Management > External Identity Sources > Active Directory

Click Add

Enter the Join Point Name (For instance, wifiworkshop_AD)

Enter the Active Directory Domain

Click Submit

Once the Join Point is created, Click the Groups Tab

Add AD Groups of users who will be allowed to onboard their device.

 

Create an Authentication Policy

Note* This assumes you are using a Policy Set named Wireless Devices.  Policy Sets can be configured from Administration > System > Settings > Policy Sets

Policy > Policy Sets > Wireless Devices

Create an Authentication Policy above the default rule

Set the Condition to Radius:Called-Station-ID equals SSID

Set the Allowed Protocols to Default Network Access

Note* You really only need EAP-TLS or PEAP.  You can create a custom Allowed Protocols List from Policy > Policy Elements > Results > Authentication > Allowed Protocols

Click the drop-down arrow next to Actions and Insert Row Above the Default Rule

Click the Expression Builder next to the Condition (looks like two windows)

Set Network Access:AuthenticationMethod EQUALS x509_PKI to use “wifiworkshop_Cert_CommonName”

Click the drop-down arrow next to Actions and Insert Row Above the Default Rule

Click the Expression Builder next to the Condition (looks like two windows)

Set Network Access:AuthenticationMethod EQUALS MSCHAPv2 to use “wifiworkshop_AD”

Set the Default Rule to Deny Access

 

Create the Authorization Profile

Work Centers > BYOD > Policy Elements > Results > Authorization Profiles

Click Add

Enter a Name (BYOD_NSP_AuthZ_Profile)

Select Web Redirection (CWA, MDM, NSP, CPP)

Set it to Native Supplicant Provisioning

Manually type in BYOD_REDIRECT for the ACL

(You’ll create the ACL on the WLC later)

Set the Value BYOD WEB PAGE

 

Create a Specific Authorization Profile for Android Devices

Work Centers > BYOD > Policy Elements > Results > Authorization Profiles

Click Add

Enter a Name (BYOD_NSP_Google_AuthZ_Profile)

Select Web Redirection (CWA, MDM, NSP, CPP)

Set it to Native Supplicant Provisioning

Manually type in BYOD_Google_REDIRECT for the ACL

(You’ll create the ACL on the WLC later)

Set the Value BYOD WEB PAGE

 

Create a Specific Authorization Policy for Android Devices

Work Centers > BYOD > Policy Sets

Create a new Authorization Policy Rule above the default rule

Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android

Set Permissions to BYOD_NSP_Google_AuthZ_Profile

 

Create the Authorization Policy for other devices (iOS, Windows, etc.)

Work Centers > BYOD > Policy Sets

Create a new Authorization Policy Rule above the default rule

Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2

Set Permissions to BYOD_NSP_AuthZ_Profile (the Authorization Profile created earlier)
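The authentication and authorization rules above are order-sensitive: ISE evaluates them top-down and takes the first match, so the Android-specific rule has to sit above the generic MSCHAPv2 rule. The model below is an added example (not ISE code) that mirrors this guide's rules with constructed session attributes; the identity source and profile names are the ones used in this guide.

```python
"""Model of this guide's ISE policy-set ordering (added example, not ISE code).
Session attributes are constructed dictionaries keyed like the guide's conditions."""

AUTHN_METHOD = "Network Access:AuthenticationMethod"
DEVICE_OS = "Session:Device-OS"

# Authentication rules inserted above the default rule, evaluated top-down:
# (AuthenticationMethod value, identity source to use)
AUTHN_RULES = [
    ("x509_PKI", "wifiworkshop_Cert_CommonName"),  # onboarded devices with a certificate
    ("MSCHAPv2", "wifiworkshop_AD"),                # not-yet-onboarded devices, AD credentials
]

def authenticate(session):
    """Return the identity source for the session, or 'DenyAccess' (the default rule)."""
    for method, source in AUTHN_RULES:
        if session.get(AUTHN_METHOD) == method:
            return source
    return "DenyAccess"

def android_rule(session):
    return session.get(AUTHN_METHOD) == "MSCHAPv2" and session.get(DEVICE_OS) == "Android"

def other_devices_rule(session):
    return session.get(AUTHN_METHOD) == "MSCHAPv2"

# Authorization rules in the guide's order: the Android-specific rule sits above
# the generic MSCHAPv2 rule, otherwise Android clients would never reach it.
AUTHZ_RULES = [
    (android_rule, "BYOD_NSP_Google_AuthZ_Profile"),
    (other_devices_rule, "BYOD_NSP_AuthZ_Profile"),
]

def authorize(session, rules=AUTHZ_RULES):
    """First match wins. None means the session falls through to the default
    authorization rule, which this guide does not configure."""
    for condition, profile in rules:
        if condition(session):
            return profile
    return None

def onboarding_decision(session, rules=AUTHZ_RULES):
    """Authentication first; a session denied there never reaches authorization."""
    source = authenticate(session)
    if source == "DenyAccess":
        return ("DenyAccess", None)
    return (source, authorize(session, rules))
```

Swapping the two authorization rules (pass `list(reversed(AUTHZ_RULES))`) sends Android devices to the generic profile, which is the misconfiguration the rule ordering in this guide avoids.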

 

Add the ACL to the WLC

On the WLC, deny statements in a redirect ACL are what trigger the redirect. Create permit statements for traffic to the Policy Service Nodes and DNS so that it is not redirected, with a rule for each direction, and deny web traffic so that it is redirected to the BYOD Portal.

Log into the WLC

Security > Access Control Lists > Access Control Lists

Click New

Name it BYOD_REDIRECT (or whatever you manually named the ACL in the Authorization Profile)

Click on the BYOD_REDIRECT ACL and click Add New Rule

Create Rule to permit all traffic outbound from the controller

Create Rule to permit TCP traffic on 8443 to all Policy Service Nodes

Create Rule to permit UDP traffic to DNS

Create Rule to permit UDP traffic to DHCP (I believe DHCP is allowed by default, so you may not need this rule.)

Deny all other traffic (to be redirected)

Save Configuration
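To check that the rule set above behaves as intended before rolling it out to every controller, the following added example (not Cisco WLC or ISE code) models the BYOD_REDIRECT ACL with first-match semantics. The PSN, DNS and client addresses are constructed placeholders; the port numbers are the ones this guide uses.

```python
"""Model of the WLC redirect ACL from this guide (added example, not Cisco or ISE
code). On a redirect ACL, permitted traffic is forwarded; traffic hitting a deny is
intercepted so the client can be redirected to the BYOD portal."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "permit" = forward, "deny" = intercept/redirect
    direction: str         # "in" (client to network), "out" (network to client), "any"
    protocol: str          # "any", "tcp" or "udp"
    destination: str       # CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port

# BYOD_REDIRECT as the guide builds it: permit PSN 8443, DNS and DHCP, deny the rest.
BYOD_REDIRECT = [
    Rule("permit", "out", "any", "any", None),          # everything back toward the client
    Rule("permit", "in", "tcp", "10.0.0.11/32", 8443),  # ISE PSN 1 (constructed address)
    Rule("permit", "in", "tcp", "10.0.0.12/32", 8443),  # ISE PSN 2 (constructed address)
    Rule("permit", "in", "udp", "10.0.0.53/32", 53),    # internal DNS (constructed address)
    Rule("permit", "in", "udp", "any", 67),             # DHCP to any server
    Rule("deny", "any", "any", "any", None),            # all other traffic -> redirect
]

def evaluate(acl, direction, protocol, dst_ip, dport):
    """First-match evaluation; returns 'forward' or 'deny'."""
    for rule in acl:
        if rule.direction not in ("any", direction):
            continue
        if rule.protocol not in ("any", protocol):
            continue
        if rule.destination != "any" and ip_address(dst_ip) not in ip_network(rule.destination):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return "forward" if rule.action == "permit" else "deny"
    return "deny"  # no explicit match: the WLC's implicit deny applies

def client_outcome(acl, protocol, dst_ip, dport):
    """Outcome for a client-originated flow: 'forward', 'redirect' or 'drop'."""
    if evaluate(acl, "in", protocol, dst_ip, dport) == "forward":
        return "forward"
    # Only web traffic hitting a deny is intercepted and redirected to the portal
    # (HTTPS only if HTTPS redirect is enabled on the WLC); other denied traffic is dropped.
    return "redirect" if protocol == "tcp" and dport in (80, 443) else "drop"
```

A quick way to catch a typo in the PSN address or port: assert that `client_outcome(BYOD_REDIRECT, "tcp", <psn>, 8443)` returns `"forward"` for every PSN before copying the ACL to the other controllers.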

 

Repeat this process on all of your controllers.  Creating ACLs in the WLC GUI is very time consuming.  Once you’ve created the ACL on the first WLC, you can copy and paste from the CLI.

To Copy and Paste ACL from WLC CLI:

Log into the WLC CLI

Enter the following command:

grep include acl "show run-config commands"

Copy and paste all commands from one controller to another.

Note* Must be in config mode to paste into new controller.

save config

 

Configure the Firewall for BYOD Clients

BYOD clients will need to be able to resolve internal host records in DNS, especially the ISE Policy Service Nodes.

BYOD clients will also need to be able to access the ISE PSNs on port 8443 in order to display the onboarding web page.

Any additional resources on your internal network that you want BYOD clients to access will need to be opened up on the firewall as well.