Configure ISE: BYOD Wireless Network

Categories Cisco, ISE, Wireless
  • Configure a native supplicant profile for wireless clients
  • Configure a BYOD Portal for onboarding
  • Create the authentication policy that allows users to log in
  • Configure authorization policy that permits access to resources
  • Configure ACLs on WLC

Users will connect to the BYOD WLAN. If the mobile device does not have a certificate, the user is prompted for their Active Directory username and password (PEAP with MSCHAPv2) and is redirected to the BYOD portal to onboard. Once onboarding completes and the device has enrolled a certificate from the ISE internal CA, ISE initiates a Change of Authorization (CoA). This disconnects the client, which immediately re-associates to the WLAN using the new certificate (EAP-TLS).

Certificate Template

This is the template the ISE internal CA uses for the certificate it issues to each client during onboarding on the SSID “MGMT”.

  • Go to: Administration > System > Certificates > Certificate Authority > Certificate Templates
  • Select EAP_Authentication_Certificate_Template and Click Duplicate
  • Enter the name BYOD_EAP_Authentication_Certificate_Template
  • Edit the Organizational Unit and Organization
  • Set SCEP RA Profile to ISE Internal CA
  • Click Submit

Native Supplicant Profile

This is the wireless profile the device will use to connect to the WLAN once the device is onboarded.

  • Go to: Policy > Policy Elements > Results > Client Provisioning > Resources
  • Click Add > Native Supplicant Profile
  • Enter a Name (BYOD_EAP_TLS_NSP)
  • Click Add under Wireless Profile
  • Enter the SSID
  • Set Security to WPA2 Enterprise
  • Set Allowed Protocol to TLS
  • Set Certificate Template to BYOD_EAP_Authentication_Certificate_Template
  • Click Submit

Client Provisioning Policy

  • This determines which Native Supplicant Profile gets installed on which type of device.
  • Policy > Client Provisioning
  • Edit each device type (Apple iOS, Android, Windows, macOS) so that its Result is the Native Supplicant Profile you created earlier
  • (Set Results to BYOD_EAP_TLS_NSP)
  • Click Save

BYOD Portal

  • This is the web page the user is redirected to in order to “onboard” their device.
  • Administration > Device Portal Management > BYOD
  • Click Create
  • Enter a Portal Name (BYOD WEB PAGE)
  • Use the default settings.

Certificate Authentication Profile (External Identity Sources)

  • Administration > Identity Management > External Identity Sources > Certificate Authentication Profile
  • Click Add
  • Enter a Name (Ge_Cert_CommonName)
  • Set Use Identity from “Subject – Common Name”
  • Click Save

Active Directory External Identity Source

  • Administration > Identity Management > External Identity Sources > Active Directory
  • Click Add
  • Enter the Join Point Name (For instance, wifiworkshop_AD)
  • Enter the Active Directory Domain
  • Click Submit
  • Once the Join Point is created, Click the Groups Tab
  • Add AD Groups of users who will be allowed to onboard their device.

Authentication Policy

  • Policy > Policy Sets > Wireless Devices
  • Create an Authentication Policy rule above the default rule
  • Set the Condition to Radius:Called-Station-ID contains the SSID name (Mgmt); the WLC appends the SSID to the Called-Station-ID
  • Set the Allowed Protocols to Default Network Access
  • For Network Access:AuthenticationMethod EQUALS x509_PKI, set the identity source to “Ge_Cert_CommonName” (devices that have already onboarded authenticate with their certificate)
  • Click the drop-down arrow next to Actions and Insert Row Above the Default Rule
  • For Network Access:AuthenticationMethod EQUALS MSCHAPv2, set the identity source to your Active Directory join point (“Ge” in the original; wifiworkshop_AD in the example above) so the user's AD credentials are checked
  • Set the Default Rule to Deny Access

Authorization Profile

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_AuthZ_Profile)
  • Check Web Redirection (CWA, MDM, NSP, CPP)
  • Set the redirection type to Native Supplicant Provisioning
  • In the ACL field enter BYOD_REDIRECT (this is the name of the redirect ACL you will create on the WLC later; the two names must match exactly)
  • Set Value to the BYOD portal (BYOD WEB PAGE)

Authorization Profile for Android Devices

  • Work Centers > BYOD > Policy Elements > Results > Authorization Profiles
  • Click Add
  • Enter a Name (BYOD_NSP_Google_AuthZ_Profile)
  • Check Web Redirection (CWA, MDM, NSP, CPP)
  • Set the redirection type to Native Supplicant Provisioning
  • Manually type in BYOD_Google_REDIRECT for the ACL
  • (You'll create the ACL on the WLC later. Android gets its own ACL because the Network Setup Assistant is installed from Google Play, so that ACL must also permit the Play Store.)
  • Set Value to the BYOD portal (BYOD WEB PAGE)

Authorization Policy for Android Devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy rule above the default rule
  • Set the Condition to Network Access:AuthenticationMethod EQUALS MSCHAPV2 AND Session:Device-OS EQUALS Android
  • Set Permissions to BYOD_NSP_Google_AuthZ_Profile
  • This rule must sit above the rule for all other devices; both match MSCHAPv2, and rules are evaluated top down

Authorization Policy for all other devices

  • Work Centers > BYOD > Policy Sets
  • Create a new Authorization Policy rule below the Android rule and above the default rule
  • Set the Condition to Network Access:AuthenticationMethod EQUALS MSCHAPV2
  • Set Permissions to BYOD_NSP_AuthZ_Profile
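The following is an added illustration of the RADIUS exchange the policies above produce; it is constructed for this page, not a capture from the original post, and is meant to show what to look for in ISE Live Logs and in show client detail on the WLC. The user name jdoe, the FQDNs and the session identifiers are placeholders. The url-redirect-acl and url-redirect cisco-av-pairs and the audit-session-id / subscriber:command CoA attributes are the standard Cisco attributes used for NSP redirection; the exact query string of the redirect URL varies by ISE version.

```text
# Constructed illustration; placeholders in <angle brackets>, user "jdoe" is assumed.

# 1. First association: the device has no certificate, so PEAP / MSCHAPv2 against AD
WLC -> ISE   Access-Request
               User-Name         = jdoe
               Called-Station-Id = <ap-radio-mac>:MGMT      (matches "Called-Station-ID contains Mgmt")
               EAP-Message       = <PEAP / MSCHAPv2>
# AuthC rule: AuthenticationMethod EQUALS MSCHAPv2 -> Active Directory join point
# AuthZ rule: MSCHAPV2 (plus Session:Device-OS EQUALS Android on the Android rule)
ISE -> WLC   Access-Accept
               cisco-av-pair = url-redirect-acl=BYOD_REDIRECT            (BYOD_Google_REDIRECT for Android)
               cisco-av-pair = url-redirect=https://<psn-fqdn>:8443/portal/gateway?sessionId=<session-id>&portal=<portal-id>&action=nsp

# 2. Client HTTP/HTTPS hits a deny in the redirect ACL, so the WLC sends it to the BYOD portal.
#    The portal delivers the native supplicant profile (BYOD_EAP_TLS_NSP) and the device
#    enrolls a certificate from the ISE internal CA (BYOD_EAP_Authentication_Certificate_Template) over SCEP.

# 3. ISE tells the WLC to drop or re-authenticate the session (which one depends on the CoA type configured)
ISE -> WLC   CoA-Request
               Calling-Station-Id = <client-mac>
               cisco-av-pair      = audit-session-id=<session-id>
               cisco-av-pair      = subscriber:command=reauthenticate
WLC -> ISE   CoA-ACK

# 4. Second association: EAP-TLS with the newly issued certificate
WLC -> ISE   Access-Request
               Called-Station-Id = <ap-radio-mac>:MGMT
               EAP-Message       = <EAP-TLS, client certificate with Subject CN=jdoe>
# AuthC rule: AuthenticationMethod EQUALS x509_PKI -> Ge_Cert_CommonName (identity taken from Subject CN)
# AuthZ rule: the rule that permits access to resources; no url-redirect attributes this time
ISE -> WLC   Access-Accept
```

If a client stays stuck on the portal after onboarding, the two things to check are the CoA (ISE Live Logs should show a CoA sent and acknowledged, and the WLC must list the PSN as a RADIUS server with CoA support enabled) and the second Access-Request, which must hit the x509_PKI authentication rule rather than falling through to Deny Access.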

Add the ACL to the WLC

  • On the WLC a redirect ACL works the opposite way from a normal ACL: deny statements trigger the redirect, permit statements let traffic through untouched. Create permit statements for traffic to the Policy Service Nodes and to DNS (so they are not redirected), with a rule for each direction where needed, and deny web traffic so it gets redirected to the BYOD Portal.
  • Log into the WLC
  • Security > Access Control Lists > Access Control Lists
  • Click New
  • Name it BYOD_REDIRECT (or whatever you manually typed in the ACL field of the Authorization Profile; the names must match exactly)
  • Click on the BYOD_REDIRECT ACL and click Add New Rule
  • Create a rule to permit all traffic outbound (from the network toward the client)
  • Create a rule to permit TCP traffic on port 8443 to all Policy Service Nodes
  • Create a rule to permit UDP traffic to DNS
  • Create a rule to permit UDP traffic to DHCP (DHCP is normally allowed by default, so you may not need this rule)
  • Deny all other traffic (this is what gets redirected)
  • If you used a separate ACL for Android (BYOD_Google_REDIRECT), build it the same way but also permit the Google Play destinations, since Android installs the Network Setup Assistant from the Play Store
  • Save Configuration
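As an added example, not from the original post, here is the same BYOD_REDIRECT ACL entered from the AireOS CLI instead of the GUI, which makes the rule order and directions explicit. The PSN address 10.0.30.20 and the DNS server 10.0.30.10 are assumed for illustration; substitute your own. Protocol numbers are IANA (6 = TCP, 17 = UDP); direction in is client toward the network, out is network toward the client. Lines beginning with “!” are annotations for the reader, not WLC commands, so drop them before pasting.

```text
! Assumed addresses for illustration: PSN 10.0.30.20/32, DNS 10.0.30.10/32
config acl create BYOD_REDIRECT

! Rule 1: permit everything outbound (network -> client); only client-originated traffic is redirected
config acl rule add BYOD_REDIRECT 1
config acl rule action BYOD_REDIRECT 1 permit
config acl rule direction BYOD_REDIRECT 1 out

! Rule 2: client -> PSN on TCP 8443 (the portal itself must not be redirected)
config acl rule add BYOD_REDIRECT 2
config acl rule action BYOD_REDIRECT 2 permit
config acl rule direction BYOD_REDIRECT 2 in
config acl rule protocol BYOD_REDIRECT 2 6
config acl rule destination address BYOD_REDIRECT 2 10.0.30.20 255.255.255.255
config acl rule destination port range BYOD_REDIRECT 2 8443 8443

! Rule 3: client -> DNS on UDP 53 (the client must resolve the PSN FQDN in the redirect URL)
config acl rule add BYOD_REDIRECT 3
config acl rule action BYOD_REDIRECT 3 permit
config acl rule direction BYOD_REDIRECT 3 in
config acl rule protocol BYOD_REDIRECT 3 17
config acl rule destination address BYOD_REDIRECT 3 10.0.30.10 255.255.255.255
config acl rule destination port range BYOD_REDIRECT 3 53 53

! Rule 4: client -> DHCP server on UDP 67 (harmless if the WLC already allows DHCP implicitly)
config acl rule add BYOD_REDIRECT 4
config acl rule action BYOD_REDIRECT 4 permit
config acl rule direction BYOD_REDIRECT 4 in
config acl rule protocol BYOD_REDIRECT 4 17
config acl rule destination port range BYOD_REDIRECT 4 67 67

! Rule 5: everything else from the client is denied, which is what triggers the redirect to the BYOD portal
config acl rule add BYOD_REDIRECT 5
config acl rule action BYOD_REDIRECT 5 deny
config acl rule direction BYOD_REDIRECT 5 any

config acl apply BYOD_REDIRECT
show acl detailed BYOD_REDIRECT
save config
```

Verify with show acl detailed BYOD_REDIRECT, then associate a test device and run show client detail <client-mac>: a correctly redirected client shows BYOD_REDIRECT as its redirect ACL together with the ISE redirect URL. If the ACL name in the Authorization Profile does not match an ACL on the WLC, the WLC applies no redirect and the client simply gets no access, so a name mismatch is the first thing to check when the portal never appears.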

Joining a 2702i Cisco AP to Virtual WLC on 8.10

Categories Cisco, Wireless

Issue

  • From the WLC GUI the AP is stuck in downloading state.
  • While consoled into the access point we can see the following errors in the console output.
 ERROR: Image is not a valid IOS image archive.
 Download image failed, notify controller!!! From:7.6.100.0 to 0.0.0.0, FailureCode:3  

 *Feb 13 15:48:34.219: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.30.50
 perform archive download capwap:/ap3g2 tar file
 *Feb 13 15:48:34.223: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
 *Feb 13 15:48:34.223: Loading file /ap3g2... 

Resolution

  • Root cause: 8.5 and later versions need to use c3700 / cx700 to join. An AP running code older than 8.5 (here 7.6.100.0, as the console output shows) cannot take the controller's image directly; you first upgrade it to the ap3g2 recovery image over TFTP, and it can then upgrade to c3700 from the controller.
  • After that, the AP joins the WLC successfully.

TFTP Server

  • For my TFTP server I am using a Synology NAS and running the TFTP Service:
  • How to setup Synology NAS TFTP

Cisco AP Process

  • Power the AP off, then press and hold the Mode button.
  • Keep the Mode button held down while powering the AP back on.
  • Continue holding the Mode button until the AP's status LED goes solid red.
  • Once the LED is solid red, release the button and connect to the AP with your console cable; you will be at the ap: prompt.

Commands

  • set IP_ADDR <AP IP ADDRESS>
  • set NETMASK <SUBNET MASK>
  • set DEFAULT_ROUTER <GATEWAY IP>
  • tftp_init
  • ether_init
  • flash_init
  • tar -xtract tftp://<TFTP SERVER IP>/<.TAR FILE> flash:
  • set BOOT flash:/<EXTRACTED IMAGE> (the image the tar extracted into flash, not the .tar file itself)
  • boot (or power-cycle the AP)

Example

set IP_ADDR 10.0.30.53
set NETMASK 255.255.255.0
set DEFAULT_ROUTER 10.0.30.1
tftp_init
ether_init
flash_init
tar -xtract tftp://10.0.30.14/ap3g2-rcvk9w8-tar.153-3.JF10.tar flash:
set BOOT flash:/ap3g2-rcvk9w8-mx
boot
  • My TFTP server is 10.0.30.14; the AP gets 10.0.30.53 on a /24 with gateway 10.0.30.1.
  • tftp_init, ether_init and flash_init initialize the TFTP, Ethernet and flash services on the AP.
  • The tar command pulls the file from the TFTP server's root directory (the file is named ap3g2-rcvk9w8-tar.153-3.JF10.tar) and extracts it into the AP's flash.
  • ***DURING THE TAR EXTRACT PROCESS CONTINUE TO HIT THE SPACE BAR EVERY 1 TO 2 SECONDS*** otherwise you can receive a premature error.
  • Set the boot file location, boot the AP and let it sit for about 5 minutes after it finishes booting the new image; it should then show up on the WLC in a Registered state.

WLC GUI – AFTERMATH

  • Now we can update the AP name and location and set a static IP for the device.
  • Hard-code the controllers (primary/secondary) on the AP.
  • The Access Point has now been upgraded and is registered to the Virtual Wireless LAN Controller.