Configure ISE: BYOD Wireless Network

  • Configure a native supplicant profile for wireless clients
  • Configure a BYOD Portal for onboarding
  • Create the authentication policy that allows users to log in
  • Configure authorization policy that permits access to resources
  • Configure ACLs on WLC

Users will connect to the BYOD WLAN. If the mobile device does not have a certificate, the user will be prompted to enter their Active Directory username and password. Once they complete the onboarding process, ISE will initiate a Change of Authorization (CoA). This disconnects the client, which immediately re-associates to the WLAN using the new certificate.

Certificate Template

This is the certificate that clients will download when attempting to connect to the SSID “MGMT”.

  • Go to: Administration > System > Certificates > Certificate Authority > Certificate Templates
  • Select EAP_Authentication_Certificate_Template and Click Duplicate
  • Enter the name BYOD_EAP_Authentication_Certificate_Template
  • Edit the Organizational Unit and Organization
  • Set SCEP RA Profile to ISE Internal CA
  • Click Submit

Native Supplicant Profile

This is the wireless profile the device will use to connect to the WLAN once the device is onboarded.

  • Go to: Policy > Policy Element > Results > Client Provisioning > Resources
  • Click Add > Native Supplicant Profile
  • Enter a Name (BYOD_EAP_TLS_NSP)
  • Click Add under Wireless Profile
  • Enter the SSID
  • Set Security to WPA2 Enterprise
  • Set Allowed Protocol to TLS
  • Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template
  • Click Submit

Client Provisioning Policy

This determines which Native Supplicant Profile gets installed on which type of device.

  • Policy > Client Provisioning
  • Edit each type of device with the Native Supplicant Profile that you created earlier (set Results to BYOD_EAP_TLS_NSP)
  • Click Save

BYOD Portal

This is the web page the user is redirected to in order to “onboard” their device.

  • Administration > Device Portal Management > BYOD
  • Click Create
  • Enter a Portal Name (BYOD WEB PAGE)
  • Use the default settings.

CA for External Identity Sources

  • Administration > Identity Management > External Identity Sources > Certificate Authentication Profile
  • Click Add
  • Enter a Name (Ge_Cert_CommonName)
  • Set Use Identity from “Subject – Common Name”
  • Click Save

Active Directory External Identity Source

  • Administration > Identity Management > External Identity Sources > Active Directory
  • Click Add
  • Enter the Join Point Name (For instance, wifiworkshop_AD)
  • Enter the Active Directory Domain
  • Click Submit
  • Once the Join Point is created, Click the Groups Tab
  • Add AD Groups of users who will be allowed to onboard their device.

Authentication Policy

  • Policy > Policy Sets > Wireless Devices
  • Create an Authentication Policy above the default rule
  • Set the Condition to Radius:Called-Station-ID contains Mgmt
  • Set the Allowed Protocols to Default Network Access
  • Set Network Access:AuthenticationMethod EQUALS x509_PKI to use “Ge_Cert_CommonName”
  • Click the drop-down arrow next to Actions and Insert Row Above the Default Rule
  • Set Network Access:AuthenticationMethod EQUALS MSCHAPv2 to use “Ge”
  • Set the Default Rule to Deny Access

Authorization Profile

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_AuthZ_Profile)
  • Select Web Redirection (CWA, MDM, NSP, CPP)
  • Set it to Native Supplicant Provisioning
  • Create an ACL named BYOD_REDIRECT
  • Set the Value BYOD WEB PAGE

Authorization Profile for Android Devices

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_Google_AuthZ_Profile)
  • Select Web Redirection (CWA, MDM, NSP, CPP)
  • Set it to Native Supplicant Provisioning
  • Manually type in BYOD_Google_REDIRECT for the ACL (you’ll create the ACL on the WLC later)
  • Set the Value BYOD WEB PAGE

Authorization Policy for Android Devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy Rule above the default rule
  • Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android
  • Set Permissions to BYOD_NSP_Google_AuthZ_Profile

Authorization Policy for all other devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy Rule above the default rule
  • Set the Condition to Network Access:Authentication Method EQUALS MSCHAPV2
  • Set Permissions to Ge_NSP_AuthZ_Profile

Add the ACL to the WLC

Deny statements in the ACL trigger the redirect on the WLC. Create permit statements so that traffic to the Policy Service Nodes and DNS is allowed through (not redirected), with a rule for each direction, and create deny statements for web traffic so that it gets redirected to the BYOD Portal.

  • Log into the WLC
  • Security > Access Control Lists > Access Control Lists
  • Click New
  • Name it BYOD_REDIRECT (or whatever you manually named the ACL in the Authorization Rule)
  • Click on the BYOD_REDIRECT ACL and click Add New Rule
  • Create a rule to permit all traffic outbound from the controller
  • Create a rule to permit TCP traffic on 8443 to all Policy Service Nodes
  • Create a rule to permit UDP traffic to DNS
  • Create a rule to permit UDP traffic to DHCP (I believe DHCP is allowed by default, so you may not need this rule.)
  • Deny all other traffic (to be redirected)
  • Save Configuration
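As an added example that is not part of the original walkthrough or any Cisco code, the following Python models the redirect ACL above so its rule order can be sanity-checked offline before it is applied to the WLC: the permit rules must sit above the final deny, and of the traffic that hits the deny only web traffic actually reaches the BYOD portal, everything else is dropped. The PSN, DNS and client addresses are constructed lab values.

```python
from dataclasses import dataclass

# Constructed lab values: your Policy Service Nodes and DNS servers go here.
PSN_NODES = {"10.0.0.11", "10.0.0.12"}
DNS_SERVERS = {"10.0.0.53"}
# Only denied web traffic is redirected: TCP 80, plus 443 where the WLC has
# HTTPS redirect enabled. Every other denied flow is simply dropped.
WEB_PORTS = {80, 443}

@dataclass(frozen=True)
class Flow:
    direction: str  # "in": client -> network, "out": controller -> client
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def build_redirect_acl():
    """The walkthrough's rules, in order, as (description, match, action)."""
    return [
        ("permit all outbound from controller", lambda f: f.direction == "out", "permit"),
        ("permit TCP 8443 to every PSN",
         lambda f: f.proto == "tcp" and f.dst_port == 8443 and f.dst_ip in PSN_NODES, "permit"),
        ("permit UDP DNS",
         lambda f: f.proto == "udp" and f.dst_port == 53 and f.dst_ip in DNS_SERVERS, "permit"),
        ("permit UDP DHCP", lambda f: f.proto == "udp" and f.dst_port in (67, 68), "permit"),
        ("deny everything else", lambda f: True, "deny"),
    ]

def evaluate(acl, flow):
    """First match wins, as on the WLC. Returns 'permit', 'redirect' or 'drop'."""
    for _desc, match, action in acl:
        if match(flow):
            if action == "permit":
                return "permit"
            return "redirect" if flow.proto == "tcp" and flow.dst_port in WEB_PORTS else "drop"
    return "drop"  # implicit deny when nothing matched

def audit(acl):
    """Compare the ACL with what onboarding needs; returns the mismatches."""
    expectations = [
        (Flow("in", "tcp", "10.0.0.11", 8443), "permit"),      # portal on a PSN
        (Flow("in", "udp", "10.0.0.53", 53), "permit"),        # name resolution
        (Flow("in", "udp", "255.255.255.255", 67), "permit"),  # DHCP discover
        (Flow("in", "tcp", "203.0.113.10", 80), "redirect"),   # any web site -> portal
        (Flow("in", "tcp", "10.0.0.11", 22), "drop"),          # SSH to a PSN is not needed
        (Flow("out", "tcp", "10.20.30.40", 50000), "permit"),  # return traffic to client
    ]
    return [(flow, want, evaluate(acl, flow))
            for flow, want in expectations if evaluate(acl, flow) != want]
```

Running `audit(build_redirect_acl())` returns an empty list for the rule order given above; moving the deny to the top, as happens when rules are added in the wrong sequence, makes the permit expectations fail.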