Lab Guide Ise 1 2 Byod Mdm


  • 8/10/2019 Lab Guide Ise 1 2 Byod Mdm

    1/55

    Lab Overview

    ISE_1.2_BYOD_Lab_Guide.docx 9/30/13 6:05 PM Page 1 of 55

    Cisco ISE 1.2 BYOD Lab Guide

    Developers and Lab Proctors

    This lab was created by SAMPG TME teams.

    Lab Overview

    This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE) in a Bring Your Own Device (BYOD) environment. It covers the configuration of Cisco ISE 1.2 to address the common requirements for BYOD and for integration with third-party MDM servers. Students will be introduced to the ISE My Devices Portal, which enables employees to self-manage their devices. Students will experience the ISE dual-SSID onboarding configuration and the optional single-SSID configuration to provision an Apple iPad, and will learn how to manage their own devices in the My Devices Portal by testing the blacklist and corporate wipe features. The BYOD feature of ISE 1.2 requires an Advanced License.

    Lab participants should be able to complete the lab within the allotted time of 3 hours.

    Lab Exercises

    This lab guide includes the following exercises:

    Lab Exercise 1 : Configure My Devices Portal on ISE

    Lab Exercise 2 : Configure ISE for Single SSID Wireless BYOD configuration

    Lab Exercise 3 : Test and Verify the onboarding of a non-corporate Apple iPad

    Lab Exercise 4 : Test and Verify the Device Blacklisting function of My Devices Portal

    Lab Exercise 5 : Configure ISE for 3rd Party MDM integration.

    Lab Exercise 6 : MDM policy configuration on 3rd Party MDM Server.

    Lab Exercise 7 : Test and Verify 3rd party MDM integration onboarding of a non-corporate Apple iPad

    Lab Exercise 8 : Test and Verify the Corporate Wipe function on My Devices Portal


    Optional Exercise A : Configure ISE for Wired MAB-to-PEAP Onboarding

    Optional Exercise B : Test and Verify Wired MAB-to-PEAP Onboarding

    Product Overview: ISE

    Cisco Secure Access and TrustSec is the Borderless Network access control solution, providing visibility into and control over devices and users in the network. Within this solution, Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time information from the network, users, and devices. ISE then uses this information to make proactive governance decisions by enforcing policy across the network infrastructure utilizing built-in, standards-based controls.

    Lab Topology


    Lab IP and VLANs

    Internal IP Addresses

    Device                             Name/Hostname                              IP Address
    Access Switch (3560X)              3k-access.demo.local                       10.1.100.1
    Data Center Switch (3560CG)        3k-data.demo.local                         10.1.129.3
    Wireless LAN Controller (2504)     wlc.demo.local                             10.1.100.61
    Wireless Access Point (2602i)      ap.demo.local                              10.1.90.x/24 (DHCP)
    ASA (5515-X)                       asa.demo.local                             10.1.100.2
    ISE Appliance                      ise-1.demo.local                           10.1.100.21
    AD (AD/CS/DNS/DHCP)                ad.demo.local                              10.1.100.10
    MobileIron VSP                     mobileiron.demo.local                      10.1.100.15
    NTP Server                         ntp.demo.local                             128.107.212.175
    LOB Web                            lob-web.demo.local                         10.1.129.12
                                       portal.demo.local, updates.demo.local      10.1.129.8
                                       business.demo.local                        10.1.129.9
                                       it.demo.local                              10.1.129.10
                                       records.demo.local                         10.1.129.11
    LOB DB                             lob-db.demo.local                          10.1.129.20
    Admin (Management) Client          admin.demo.local                           10.1.100.6
    (also FTP Server)                  ftp.demo.local
    Windows 7 Client PC                w7pc-guest.demo.local                      10.1.50.x/24 (DHCP)

    Internal VLANs and IP Subnets

    VLAN   VLAN Name    IP Subnet       Description
    10     ACCESS       10.1.10.0/24    Authenticated users or access network using ACLs
    20     MACHINE      10.1.20.0/24    Microsoft machine-authenticated devices (L3 segmentation)
    (29)   -            10.1.29.0/24    Interconnect subnet between ASA and Access switch
    30     QUARANTINE   10.1.30.0/24    Unauthenticated or non-compliant devices (L3 segmentation)
    40     VOICE        10.1.40.0/24    Voice VLAN
    50     GUEST        10.1.50.0/24    Network for authenticated and compliant guest users
    90     AP           10.1.90.0/24    Wireless AP VLAN
    100    Management   10.1.100.0/24   Network services (AAA, AD, DNS, DHCP, etc.)
    129    WEB          10.1.129.0/24   Line-of-business Web servers
    130    DB           10.1.130.0/24   Line-of-business Database servers


    Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity, profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.

    Accounts and Passwords

    Access To                           Account (username/password)
    Access Switch (3560X)               admin / ISEisC00L
    Data Center Switch (3560X)          admin / ISEisC00L
    Wireless LAN Controller (2504)      admin / ISEisC00L
    ASA (5515-X)                        admin / ISEisC00L
    ISE Appliances                      admin / ISEisC00L
    AD (CS/DNS/DHCP)                    admin / ISEisC00L
    Web Servers                         admin / ISEisC00L
    Admin (Management) Client           admin / ISEisC00L
    Windows 7 Client                    W7PC-guest\admin / ISEisC00L
    (Local = W7PC-guest or W7PC-corp)   DEMO\admin / ISEisC00L
    (Domain = DEMO)                     DEMO\employee1 / ISEisC00L

    Connecting to Lab Devices

    Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for access to all the other lab components.

    Note: Admin PC access is through RDP, therefore you must have an RDP client installed on your computer.

    Connect to a POD

    Step 1 Launch the Remote Desktop application on your system.

    a. In the LabOps student portal, click on the Topology tab.

    b. Click on the Admin PC, and then click on the RDP Client option that appears.

    c. Clicking on this option should launch your RDP client and connect you to the Admin PC.

    Login as admin / ISEisC00L

    Note: All lab configurations can be performed from the Admin client PC.

    Connect to ESX Server Virtual Machines

    During the lab exercises, you may need to access and manage the computers running as virtual machines.


    Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop.

    Step 2 Click OK when the VMware vSphere Client starts.

    Step 3 You have the ability to power on, power off, or open the console (view) these VMs. To do so, place the mouse cursor over the VM name in the left-hand pane and right-click to select one of these options.

    Step 4 To access the VM console, select Open Console from the drop-down.

    Step 5 To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console menu.

    Step 6 For this lab ensure that the following VMs are up and running:

    p##_ad
    p##_ise-1-base
    p##_lob-web
    p##_mobileiron
    p##_w7pc-guest

    ## is the pod number that you are assigned to. E.g., for POD 2, p##_ad would be p02_ad. The VM w7pc-guest may be powered on manually during the exercises.

    Connect to Lab Device Command-Line Terminal

    Step 1 To access the lab switches and ISE servers using SSH:


    a. From the Admin client PC, the PuTTY shortcut is on the taskbar. Click on the PuTTY shortcut from the taskbar and it shows a list of devices and ISE servers.

    b. Select the device that you'd like to log into and double-click on it.

    c. If prompted, click Yes to cache the server host key and to continue login.

    d. Login using the credentials listed in the Accounts and Passwords table.

    Pre-Lab Setup Instructions

    Basic Connectivity Test

    To perform a basic connectivity test for the primary lab devices, run the pingtest.bat script from the Windows desktop of the Admin client PC:

    Verify that ping succeeds for all devices tested by the script.

    Note: Failure of lob-db to respond to ping is fine for this lab.

    Basic ISE Configuration

    Step 1 Access the ISE administrative web interface.

    a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/

    Note: Accept/Confirm any browser certificate warnings if present.


    Login with username admin and password ISEisC00L

    Step 2 Join to the Active Directory.

    a. Go to Administration > Identity Management > External Identity Sources.

    b. Pick Active Directory from the left-hand-side panel, and select ise-1 in the Connection tab on the right-hand side.

    c. Click Join with AD domain admin credentials: administrator / ISEisC00L

    Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check if the NTP service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM.

    Step 3 Disable log collection suppression

    Log suppression is on by default to reduce monitoring data storage. In order to see all log entries during troubleshooting, it can be disabled either globally or selectively per collection filter. In this lab, we will disable it globally, as shown in (a) below.

    a. Disable suppression globally

    i. Go to Administration > System > Settings, expand Protocols, and select RADIUS.

    ii. Clear the checkboxes Suppress Anomalous Clients and Suppress Repeated Successful Authentications.

    iii. Click Save when done.

    b. (For reference only) Disable suppression per collection filter

    i. Go to Administration > System > Logging, expand Collection Filters, and click on Add for a new filter.

    ii. Select an attribute from the drop-down menu.


    iii. Enter a value to match the attribute in (ii).

    iv. Select Disable Suppression from the drop-down menu.

    v. Click Submit.

    WLC Configuration

    Step 1 Load WLC configuration for the lab

    a. Login to the WLC web interface https://wlc.demo.local as admin / ISEisC00L

    b. Navigate to the top menu COMMANDS. Then, choose Download File from the left panel.

    c. In the Download file to Controller page, fill in the form as below:

    File Type                       Configuration
    Configuration File Encryption   (unchecked)
    Transfer Mode                   FTP
    Server Details
    IP Address                      10.1.100.6
    File Path                       /
    File Name                       p##-wlc-4hr.txt
    Server Login Username           ftp
    Server Login Password           ftp
    Server Port Number              21

    Note: The ## in p##-wlc-4hr.txt is two digits to be replaced with the assigned pod number; e.g. p02-wlc-4hr.txt for Pod 02.

    Note: The FTP server is the Admin PC itself. The WLC configuration file is in the folder C:\inetpub\ftproot\.

    d. Click on the Download button to start the file transfer. A confirmation will pop up after clicking the Download button. Click OK.

    e. Wait for the transfer to finish and the reset to complete.

    Note: The WLC will reset after downloading configuration from an external file server. During the reset, use ping -t wlc to monitor.

    Step 2 Using the browser (Firefox), navigate to https://wlc.demo.local/. Log in using the credentials User Name: admin, Password: ISEisC00L

    Note: SSID names will change per POD; e.g. POD 01 = n-p01-TS-OPEN and n-p01-TS-WPA2e

    Step 3 Click and then SSID number 11

    Step 4 Click the checkbox Status

    Step 5 Click

    Step 6 Repeat step 3 to step 5 for SSID number 10


    Controlling iPad via VNC Client

    Below are some tips for controlling the iPad UI via VNC client:

    Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with track pad) Touch with two fingers on the track pad if Secondary Click is configured.

    Mouse: The mouse pointer mimics touching the iPad screen with one finger.

    Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.

    Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.

    Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want to type into, and click on it.


    Lab Exercise 1: Configure the My Devices Portal on ISE

    Exercise Description

    This lab covers the ISE configuration requirements to enable and customize the My Devices Portal. The My Devices Portal allows employees to manage the devices that they themselves have on-boarded to the corporate network. Employees can add devices directly in this portal. Employees can mark any device in their own lists as lost, which prevents others from unauthorized network access when using the stolen device. Employees can reinstate a blacklisted device in the My Devices Portal to grant it network access without re-registration. Employees can also take any of their devices off the list temporarily, and later register them back for network access.

    Exercise Objective

    In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This includes completion of the following tasks:

    Verify My Devices Portal enablement

    Customize the My Devices Portal

    Modify the My Devices Portal authentication to include AD for user authentication

    Launch the My Devices Portal and access it using AD user credentials

    Step 4 Access the ISE administrative web interface.

    a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://ise-1.demo.local/

    Note: Accept/Confirm any browser certificate warnings if present.

    Note: The "Your browser is not supported" message may be ignored.

    b. Login with username admin and password ISEisC00L. The ISE Dashboard should display. Navigate the interface using the multi-level menus.


    Step 5 My Devices Portal Settings

    a. Navigate to Administration > Web Portal Management > Settings. From there, go to My Devices > Portal Configuration.

    b. Under the General section, verify Enable My Devices Portal is checked.

    c. Review the options to enable the AUP link, set the maximum number of devices, and set the email address and phone number for the Help Desk. The maximum number of devices is set to 5 by default.

    d. Enter values of your choosing under Help Desk for Email and Phone number.

    Step 6 Portal Theme

    a. Go to Administration > Web Portal Management > Settings > General > Portal Theme. Login page and banner logos as well as background images and colors can be customized.

    Step 7 SSL and URL Settings for My Devices Portal

    a. Go to Administration > Web Portal Management > Settings > General > Ports.

    b. In My Devices Portal Settings, verify the HTTPS Port and Allowed Interfaces are set as below:

    c. Go down to Portal URLs and verify that

    i. Default My Devices Portal URL is checked

    ii. The text box is set to mydevices.demo.local

    Note: By default, the friendly URL is not enabled. It's preconfigured here in the interest of time and to avoid a restart of ISE services. In this setup, mydevices.demo.local is aliased to ise-1.demo.local in DNS.


    Step 8 Identity Source Sequence for My Devices

    a. Under Administration > Web Portal Management > Settings > My Devices, verify the Authentication Source is set to MyDevices_Portal_Sequence, which is the default.

    b. Go to Administration > Identity Management > Identity Source Sequences. Edit the MyDevices_Portal_Sequence and select demoAD as the only identity source in the Authentication Search List. Save once completed.

    Step 9 Finally, verify the My Devices Portal is working with the configured settings.

    a. From the web browser, access http://mydevices.demo.local

    Note: Please accept/confirm any browser certificate warnings if present; these are mostly due to the browser not trusting the root CA certificate that signs the SSL server certificate of ISE.

    b. Login with an AD user/password: employee1 / ISEisC00L

    Upon successful login, a page similar to the right will show:

    Note: The authentication events can be shown in Operations Audit reports. To see them, set the ARP (My Devices Portal) logging category to log INFO messages and add LogCollector as the target.


    c. There will be options available to add devices, but do not add any devices at this time. This will be performed in later lab exercises.

    You are now familiar with the look-and-feel of My Devices Portal. You will use this portal in subsequent exercises.

    End of Exercise: You have successfully completed this exercise.

    Proceed to next section.


    Lab Exercise 2: Configure ISE for Single SSID Wireless BYOD configuration

    Exercise Description

    This exercise will show how to configure ISE for a BYOD wireless deployment where only one wireless SSID is required. Firstly you will confirm SSID settings on the Cisco WLC. Next you will learn how to configure profiles for the SCEP CA and the Certificate Authentication Profile. Cisco ISE uses Simple Certificate Enrollment Protocol (SCEP) to support the secure issuance of certificates to network devices in a scalable manner. The SCEP server in this lab is Microsoft Network Device Enrollment Service on Windows Server 2008 R2 Enterprise. You will also learn how to configure a client provisioning policy on Cisco ISE to allow native supplicant provisioning.

    Exercise Objective

    In this exercise, your goal is to configure ISE for single SSID Wireless BYOD, which includes the completion of the following tasks in ISE:

    Familiarize yourself with the WLC configuration needed for single SSID

    Verify the Network Access Device configuration of the WLC

    Configure the SCEP CA Profiles and the Certificate Authentication Profile

    Modify the Identity Source Sequence to authenticate the user against AD

    Modify the Authentication Policy to accept 802.1X authentication from wireless access devices with EAP-TLS or PEAP (EAP-MSCHAPv2) protocols

    Modify the Authorization Policy to allow registration as well as supplicant provisioning and to grant full access to registered devices

    Create a Client Provisioning Policy to support native supplicant provisioning

    Step 1 Open a new tab on the web browser and access the ISE administration web interface at https://ise-1.demo.local using the credentials admin / ISEisC00L

    Step 2 Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.

    a. Navigate to Administration > Network Resources > Network Devices

    b. Under Network Devices in the right-hand panel, select wlc.

    c. This network device is preconfigured with the values shown in the following table:

    Attribute                 Value
    Name                      wlc
    Description               -
    IP Address                10.1.100.61 / 32
    Model Name                -
    Software Version          -
    Device Type               WLC
    Location                  GOLD-Lab
    Authentication Settings   (checked)
    Protocol                  RADIUS
    Shared Secret             ISEisC00L


    d. Update as needed and click Save when finished.

    Step 3 Configure a SCEP RA Profile.

    a. Navigate to Administration > System > Certificates.

    b. Go to SCEP RA Profiles. Add a new profile as below:

    Attribute     Value
    Name          mscep (or any unique id)
    Description   -
    URL           http://ad.demo.local/certsrv/mscep

    Note: The URL may start with either http:// or https://. The latter needs AD with a valid certificate and the root-CA certificate imported into the ISE certificate store beforehand.

    c. Click Test Connectivity to verify the connection to the SCEP server.

    Note: If this fails, please ask the proctor to check on the AD server VM. MSCEP is hosted on the Microsoft AD Server in this lab. The proctor can either stop and start the service (NDES) or restart the AD VM (Power-off & Power-on).

    d. Once Test Connectivity succeeds, click Submit to save the profile.

    e. Under Administration > System > Certificates, go to Certificate Store. Both the CA and RA (registration authority) certificates of the certificate chain for the SCEP server should have been retrieved as a result of (d).

    Step 4 Configure a Certificate Authentication Profile

    Go to Administration > Identity Management > External Identity Sources > Certificate Authentication Profile to create a new one with the following information:

    Click Submit to save the changes.


    Step 5 Add a new Identity Source Sequence

    a. Go to Administration > Identity Management > Identity Source Sequences.

    b. Click Add to create a new Identity Source Sequence.

    Note: When this identity source sequence is used in EAP-TLS authentications, it will pick the certificate authentication profile. In password-based authentications, it will use the other identity sources in the authentication search list.

    c. Click Submit to save the changes.

    Step 6 Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and create a new entry with the name PEAP_o_TLS that allows only two protocols:

    a. EAP-TLS

    b. PEAP with inner method EAP-MS-CHAPv2

    c. Click Submit to save the changes.

    Step 7 Update Authentication Policy

    a. Go to Policy > Authentication

    b. Modify the rules Dot1X and Default Rule as below:


    Below shows the resulting authentication policy. The modified objects are highlighted in yellow. All three rules are enabled (Status).

    Name                         Condition                            Protocols                                 Identity Source               Options
    MAB                          IF Wired_MAB OR Wireless_MAB         allow protocols Default Network Access    and use Internal Endpoints    Reject / Reject / Drop
    Dot1X                        IF Wired_802.1X OR Wireless_802.1X   allow protocols PEAP_o_TLS                and use DOT1X_Sequence        Reject / Reject / Drop
    Default Rule (if no match)                                        allow protocols Default Network Access    and use DenyAccess            Reject / Reject / Drop

    c. Click Save.

    Step 8 Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create two Authorization Profiles that will be used in the Authorization Policy: one for full network access and the other dedicated to supplicant provisioning.

    a. Authorization Profile for allowing Full Network Access

    Attribute      Value
    Name           WLC_FullAccess
    Description    -
    Access Type    ACCESS_ACCEPT
    Common Tasks   Airespace ACL Name (checked): PERMIT-ALL-TRAFFIC

    Attributes Details:
    Access Type = ACCESS_ACCEPT
    Airespace-ACL-Name = PERMIT-ALL-TRAFFIC

    Click Submit to save the changes.

    PERMIT-ALL-TRAFFIC is a named ACL defined at the WLC that allows all IP traffic.

    b. Authorization Profile for allowing Supplicant Provisioning

    Attribute      Value
    Name           WLC_SupplicantProvisioning
    Description    -
    Access Type    ACCESS_ACCEPT
    Common Tasks   Web Redirection (CWA, DRW, MDM, NSP, CPP) (checked)
                   Drop-down menu: Supplicant Provisioning
                   ACL: PERMIT-2-ISE-a-DNS

    Attributes Details:
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=PERMIT-2-ISE-a-DNS
    cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&action=nsp

    Click Submit to save the changes.

    PERMIT-2-ISE-a-DNS is another named ACL at the WLC. It permits limited access to ISE and DNS only.

    Step 9 Next, add two Authorization Policy rules under Policy > Authorization as shown below, with the Rule Names Reg with ISE TLS and Employee Personal Device. Also, set the Default rule to DenyAccess.

    Note: Identity Group RegisteredDevices is one of the Endpoint Identity Groups.

    Note: ISE 1.2 introduced a new attribute EndPoints:BYODRegistration, which may be used to validate registration status instead of RegisteredDevices. Also, endpoints keep their pre-registration identity groups, if any.

    Note: To insert a new authorization rule, click Edit at the right end of a rule and choose from the drop-down option menu.

    Note: To add the first condition from the Library, such as Wireless_802.1X, use Select Existing Condition from Library. Wireless_802.1X is a compound condition. If the first condition is an attribute/value pair, such as Network Access:EapAuthentication EQUALS EAP-TLS, use Create New Condition (Advanced Option). Then, pick Add Attribute/Value for more such conditions in the same rule.

    The resulting authorization policy, top to bottom (all rules enabled):

    Rule Name: Wireless Black List Default ISE
      Identity Groups: Blacklist
      Other Conditions: Wireless_Access_ISE
      Permissions: Blackhole_Wireless_Access_ISE

    Rule Name: Profiled Cisco IP Phones ISE
      Identity Groups: Cisco-IP-Phone
      Other Conditions: -
      Permissions: Cisco_IP_Phones_ISE

    Rule Name: Profiled Non Cisco IP Phones ISE
      Identity Groups: -
      Other Conditions: Non_Cisco_Profiled_Phones_ISE
      Permissions: Non_Cisco_IP_Phones_ISE

    Rule Name: Employee Personal Device
      Identity Groups: Any
      Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
      Permissions: WLC_SupplicantProvisioning

    Rule Name: Reg with ISE TLS
      Identity Groups: RegisteredDevices
      Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-TLS AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
      Permissions: WLC_FullAccess

    Rule Name: Default (if no matches)
      Permissions: DenyAccess


    Click Save to save the changes.
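    The two rules added in Step 9, together with the blacklist rule and the DenyAccess default, evaluated top-down as a small Python model. This is an added example, not part of the lab guide or of ISE itself: the Session attributes, the approximations of the Wireless_Access and Wireless_802.1X library conditions, and the sample sessions are all constructed. It shows why the CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID condition matters: a certificate enrolled for one iPad's MAC address does not unlock WLC_FullAccess from a different MAC.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def normalize_mac(value: str) -> str:
    """Reduce a MAC address to 12 lowercase hex digits so that the SAN in the
    provisioned certificate (e.g. 'AA-BB-CC-DD-EE-01') and Radius:Calling-Station-ID
    (e.g. 'aa:bb:cc:dd:ee:01') compare as equal whatever separator was used.
    Assumption: both values carry the endpoint MAC, as the Step 9 rule relies on."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Session:
    """The attributes of one RADIUS access request that the rules reference."""
    nas_port_type: str                         # Radius:NAS-Port-Type
    service_type: str                          # Radius:Service-Type
    eap_authentication: str                    # Network Access:EapAuthentication
    calling_station_id: str                    # Radius:Calling-Station-ID (endpoint MAC)
    identity_groups: frozenset = frozenset()   # endpoint identity group membership
    cert_san: Optional[str] = None             # CERTIFICATE:Subject Alternative Name


def wireless_access(s: Session) -> bool:
    """Library condition Wireless_Access (assumed: NAS-Port-Type is wireless)."""
    return s.nas_port_type == "Wireless - IEEE 802.11"


def wireless_802_1x(s: Session) -> bool:
    """Library compound condition Wireless_802.1X (assumed: wireless port type
    AND Service-Type Framed, which 802.1X requests carry)."""
    return wireless_access(s) and s.service_type == "Framed"


Rule = Tuple[str, Callable[[Session], bool], str]

# Top-down, first match wins. The profiled IP phone rules from the table are omitted.
RULES: List[Rule] = [
    ("Wireless Black List Default ISE",
     lambda s: "Blacklist" in s.identity_groups and wireless_access(s),
     "Blackhole_Wireless_Access_ISE"),
    ("Employee Personal Device",
     lambda s: wireless_802_1x(s) and s.eap_authentication == "EAP-MSCHAPv2",
     "WLC_SupplicantProvisioning"),
    ("Reg with ISE TLS",
     lambda s: "RegisteredDevices" in s.identity_groups
     and wireless_802_1x(s)
     and s.eap_authentication == "EAP-TLS"
     and s.cert_san is not None
     and normalize_mac(s.cert_san) == normalize_mac(s.calling_station_id),
     "WLC_FullAccess"),
]


def authorize(s: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for the first matching rule,
    or the DenyAccess default when nothing matches."""
    for name, condition, profile in RULES:
        if condition(s):
            return name, profile
    return "Default", "DenyAccess"


WIFI = "Wireless - IEEE 802.11"
IPAD_MAC = "aa:bb:cc:dd:ee:01"   # constructed sample MAC, not from the lab
SAMPLES = {
    # 1. First connection: PEAP with AD credentials, endpoint not yet registered.
    "onboarding_peap": Session(WIFI, "Framed", "EAP-MSCHAPv2", IPAD_MAC),
    # 2. After OTA enrollment: EAP-TLS, registered, SAN carries the same MAC.
    "registered_tls": Session(WIFI, "Framed", "EAP-TLS", IPAD_MAC,
                              frozenset({"RegisteredDevices"}), "AA-BB-CC-DD-EE-01"),
    # 3. Another registered device presenting the certificate issued to device 1:
    #    the SAN / Calling-Station-ID check fails, so it falls through to DenyAccess.
    "copied_cert": Session(WIFI, "Framed", "EAP-TLS", "aa:bb:cc:dd:ee:02",
                           frozenset({"RegisteredDevices"}), "AA-BB-CC-DD-EE-01"),
    # 4. Valid certificate, but the endpoint is not in RegisteredDevices.
    "unregistered_tls": Session(WIFI, "Framed", "EAP-TLS", IPAD_MAC,
                                frozenset(), "AA-BB-CC-DD-EE-01"),
    # 5. Device marked lost in the My Devices Portal (now in the Blacklist group)
    #    still holding its certificate: the blacklist rule matches first.
    "lost_device": Session(WIFI, "Framed", "EAP-TLS", IPAD_MAC,
                           frozenset({"Blacklist"}), "AA-BB-CC-DD-EE-01"),
}

if __name__ == "__main__":
    for label, session in SAMPLES.items():
        rule, profile = authorize(session)
        print(f"{label:18s} -> {rule} / {profile}")
```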

    Step 10 Go to Policy > Client Provisioning and create a new rule which will look like the following:

    Rule Name   Identity Groups   Operating Systems   Other Conditions   Results
    Apple iOS   Any               Apple iOS All       -                  iOS_WPA2e_TLS

    Create a new Native Supplicant Profile in-line from within the Results cell. Fill in the native supplicant profile iOS_WPA2e_TLS as shown:

    Attribute          Value
    Name               iOS_WPA2e_TLS
    Description        -
    Operating System   Apple iOS All
    Connection Type    Wireless
    SSID               n-p##-TS-WPA2e
    Security           WPA2 Enterprise
    Allowed Protocol   TLS
    Key Size           1024

    Notes: The SSID value is case-sensitive and needs to be exactly the same as the one defined in the WLC. To avoid any typos, copy the SSID name from the WLC and paste it into the ISE GUI. To find the SSID for your POD, go to the Admin PC, launch a browser and log in to the WLC (https://wlc.demo.local) with Username = admin and Password = ISEisC00L. Click and then copy the name of the Secure SSID, e.g. n-p##-TS-WPA2e. If the SSID is disabled, click on the SSID and enable it.

    Click Save to save the changes.

    End of Exercise: You have successfully completed this exercise. Proceed to next section.

    Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad

    Note: This certificate, with a subject name of aaa.demo.local shown as the certificate subject, is a wildcard certificate.

    Note: Apple iOS prompts for the RADIUS server EAP-TLS certificate because it is seeing the certificate for the first time and this is an ad-hoc connection.

    c. Next click on the blue arrow of the connected network and verify the IP address assigned.

    Note: The IP address for the iPad might be different depending on the DHCP scopes in the POD; the iPad might get an IP address from the 10.1.10.x subnet, which is OK.

    Step 6 Now launch the mobile Safari app and access the website www-int.demo.local. You will receive a warning "Cannot Verify Server Identity". Click Continue and you will be redirected to the self-provisioning page.

    Note: If a red error is shown and the Register button is greyed out, check whether a Client Provisioning Policy rule has been created for Apple iOS (Policy > Client Provisioning). Also, run a Supplicant Provisioning Report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).


    When prompted to install the CA certificate that signed the SSL server certificate of ISE, click Install. Accept any warnings to complete this installation.

    Step 7 Once back at the self-provisioning page in Safari, enter an optional description and click Register. At this time, the ISE Profile Service pops up and prompts Install.

    Step 8 Click Install to start the Apple Over-The-Air (OTA) enrollment process. This will automatically generate the key, enroll the identity certificate, and save the resulting signed Wi-Fi profile to the iPad.

    Note: If there are errors installing the profile, do the following:

    Verify a SCEP RA profile has been created (Administration > System > Certificates > SCEP RA Profile)

    Verify the CA and RA certificates have been downloaded to the Certificate Store (Administration > System > Certificates > Certificate Store)

    Check the console output of the iPad using the iPhone Configuration Utility (iPCU) from Apple, which is installed on the Admin PC (Start > All Programs > iPhone Configuration Utilities)

    Step 9 Once the profile is installed, click Done.

    Step 10 Now go back to the mobile Safari app and enter www-int.demo.local, which should take you to the website.

    Step 11 Verify that Settings > General > Profiles shows two profiles installed.

    Notes: iOS_WPA2e_TLS is the name of the supplicant profile created in Step 10 of Exercise 2.

    Step 12 Check the live authentication logs on the ISE admin web console (Operations > Authentications) to verify that the correct authorization profiles were applied. The sequence will look similar to the following. Initially, the device will be authorized for WLC_SupplicantProvisioning. Once the provisioning is done, another authentication occurs and the WLC_FullAccess profile will be applied.


Note: For detailed troubleshooting, enable DEBUG logging for the relevant components (client, guest and provisioning) under Administration > System > Logging > Debug Log Configuration.

Step 13 Go to the My Devices Portal http://mydevices.demo.local and inspect the endpoint registration states. Log in as employee1 / ISEisC!!L if the portal session has expired.

a. The initial state of the device is Pending, as shown below.

b. Once the newly installed Wi-Fi profile authenticates the device to the network, this state moves to Registered.

This transition may take up to 20 minutes or may not occur at all due to bug CSCtx94533.

More Troubleshooting Tips

Helpful WLC CLI commands:

- Debugging client traffic: debug client
- Debugging AAA authentication: debug aaa events enable
- Debugging 802.1X events: debug dot1x events enable
- Bypass captive portal: config network web-auth captive-bypass enable

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 4: Test and Verify the Device Blacklisting function on My Devices Portal

Exercise Description

This exercise will show you the device self-management features of Cisco ISE. You will simulate losing your iPad and blacklisting the device as lost. Blacklisting the device prevents it from being misused on the corporate network. Cisco ISE uses RADIUS CoA messaging to interact with network access devices in enforcing restrictions on the user self-provisioned device.

Exercise Objective

In this exercise, your goal is to complete the following tasks:

- Customize the Authorization Profile to blacklist wireless endpoints

- From the My Devices Portal, mark the device as Lost to observe the Change of Authorization (CoA) occur and restrict access from the device

- When the device is reinstated on the My Devices Portal, a Change of Authorization is again triggered and the device should now be given full network access

Step 1 Refer to Appendix A for the sample WLC configuration. Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC!!L to review the WLAN (menu WLANs) and ACLs (menu SECURITY; side menu Access Control List > Access Control List) used in this exercise.

a. WLAN: n-p##-TS-WPA2e

b. ACLs: PERMIT-ALL-TRAFFIC and BLACKHOLE

Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e.

Step 2 Go to the My Devices Portal. Select the iPad and click Lost?. The device will now be blocked from accessing the network. Note the icon change under State.

Step 3 From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local and the user will see the message This device has been marked as lost.

Step 4 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic Authorization is triggered after the device is marked Lost, then a reauthorization matches the device to the BlackList_Wireless_Access profile.


Step 5 Go back to the My Devices Portal and click Reinstate. The iPad should now be allowed on the network. Notice the change in the icon under State.

Step 6 The Live Authentications logs should show an entry Dynamic Authorization (CoA) succeeded followed by a re-authentication, which puts the device in the WLC_FullAccess profile.

Step 7 On the iPad, again try to access www-int.demo.local. The website should now be accessible.

Step 8 On the iPad, go to Settings > Wi-Fi and slide the virtual switch to turn off Wi-Fi.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 5: Configure ISE for 3rd Party MDM integration

Exercise Description

This lab covers the ISE configuration requirements to enable ISE integration with 3rd party MDM servers.

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a policy server and an inline enforcement point that controls the use of applications (e.g. email) on a mobile device in the deployed environment. Today Cisco Identity Services Engine (ISE) is the only entity that can provide granular access to endpoints (based on ACLs, TrustSec SGTs, etc.). In this integration, the ISE-enabled network is the enforcement point while the MDM policy server serves as the policy decision point. ISE expects specific data from MDM servers to provide a complete solution.

The following are the high-level use cases in this solution.

- Device registration: Non-registered endpoints accessing the network on-premises will be redirected to the registration page on the MDM server for registration based on user role, device type, etc.

- Remediation: Non-compliant endpoints will be given restricted access based on compliance state.

- Periodic compliance check: Periodically check with the MDM server for compliance.

- Ability for the administrator in ISE to issue remote actions on the device through the MDM server (e.g. remote wiping of the managed device).

- Ability for the end user to leverage the ISE My Devices Portal to manage personal devices, e.g. Full Wipe, Corporate Wipe and PIN Lock.

MDM servers can be used as a cloud service or installed locally on premises. Once the installation, basic setup and compliance checks are configured on the MDM server, it can then be added to ISE.

    Logical Network Topology


MDM Integration use-case overview

1. User associates the device to the SSID.

2. If the user's device is not registered, the user goes through the BYOD on-boarding flow, details of which are listed in the Appendix.

3. ISE makes an API call to the MDM server.

4. This API call returns the list of devices for this user and the posture status for the devices. Please note that the MAC address of the endpoint device can be passed as an input parameter.

5. If the user's device is not in this list, the device is not registered. ISE will send a Change of Authorization to the NAD to redirect to ISE, and the user will be redirected to the MDM server (home page or landing page).

6. ISE will know that this device needs to be provisioned using MDM and will present an appropriate page to the user to proceed to registration.

7. The user will be transferred to the MDM, where registration will be done. Control will transfer back to ISE either through automatic redirection by the MDM server or by the user refreshing their browser again.

8. ISE will query the MDM again to learn the posture status.

9. If the user's device is not compliant with the posture (compliance) policies configured on the MDM, the user will be notified that the device is out of compliance and needs to be brought into compliance.

10. Once the user's device becomes compliant, the MDM server will update the device state in its internal tables.

11. At this stage the user can refresh the browser, at which point control transfers back to ISE.

12. ISE would also poll the MDM server periodically to get compliance information and issue CoAs appropriately.

Exercise Objective

In this exercise the student will add a 3rd party MDM server to ISE and then configure ISE authorization policies to use MDM attributes.

The diagram below shows the main steps in configuring MDM Integration.


Step 1 MDM Server Certificate

Note: The certificate for the 3rd party MDM server in Step 1 is already downloaded in ISE; Step 1 is only to view the certificate for the completeness of the configuration.

    Go to Administration


The Cisco Identity Services Engine IP address = 10.1.100.21

Internal Corporate Networks = 10.0.0.0, 255.0.0.0 (to redirect) (Allow ISE and MDM Server)

MDM Server = 10.1.100.15

The MDM_Quarantine_ACL is explained as follows:

1. Allow DNS traffic inbound for name resolution.

2. Allow all traffic inbound to ISE for the Web Portal, supplicant and certificate provisioning flows.

3. Allow access inbound to the MDM server for MDM device registration and compliance checks.

4. Allow ICMP traffic for troubleshooting (optional).

5. Deny all traffic inbound to corporate resources. Any 80/tcp access hits will be redirected to ISE (as per company policy).

6. Permit all remaining traffic, to allow remediation from Internet sites such as the Apple App Store.
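The six rules above modelled in Python, as an added example that is not the lab's Appendix A configuration nor any WLC code. It lets you run constructed packets through the list and see why the order matters: the ISE address sits inside 10.0.0.0/8, so the ISE and MDM permits must come before the corporate deny, and the corporate deny must come before the final permit-any. The IP addresses are the lab's; the rule names, the Packet type and the "redirect" verdict (a denied 80/tcp hit is what the WLC sends to the url-redirect URL) are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Lab addresses from the guide; rule names and verdicts are assumptions.
ISE_NET = ip_network("10.1.100.21/32")
MDM_NET = ip_network("10.1.100.15/32")
CORP_NET = ip_network("10.0.0.0/8")
ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """A constructed inbound flow: destination, protocol, destination port."""
    dst: str
    proto: str        # "udp", "tcp" or "icmp"
    dport: int = 0


# (rule name, destination network, protocol or None, port or None, action)
# Evaluated top to bottom; the first matching rule decides.
QUARANTINE_ACL = [
    ("dns",         ANY_NET,  "udp",  53,   "permit"),
    ("ise",         ISE_NET,  None,   None, "permit"),
    ("mdm",         MDM_NET,  None,   None, "permit"),
    ("icmp",        ANY_NET,  "icmp", None, "permit"),
    ("corp-deny",   CORP_NET, None,   None, "deny"),
    ("permit-rest", ANY_NET,  None,   None, "permit"),
]


def _matches(rule, pkt):
    _, net, proto, dport, _ = rule
    return (ip_address(pkt.dst) in net
            and (proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport))


def evaluate(pkt, acl=QUARANTINE_ACL):
    """Return (matching rule name, verdict) for a packet.

    A denied 80/tcp flow is reported as "redirect": when this ACL is bound
    as the url-redirect-acl, the WLC sends such HTTP hits to the ISE portal
    URL instead of silently dropping them. Any other denied flow is dropped.
    """
    for rule in acl:
        if _matches(rule, pkt):
            name, _, _, _, action = rule
            if action == "deny" and pkt.proto == "tcp" and pkt.dport == 80:
                return name, "redirect"
            return name, action
    return "implicit-deny", "deny"


def misordered_acl():
    """The same rules with the corporate deny moved after permit-rest,
    to show that the content of the rules alone does not make the ACL safe."""
    rules = [r for r in QUARANTINE_ACL if r[0] != "corp-deny"]
    rules.append(next(r for r in QUARANTINE_ACL if r[0] == "corp-deny"))
    return rules


if __name__ == "__main__":
    # Constructed sample flows from a quarantined iPad.
    for p in (Packet("8.8.8.8", "udp", 53),
              Packet("10.1.100.21", "tcp", 8443),
              Packet("10.1.50.5", "tcp", 80),
              Packet("10.1.50.5", "tcp", 443),
              Packet("203.0.113.10", "tcp", 443)):
        print(p, "->", evaluate(p))
    print("misordered:", evaluate(Packet("10.1.50.5", "tcp", 80), misordered_acl()))
```

Running the block shows the intended behaviour (DNS, ISE, MDM and Internet permitted; corporate HTTP redirected; other corporate traffic dropped) and then the misordered list, where corporate HTTP slips through permit-rest and the redirect never happens. When reviewing the real ACL on the WLC, check the rule sequence numbers against this order rather than just the presence of each rule.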

Step 7 Configure ISE Authorization Policies. Once the MDM server is added to ISE, we can configure authorization policies in ISE to leverage the new dictionaries added for MDM servers.

a. Create an Authorization Profile named MDM_Quarantine for devices that are not compliant with MDM policies. In this case all non-compliant devices will be redirected to ISE and presented with a message.

b. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add to add MDM_Quarantine as below:


Step 8 Update ISE Authorization Policy

a. Go to Policy > Authorization.

b. Find the Authorization policy rule Reg with ISE TLS and select Duplicate Above.

c. Update the two policy rules (Reg with ISE TLS and its duplicate) as defined below, in turn:

Reg with ISE and MDM compliant: Once the device is registered with both ISE and MDM, and is compliant with MDM policies, it will be granted full access to the network.

Reg with ISE not MDM: This Authorization Rule is added for devices which are registered with ISE but either not yet registered with an MDM server or not compliant with MDM policies. Once the device hits this rule, it will be forwarded to the ISE MDM landing page. If not yet registered with MDM, the Register button is shown. If already registered but not yet compliant, the page informs the user about the compliance failure.

Note: Use Duplicate Above/Below to speed up creating rules with similar conditions.

Authorization Policy rules (columns: Status, Rule Name, Identity Groups, Other Conditions, Permissions):

Rule: Employee PersonalDevice
  Status: enabled
  Identity Groups: Any
  Other Conditions: Wireless_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  Permissions: WLC_SupplicantProvisioning

Rule: Reg with ISE and MDM compliant
  Status: enabled
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
    AND MDM:MDMServerReachable EQUALS Reachable
    AND MDM:DeviceRegisterStatus EQUALS Registered
    AND MDM:DeviceCompliantStatus EQUALS Compliant
  Permissions: WLC_FullAccess

Rule: Reg with ISE not MDM
  Status: enabled
  Identity Groups: RegisteredDevices
  Other Conditions: Wireless_802.1X
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    AND CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
    AND MDM:MDMServerReachable EQUALS Reachable
  Permissions: MDM_Quarantine

Rule: Default (if no matches)
  Permissions: DenyAccess

Do not forget to Save all the changes after updating the Authorization Policy rules.
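The rule table above evaluated first-match in Python, as an added example (not Cisco ISE code) that covers both the MDM use-case flow described at the start of this exercise and the policy rules just configured. A session is a dict whose keys mirror the attribute names in the table; each rule is a list of predicates that must all hold; the first matching rule supplies the authorization profile and the default is DenyAccess. The dict layout, the helper names and the sample MAC address are assumptions made for this example.

```python
def _san_matches_mac(s):
    # CERTIFICATE:Subject Alternative Name EQUALS Radius:Calling-Station-ID
    # ties the EAP-TLS certificate to the MAC address that presents it.
    return (s.get("CERTIFICATE:Subject Alternative Name", "").lower()
            == s.get("Radius:Calling-Station-ID", "").lower())


def _eap(method):
    return lambda s: s.get("Network Access:EapAuthentication") == method


def _mdm(attr, value):
    return lambda s: s.get("MDM:" + attr) == value


def _wireless_dot1x(s):
    return s.get("Wireless_802.1X") is True


def _registered(s):
    return "RegisteredDevices" in s.get("IdentityGroups", ())


# (rule name, conditions that must all hold, authorization profile)
AUTHZ_RULES = [
    ("Employee PersonalDevice",
     [_wireless_dot1x, _eap("EAP-MSCHAPv2")],
     "WLC_SupplicantProvisioning"),
    ("Reg with ISE and MDM compliant",
     [_registered, _wireless_dot1x, _eap("EAP-TLS"), _san_matches_mac,
      _mdm("MDMServerReachable", "Reachable"),
      _mdm("DeviceRegisterStatus", "Registered"),
      _mdm("DeviceCompliantStatus", "Compliant")],
     "WLC_FullAccess"),
    ("Reg with ISE not MDM",
     [_registered, _wireless_dot1x, _eap("EAP-TLS"), _san_matches_mac,
      _mdm("MDMServerReachable", "Reachable")],
     "MDM_Quarantine"),
]
DEFAULT_RULE = ("Default (if no matches)", "DenyAccess")


def authorize(session):
    """Return (rule name, authorization profile) for a session dict,
    evaluating the rules top to bottom and stopping at the first match."""
    for name, conditions, profile in AUTHZ_RULES:
        if all(cond(session) for cond in conditions):
            return name, profile
    return DEFAULT_RULE


def tls_session(**mdm):
    """Constructed post-onboarding session: registered device, EAP-TLS,
    certificate SAN equal to the calling MAC, MDM reachable. Keyword
    arguments become MDM: attributes and may override the defaults."""
    mac = "a4-d1-8c-00-11-22"   # constructed sample value
    s = {
        "IdentityGroups": ("RegisteredDevices",),
        "Wireless_802.1X": True,
        "Network Access:EapAuthentication": "EAP-TLS",
        "CERTIFICATE:Subject Alternative Name": mac,
        "Radius:Calling-Station-ID": mac,
        "MDM:MDMServerReachable": "Reachable",
    }
    s.update({"MDM:" + k: v for k, v in mdm.items()})
    return s


if __name__ == "__main__":
    # Onboarding: PEAP-MSCHAPv2 from a device not yet registered.
    print(authorize({"Wireless_802.1X": True,
                     "Network Access:EapAuthentication": "EAP-MSCHAPv2"}))
    # The Exercise 7 sequence: not enrolled -> enrolled but non-compliant -> compliant.
    print(authorize(tls_session(DeviceRegisterStatus="UnRegistered")))
    print(authorize(tls_session(DeviceRegisterStatus="Registered",
                                DeviceCompliantStatus="NonCompliant")))
    print(authorize(tls_session(DeviceRegisterStatus="Registered",
                                DeviceCompliantStatus="Compliant")))
```

Two outcomes worth noticing when you run it: a registered EAP-TLS device whose certificate SAN does not equal its Calling-Station-ID falls through to DenyAccess, which is the table's defence against a provisioned certificate being reused from another device; and, because both MDM rules require MDMServerReachable EQUALS Reachable, a registered device gets DenyAccess when the MDM server is down. That is fail-closed behaviour; whether it is wanted is a design decision to make deliberately rather than by omission.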

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 6: MDM policy configuration on 3rd Party MDM Server

Exercise Description

This exercise will review the MobileIron policy configuration for the corporate compliance policies.

Note: Please DO NOT change any policies on the 3rd party MDM server, as this could leave the iPad in an unusable state.

Exercise Objective

In this exercise, your goal is to familiarize yourself with and review the configuration of the MobileIron server for the corporate policies. This includes completion of the following tasks:

- Verify the admin account privileges for the REST API, i.e. the account used by ISE to send REST API calls to the MobileIron server

- Review the Default Security Policies

- Review the iOS app installation configuration (WebEx)

Step 1 Access the MobileIron administrative web interface.

a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar: https://mobileiron.demo.local/admin

Note: Accept/Confirm any browser certificate warnings if present.

b. Log in with username admin and password ISEisC!!L. Once you log in, the USERS & DEVICES tab should display.

Step 2 User Management

a. Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the admin user and click Assign Roles.

b. Notice that the API check box is selected for the user.


c. Navigate to USERS & DEVICES > User Management. From there, click the checkbox before the employee1 user and click Assign Roles.

d. Notice that the API check box is NOT selected for the user.

Step 3 Application Control Policies on MobileIron Server

a. Navigate to APPS & CONFIGS > App Control

b. Click the Edit button for WebEx

c. Verify the settings as below

Attribute           Value
Name                WebEx
Type                Required
App Name            IS
App Search String   WebEx
Device Platform     ALL
Comment             WebEx

Step 4 Default Security Policy on MobileIron Server

a. Navigate to POLICIES > All Policies > Default Security Policy. From there, click the Edit button on the right side of the screen.

b. Review this policy for Password, Type, Length, Data Encryption, etc.

c. Under Access Control, verify WebEx is the only enabled rule.

    Note: The current version of AnyConnect is not compatible with iPad 1 in the pod, so AnyConnect cannot be enforced here.

    Update as needed. Then, click


Step 5 Application Distribution Policies on MobileIron Server

a. Navigate to APPS & CONFIGS > App Distribution.

b. From there, click the dropdown button and select iOS.

c. Cisco AnyConnect has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.

Note: The following is needed because the current value on the server is set to Yes. The current version of AnyConnect is not compatible with iPad 1, which is used in the pod.

Select No so that the MobileIron VSP does not send an installation request to the endpoint at the time of registration, and click Save.

d. Cisco WebEx has already been imported into the MobileIron server from the App Store. Click the Edit button to review the details.

Note: The following is needed because the current value on the server is set to No.

Select Yes so that the MobileIron VSP sends an installation request to the endpoint at the time of registration, and click Save.

You are now familiar with the basic configuration of the 3rd-party MDM server, MobileIron. You will use it in subsequent exercises.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 7: Test and Verify 3rd party MDM integration onboarding of a non-corporate Apple iPad

Exercise Description

In this exercise you will experience the MDM enrollment process. BYOD on-boarding of the iPad was already completed in Lab Exercise 3, so this exercise continues with MDM enrollment. The iPad's native supplicant is already provisioned with the wireless SSID, so only MDM enrollment is addressed here. Using the Cisco ISE live logs you will monitor the onboarding process and verify successful completion via the My Devices Portal.

Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to the configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment, please do not deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual resetting and prevent you from experiencing the full potential of the lab. Thank you for your cooperation.

Exercise Objective

In this exercise, your goal is to complete the following tasks:

- Complete device enrollment with the 3rd party MDM and install the corporate application

- Check the ISE Live Logs to monitor the process

- Check the My Devices Portal to see the device registration

- Use the My Devices Portal to issue a corporate wipe

Step 1 On the iPad, go to Settings > Wi-Fi and slide the virtual switch to turn on Wi-Fi.

Note 1: If the VNC session to the iPad is closed, click the shortcut VNC-to-iPad on the taskbar to restart a VNC session to the iPad.

Note 2: If Wi-Fi was not turned off at the end of Lab Exercise 4, first turn it off and remove the client session from the WLC: use the Firefox browser on the admin PC to go to https://wlc.demo.local, navigate to MONITOR > Clients, follow the client MAC address hyperlink to drill into the session, and click the Remove button.

Step 2 Launch the mobile Safari app and access www.google.com. The endpoint will have access as per corporate policies, as the iPad previously registered with ISE in Exercise 3.

Step 3 Now access the website www-int.demo.local (a corporate resource). Since the device is not enrolled with MDM, as per the configured policies the device will be redirected to the page hosted on ISE to register with the 3rd party MDM server. To simplify the end-user experience, a link to the configured 3rd party MDM server is presented, which the user can click to be redirected to install the MDM client.


Click the link called Step 1: Enroll but do NOT click the Step 2: Continue button.

Note: In this lab the 3rd party MDM agent is already downloaded, so DO NOT click.

Go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe on the screen. This will take you to the third page on the iPad; click the MobileIron Agent icon to launch it.

Note: If the third page has no MobileIron, right-click once to go back to the iPad home screen and right-click again to launch search. Enter MobileIron as the search string to find and launch it.

If you get the Application Reset pop-up, click OK to continue.

Step 4 Enter the following values and accept ALL certificates when prompted. If asked about a certificate, click Accept, since this is the certificate from the MobileIron server to be installed on the iPad. The certificate is later used to push the MDM profile and certificates from the MobileIron server.

a. Click Accept Certificate

Attribute   Value
User Name   employee1
Server      mobileiron.demo.local
Password    ISEisC00L


b. The iPad will be prompted that its configuration will be updated; click OK to continue.

c. MobileIron will now push the MDM profile to the iPad. But before it can push the profile, the iPad needs the certificate of the MobileIron server, so the MobileIron server will now configure the iPad to initiate a SCEP request for the certificate. Click Install to download the profile on the iPad.

d. The iPad will prompt that the profile is unverified (since it is signed by the MobileIron server, whose certificate chain has not been installed on iOS). Click Install Now.

e. The iPad will prompt that the MobileIron server is installing the certificate named PortalCA, which is not a publicly signed certificate. Click Install Now.

Once the profile and certificates are downloaded on the iPad, click Done.


Notes: After clicking Done, STOP and wait for the iPad to prompt for App Installation. If the iPad does not prompt for App Installation, please check with the Lab Administrator. This is to test the non-compliance state of the iPad.

The iPad is now registered with the MobileIron MDM server but is missing the corporate application, therefore it is NOT compliant with ISE as per the configured policies.

Step 5 As part of the corporate compliance policies, the device needs to have the corporate applications. In this lab, the MDM server will push the WebEx application onto the iPad.

Notes: At this time click Cancel for WebEx.

Step 6 Click Safari to open the browser and access www-int.demo.local, then click the Continue button so ISE can send a CoA-Reauth. Once ISE sends a successful CoA, it will refresh the iPad browser, prompting the user to access the original URL.

Step 7 Type the original URL www-int.demo.local in the address bar. The iPad is non-compliant with the corporate policies as it is missing the WebEx application, therefore ISE will redirect the user to the MDM non-compliance page.

The explanation and recommendation text might differ from the screenshot, depending on the MobileIron VSP server version.

Step 8 Go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe on the screen. This will take you to a new page on the iPad; click the MobileIron Agent icon to launch it.

Note: If the page has no MobileIron, right-click once to go back to the iPad home screen and right-click again to launch search. Enter MobileIron as the search string to find and launch it.


Step 9 Re-Enroll with MDM

a. Click Settings > Check for Updates, then Re-Enroll Device.

b. The iPad will now go through the MDM re-enrollment process; the user will be prompted to install the profile so the iPad can initiate a SCEP request to the MobileIron server to get the certificates. Click Install.

c. Click Install Now to accept the warnings.

d. Click Install to install the MDM profile on the iPad so the MobileIron MDM server can manage the device.

e. Once the profile is installed, click Done.


f. This time wait until prompted to install the WebEx Meetings app. Please click Install.

g. The iPad will request the App Store password for [email protected]; please enter ISEisC!!L.

h. Please wait for the WebEx app installation to complete.

i. Once the WebEx application installation is complete, click Safari to open the browser and access www-int.demo.local, then click the Continue button so ISE can send a CoA-Reauth.

j. Once ISE sends a successful CoA, it will refresh the iPad browser, prompting the user to access the original URL.

Step 10 Using the Admin PC, go to the MobileIron server. Click USERS & DEVICES.

Step 11 Click the user employee1.

Step 12 In the Device Details section on the right of the screen, click the small arrow before Apps to expand it. Make sure all the apps are in compliance and NOT in RED.


Notes: After clicking Apps, STOP if any of the apps is reported in RED. This means that the MobileIron MDM server has NOT received updates from the MobileIron Agent.

To send another update from the MobileIron Agent to the MobileIron server:

Go to the iPad home screen by right-clicking on the iPad, hold down the click key and move the mouse towards your left to swipe on the screen. This will take you to a new page on the iPad; click the MobileIron Agent app to launch it.

Click Settings, then Force Device Check-in, then click Check-in.

Please note that this might need to be done multiple times, depending on whether the update from the MobileIron Agent gets to the MobileIron server.

Repeat from Step 10 to make sure the apps are in compliance.

Step 13 Once the MobileIron server shows employee1 as compliant, click Safari to open the browser and access www-int.demo.local, then click the Continue button so ISE can send a CoA-Reauth.

Once ISE sends a successful CoA, it will refresh the iPad browser, prompting the user to access the original URL.

Please type the original URL www-int.demo.local in the address bar.

Employee1 will now have access to the corporate resources.


Step 14 Look at the live logs on the ISE admin web console to verify that the correct authorization profiles were applied. Initially, the device is authorized with MDM_Quarantine. Once provisioning is done, the MDM registration process starts, in which the user is first asked to register and then to comply with the corporate compliance policies; this results in another authentication, after which the WLC_FullAccess profile is applied.

End of Exercise: You have successfully completed this exercise. Proceed to the next section.


Lab Exercise 8: Test and Verify the Corporate Wipe function on My Devices Portal

Exercise Description

This exercise will show you the device self-management features of Cisco ISE. You will simulate losing your iPad and performing a Corporate Wipe action on the device. Corporate Wipe removes all the corporate data; in this case WebEx was pushed as a corporate application earlier, so it will be removed. Cisco ISE uses APIs to interact with the MDM server in enforcing restrictions on the user self-provisioned device.

Exercise Objective

In this exercise, your goal is to complete the following tasks:

- Review the MDM_Quarantine policy that was created earlier

- From the My Devices Portal, initiate the Corporate Wipe action on the device to observe the Change of Authorization (CoA) occur and restrict access from the device

Step 1 Refer to Appendix A for the sample WLC configuration. Log in to the WLC web interface https://wlc.demo.local as admin / ISEisC!!L to review the WLAN (menu WLANs) and ACLs (menu SECURITY; side menu Access Control List > Access Control List) used in this exercise.

a. WLAN: n-p##-TS-WPA2e

b. ACLs: PERMIT-ALL-TRAFFIC and MDM_Quarantine_ACL

Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e for POD 22.

Step 2 Review the authorization profile MDM_Quarantine under Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm
cisco-av-pair = url-redirect-acl=MDM_Quarantine_ACL

Step 3 Perform Corporate Wipe

a. From the iPad VNC session, verify that iPad Wi-Fi is ON and connected to n-p##-TS-WPA2e.

b. Go to the My Devices Portal and click Corporate Wipe for the iPad. The WebEx application will now be removed from the iPad and the device will be blocked from accessing the corporate network. Note the icon change under State.


Notes: Due to a possible race condition (CSCui00582), ISE does not send a CoA to the controller after initiating the Corporate Wipe. Please initiate a CoA from the ISE Live Session Logs, OR toggle Wi-Fi, to see the change in the authorization policy rule.

Step 4 From the VNC session to the iPad, switch to the mobile Safari app. Reload the page www-int.demo.local and the user will see the message You must enroll your device.

Step 5 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic Authorization is triggered after the device is Corporate-Wiped, then a reauthorization matches the device to the MDM_Quarantine profile.

    Step 6 Clean up the iPad and turn off wireless to get ready for the next exercise

    a. Close all browser tabs.

    b. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.

    c. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings > General > Profiles.

    d. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

    End of Exercise: You have successfully completed this exercise. Proceed to the next section.


    Optional Exercise A: Configure ISE for Wired MAB-to-PEAP Onboarding

    Exercise Description
    This exercise showcases the flexibility of Cisco ISE, where an employee may provision a personal PC onto a wired network.

    Exercise Objective
    In this exercise, your goal is to configure ISE for wired MAB-to-PEAP BYOD, which includes the completion of the following tasks in ISE:

    Modify the MAB Authentication Policy to allow fail-open on user-not-found

    Modify the Authorization Policy to allow CWA. Then, grant full access to users authenticated using MSCHAPv2 on registered devices.

    Add a Client Provisioning Policy to provision the native supplicant for Windows PCs

    Step 1 Access the ISE web administration interface at https://ise-1.demo.local using the credentials admin / ISEisC!!L

    Step 2 Update Guest_Portal_Sequence

    a. Go to Administration > Identity Management > Identity Source Sequences

    b. Edit Guest_Portal_Sequence to use demoAD in its Authentication Search List.

    c. Hit Save and continue

    Step 3 Under Policy > Policy Elements > Results > Authentication > Allowed Protocols, add a new Allowed Protocols entry named HostLookup_only. Enable only Process Host Lookup and disable all other protocols. Click Submit to save.


    Click Submit to save.

    Step 7 Modify the Authorization Policy under Policy > Authorization: insert the two new rules shown below, Wired Registered MSCHAPv2 and Wired MAB, after the existing rule Reg with ISE not MDM, and save the changes.

    Status   Rule Name                  Identity Groups    Other Conditions                                                        Permissions
    enabled  Reg with ISE not MDM       RegisteredDevices  (as previously configured)                                              MDM_Quarantine
    enabled  Wired Registered MSCHAPv2  RegisteredDevices  Wired_802.1X AND Network Access:EapAuthentication EQUALS EAP-MSCHAPv2  Wired_FullAccess
    enabled  Wired MAB                  Any                Wired_MAB                                                               Wired_CWA
    enabled  Default (if no matches)    -                  -                                                                       DenyAccess
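    The table above only makes sense once you remember that ISE walks the authorization rules top to bottom and stops at the first match, which is why the two new rules have to sit after Reg with ISE not MDM and why the registered-device rule must come before the catch-all Wired MAB rule. The following Python model, added here as an illustration and not part of the lab guide or of ISE, replays the wired onboarding of Optional Exercise B against exactly the rules in the Step 7 table. The Session and AuthzRule names are invented for the example; the Other Conditions cell of the existing Reg with ISE not MDM rule is not legible on the page, so its condition (a device registered with ISE but not with the MDM) is an assumption.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Session:
    """The session attributes the rules in the Step 7 table look at (constructed for this example)."""
    identity_group: str           # endpoint identity group, e.g. "RegisteredDevices" or "Unknown"
    connection: str               # "Wired_MAB" or "Wired_802.1X", the compound conditions in the table
    eap_authentication: str = ""  # Network Access:EapAuthentication, e.g. "EAP-MSCHAPv2"
    mdm_registered: bool = True   # ASSUMPTION: the attribute behind "Reg with ISE not MDM"


@dataclass
class AuthzRule:
    name: str
    identity_group: str                   # "Any" matches every endpoint identity group
    condition: Callable[[Session], bool]  # the "Other Conditions" cell
    permission: str                       # the authorization profile returned on a match


# Rule order copied from the Step 7 table. The condition of the first rule is an
# assumption (its cell is not legible in the guide); the other two are as tabulated.
POLICY = [
    AuthzRule("Reg with ISE not MDM", "RegisteredDevices",
              lambda s: not s.mdm_registered, "MDM_Quarantine"),
    AuthzRule("Wired Registered MSCHAPv2", "RegisteredDevices",
              lambda s: s.connection == "Wired_802.1X" and s.eap_authentication == "EAP-MSCHAPv2",
              "Wired_FullAccess"),
    AuthzRule("Wired MAB", "Any", lambda s: s.connection == "Wired_MAB", "Wired_CWA"),
]
DEFAULT_RULE = ("Default (if no matches)", "DenyAccess")


def authorize(session, policy=POLICY):
    """First-match evaluation, top to bottom, as ISE does; falls through to the default rule.
    Returns (rule name, permission)."""
    for rule in policy:
        if rule.identity_group not in ("Any", session.identity_group):
            continue
        if rule.condition(session):
            return rule.name, rule.permission
    return DEFAULT_RULE


if __name__ == "__main__":
    # Constructed sessions that follow the wired onboarding of Optional Exercise B.
    stages = [
        ("new PC, MAB only", Session("Unknown", "Wired_MAB")),
        ("registered, still MAB", Session("RegisteredDevices", "Wired_MAB")),
        ("registered, PEAP-MSCHAPv2", Session("RegisteredDevices", "Wired_802.1X", "EAP-MSCHAPv2")),
        ("registered, EAP-TLS", Session("RegisteredDevices", "Wired_802.1X", "EAP-TLS")),
    ]
    for label, s in stages:
        print(f"{label:28} -> {authorize(s)}")
```

    Two outcomes are worth noticing when you check the Live Logs in Optional Exercise B: a device that is already in RegisteredDevices but still connects with MAB (the supplicant not yet switched over) is sent back through Wired_CWA, and a registered device that authenticates with an EAP method other than MSCHAPv2 is not covered by any rule in this table and lands on the DenyAccess default.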

    Step 8 Configure the Client Provisioning Policy.

    Note: The resources for client provisioning can be created either under Policy > Policy Elements > Results > Client Provisioning, or inline while adding a client-provisioning rule without leaving the policy page. The latter is described here, but it has a known issue: the admin user needs to re-select the resources after creating them this way.

    a. Go to Policy > Client Provisioning Policy and add a rule for Windows PC.

    Status   Rule Name     Identity Groups  Operating Systems  Other Conditions  Results
    enabled  Apple iOS     Any              Mac iOS All        -                 iOS_WPA2_TLS
    enabled  Windows PEAP  Any              Windows All        -                 Config Wizard: WinSPWizard 1.0.0.34
                                                                                 Wizard Profile: Windows_Wired_PEAP

    b. Under Native Supplicant Configuration, expand the Results cell to create the following two resources inline

    I. Config Wizard

    a) Download the wizard bundle from the following location on the admin PC:

    http://tools.demo.local/cp/win_spw-1.0.0.34-isebundle.zip

    Note: To create the Config Wizard and Wizard Profile inline, click on the gear icon.

    Note: Select the option Upload Resource for the Config Wizard.


    b) Upload the file downloaded in (a) to ISE. The upload is saved as WinSPWizard 1.0.0.n.

    Note: This employs the offline-upload method for a wizard resource, such as win_spw-n.n.n.n-isebundle.zip. Such offline bundle files are in the CCO download location for ISE. Alternatively, the resources can be fetched online from the Client Provisioning update feed, if ISE has access to the feed URL.

    II. Wizard Profile

    Create it as shown:

    Attribute                             Value
    Name                                  Windows_Wired_PEAP
    Description                           -
    Operating System                      Windows All
    Connection Type                       Wired (selected)
    Allowed Protocol                      PEAP
    Optional Settings > Windows Settings  (keep defaults)

    c. After both the Profile and the Config Wizard are created, reselect them as the Results and Save the changes.

    Note: The inline creation and Save only saves the newly created Wizard Profile or Config Wizard, not the new policy. Hence, first Save changes for the new Wizard Profile or Config Wizard, and then Save changes again for the new Client Provisioning Policy.

    End of Exercise: You have successfully completed this exercise.


    Optional Exercise B: Test and Verify for Wired MAB-to-PEAP Onboarding

    Exercise Description
    This exercise demonstrates how a wired PC is on-boarded from MAB/CWA to PEAP.

    Step 1 From the Admin PC, using PuTTY, connect to 3k-access using the credentials admin / ISEisC!!L

    Issue the following CLI commands to bring up interface g0/1:

    3k-access#terminal monitor

    3k-access#conf t

    3k-access(config)#interface GigabitEthernet 0/1

    3k-access(config-if)#no shutdown

    Step 2 Next, connect to w7pc-guest

    a. In vSphere Client, power on p##-w7pc-guest

    b. Connect to its console

    c. Login with credentials: admin / ISEisC!!L

    Step 3 Enable the wired LAN connection

    In the w7pc-guest console, double-click the desktop shortcut w7pc-guest Network Connections. Then, enable the w7pc-guest-wired connection by double-clicking its icon.

    Step 4 The PuTTY session to the 3k-access switch should now indicate that interface g0/1 is MAB authenticated with a CWA redirect and that w7pc-guest has an IP address; verify with the CLI command show auth sessions int g0/1

    Step 5 In the w7pc-guest console, open Firefox and type in a website (e.g. www.google.com) to access. If you receive a security warning, accept it.

    Note: If at first you are not redirected, wait a couple of minutes and try another site.

    Step 6 Login to the guest portal as employee1 / ISEisC!!L

    Step 7 Once presented with the Self-Provisioning Portal, click Register.

    Step 8 Click Continue at the Security Warning dialog box. Click Run when asked Do you want to run this application? Name: CiscoSPWDownloadFacilitator.

    Step 9 Once the NSP window kicks in, click Start. Then, click Yes for the security warning on installing the root-CA certificate and for the UAC command windows.

    Step 10 The Windows native supplicant prompts the user to enter the credentials (employee1 / ISEisC!!L) to connect.

    Note 1: The bubble pops up close to the Windows task bar, so it could be obscured from view.

    Note 2: You might need to enter the credentials more than once.

    Step 11 The user now has Full Access. Check the Live Logs (under Operations > Authentications) on ISE to confirm this assignment.


    End of Exercise: You have successfully completed this exercise.

    End of Lab: Congratulations! You have successfully completed the lab. Please let your proctor know you finished and provide any feedback to help improve the lab experience.


    Appendix A: WLC Configuration

    config location expiry tags 5
    config interface address management 10.1.100.61 255.255.255.0 10.1.100.1
    config interface dhcp management primary 10.1.100.10
    config interface port management 1
    config interface vlan management 100
    config interface address virtual 1.1.1.1
    config interface address dynamic-interface access 10.1.10.2 255.255.255.0 10.1.10.1
    config interface create access 10
    config interface port access 1
    config interface vlan access 10
    config interface address dynamic-interface guest 10.1.50.2 255.255.255.0 10.1.50.1
    config interface create guest 50
    config interface port guest 1
    config interface vlan guest 50
    config 802.11b 11gsupport enable
    config 802.11b cac voice sip bandwidth 64 sample-interval 20
    config 802.11b cac voice sip codec g711 sample-interval 20
    config 802.11b channel global off
    config 802.11b txpower global 1
    config 802.11b cleanair alarm device enable 802.11-nonstd
    config 802.11b cleanair alarm device enable jammer
    config 802.11b cleanair alarm device enable 802.11-inv
    config 802.11b cleanair enable
    config 802.11b disable network
    config sysname wlc
    config database size 2048
    config country US
    config snmp community delete public
    config snmp community delete private
    config snmp community mode enable ISEisC00L
    config snmp community ipaddr 10.1.100.0 255.255.255.0 ISEisC00L
    config snmp community create ISEisC00L
    config advanced probe limit 2 500
    config advanced probe-limit 2 500
    config advanced 802.11a channel add 36
    config advanced 802.11a channel add 40
    config advanced 802.11a channel add 44
    config advanced 802.11a channel add 48
    config advanced 802.11a channel add 52
    config advanced 802.11a channel add 56
    config advanced 802.11a channel add 60
    config advanced 802.11a channel add 64
    config advanced 802.11a channel add 149
    config advanced 802.11a channel add 153
    config advanced 802.11a channel add 157
    config advanced 802.11a channel add 161
    config advanced 802.11a channel noise enable
    config advanced 802.11a channel device disable
    config advanced 802.11a channel load disable
    config advanced 802.11a channel foreign enable
    config advanced 802.11b channel add 1
    config advanced 802.11b channel add 6
    config advanced 802.11b channel add 11
    config advanced 802.11b channel noise enable
    config advanced 802.11b channel device disable
    config advanced 802.11b channel load disable
    config advanced 802.11b channel foreign enable
    config mdns service query enable AirPrint
    config mdns service create AirPrint _ipp._tcp.local. query enable
    config mdns service query enable AppleTV
    config mdns service create AppleTV _airplay._tcp.local. query enable
    config mdns service query enable HP_Photosmart_Printer_1
    config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. query enable
    config mdns service query enable HP_Photosmart_Printer_2
    config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. query enable
    config mdns service query enable Printer
    config mdns service create Printer _printer._tcp.local. query enable
    config mdns profile service add default-mdns-profile AirPrint
    config mdns profile service add default-mdns-profile AppleTV
    config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
    config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
    config mdns profile service add default-mdns-profile Printer


    config mdns profile create default-mdns-profile
    config acl rule add PERMIT-ALL-TRAFFIC 1
    config acl rule destination port range PERMIT-ALL-TRAFFIC 1 0 65535
    config acl rule source port range PERMIT-ALL-TRAFFIC 1 0 65535
    config acl rule action PERMIT-ALL-TRAFFIC 1 permit
    config acl rule add PERMIT-ALL-TRAFFIC 65
    config acl rule destination port range PERMIT-ALL-TRAFFIC 65 0 65535
    config acl rule source port range PERMIT-ALL-TRAFFIC 65 0 65535
    config acl rule add PERMIT-2-ISE-a-DNS 1
    config acl rule destination address PERMIT-2-ISE-a-DNS 1 10.1.100.21 255.255.255.255
    config acl rule destination port range PERMIT-2-ISE-a-DNS 1 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS 1 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS 1 in
    config acl rule action PERMIT-2-ISE-a-DNS 1 permit
    config acl rule add PERMIT-2-ISE-a-DNS 2
    config acl rule destination port range PERMIT-2-ISE-a-DNS 2 0 65535
    config acl rule source address PERMIT-2-ISE-a-DNS 2 10.1.100.21 255.255.255.255
    config acl rule source port range PERMIT-2-ISE-a-DNS 2 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS 2 out
    config acl rule action PERMIT-2-ISE-a-DNS 2 permit
    config acl rule add PERMIT-2-ISE-a-DNS 3
    config acl rule destination address PERMIT-2-ISE-a-DNS 3 10.1.100.10 255.255.255.255
    config acl rule destination port range PERMIT-2-ISE-a-DNS 3 53 53
    config acl rule source port range PERMIT-2-ISE-a-DNS 3 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS 3 in
    config acl rule protocol PERMIT-2-ISE-a-DNS 3 17
    config acl rule action PERMIT-2-ISE-a-DNS 3 permit
    config acl rule add PERMIT-2-ISE-a-DNS 4
    config acl rule destination port range PERMIT-2-ISE-a-DNS 4 0 65535
    config acl rule source address PERMIT-2-ISE-a-DNS 4 10.1.100.10 255.255.255.255
    config acl rule source port range PERMIT-2-ISE-a-DNS 4 53 53
    config acl rule direction PERMIT-2-ISE-a-DNS 4 out
    config acl rule protocol PERMIT-2-ISE-a-DNS 4 17
    config acl rule action PERMIT-2-ISE-a-DNS 4 permit
    config acl rule add PERMIT-2-ISE-a-DNS 5
    config acl rule destination port range PERMIT-2-ISE-a-DNS 5 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS 5 0 65535
    config acl rule protocol PERMIT-2-ISE-a-DNS 5 1
    config acl rule action PERMIT-2-ISE-a-DNS 5 permit
    config acl rule add PERMIT-2-ISE-a-DNS 6
    config acl rule destination port range PERMIT-2-ISE-a-DNS 6 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS 6 0 65535
    config acl rule add PERMIT-2-ISE-a-DNS 65
    config acl rule destination port range PERMIT-2-ISE-a-DNS 65 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS 65 0 65535
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 1
    config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 1 10.1.100.10 255.255.255.255
    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 53 53
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 1 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 1 in
    config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 1 17
    config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 1 permit
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 2
    config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 2 10.1.100.21 255.255.255.255
    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 8443 8443
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 2 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 2 in
    config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 2 6
    config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 2 permit
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 3
    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 3 0 65535
    config acl rule protocol PERMIT-2-ISE-a-DNS-a-INTERNET 3 1
    config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 3 permit
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 4
    config acl rule destination address PERMIT-2-ISE-a-DNS-a-INTERNET 4 10.1.0.0 255.255.0.0
    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 4 0 65535
    config acl rule direction PERMIT-2-ISE-a-DNS-a-INTERNET 4 in
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 5
    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 5 0 65535
    config acl rule action PERMIT-2-ISE-a-DNS-a-INTERNET 5 permit
    config acl rule add PERMIT-2-ISE-a-DNS-a-INTERNET 65


    config acl rule destination port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535
    config acl rule source port range PERMIT-2-ISE-a-DNS-a-INTERNET 65 0 65535
    config acl rule add BLACKHOLE 1
    config acl rule destination address BLACKHOLE 1 10.1.100.21 255.255.255.255
    config acl rule destination port range BLACKHOLE 1 8444 8444
    config acl rule source port range BLACKHOLE 1 0 65535
    config acl rule direction BLACKHOLE 1 in
    config acl rule protocol BLACKHOLE 1 6
    config acl rule action BLACKHOLE 1 permit
    config acl rule add BLACKHOLE 2
    config acl rule destination port range BLACKHOLE 2 0 65535
    config acl rule source address BLACKHOLE 2 10.1.100.21 255.255.255.255
    config acl rule source port range BLACKHOLE 2 8444 8444
    config acl rule direction BLACKHOLE 2 out
    config acl rule protocol BLACKHOLE 2 6
    config acl rule action BLACKHOLE 2 permit
    config acl rule add BLACKHOLE 3
    config acl rule destination address BLACKHOLE 3 10.1.100.10 255.255.255.255
    config acl rule destination port range BLACKHOLE 3 53 53
    config acl rule source port range BLACKHOLE 3 0 65535
    config acl rule direction BLACKHOLE 3 in
    config acl rule protocol BLACKHOLE 3 17
    config acl rule action BLACKHOLE 3 permit
    config acl rule add BLACKHOLE 4
    config acl rule destination port range BLACKHOLE 4 0 65535
    config acl rule source address BLACKHOLE 4 10.1.100.10 255.255.255.255
    config acl rule source port range BLACKHOLE 4 53 53
    config acl rule direction BLACKHOLE 4 out
    config acl rule protocol BLACKHOLE 4 17
    config acl rule action BLACKHOLE 4 permit
    config acl rule add BLACKHOLE 5
    config acl rule destination port range BLACKHOLE 5 0 65535
    config acl rule source port range BLACKHOLE 5 0 65535
    config acl rule add BLACKHOLE 65
    config acl rule destination port range BLACKHOLE 65 0 65535
    config acl rule source port range BLACKHOLE 65 0 65535
    config acl rule add MDM_Quarantine_ACL 1
    config acl rule destination address MDM_Quarantine_ACL 1 10.1.100.10 255.255.255.255
    config acl rule destination port range MDM_Quarantine_ACL 1 53 53
    config acl rule source port range MDM_Quarantine_ACL 1 0 65535
    config acl rule direction MDM_Quarantine_ACL 1 in
    config acl rule protocol MDM_Quarantine_ACL 1 17
    config acl rule action MDM_Quarantine_ACL 1 permit
    config acl rule add MDM_Quarantine_ACL 2
    config acl rule destination address MDM_Quarantine_ACL 2 10.1.100.21 255.255.255.255
    config acl rule destination port range MDM_Quarantine_ACL 2 0 65535
    config acl rule source port range MDM_Quarantine_ACL 2 0 65535
    config acl rule direction MDM_Quarantine_ACL 2 in
    config acl rule action MDM_Quarantine_ACL 2 permit
    config acl rule add MDM_Quarantine_ACL 3
    config acl rule destination address MDM_Quarantine_ACL 3 10.1.100.15 255.255.255.255
    config acl rule destination port range MDM_Quarantine_ACL 3 0 65535
    config acl rule source port range MDM_Quarantine_ACL 3 0 65535
    config acl rule direction MDM_Quarantine_ACL 3 in
    config acl rule action MDM_Quarantine_ACL 3 permit
    config acl rule add MDM_Quarantine_ACL 4
    config acl rule destination port range MDM_Quarantine_ACL 4 0 65535
    config acl rule source port range MDM_Quarantine_ACL 4 0 65535
    config acl rule direction MDM_Quarantine_ACL 4 in
    config acl rule protocol MDM_Quarantine_ACL 4 1
    config acl rule action MDM_Quarantine_ACL 4 permit
    config acl rule add MDM_Quarantine_ACL 5
    config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
    config acl rule destination port range MDM_Quarantine_ACL 5 0 65535
    config acl rule source port range MDM_Quarantine_ACL 5 0 65535
    config acl rule direction MDM_Quarantine_ACL 5 in
    config acl rule add MDM_Quarantine_ACL 6
    config acl rule destination port range MDM_Quarantine_ACL 6 0 65535
    config acl rule source port range MDM_Quarantine_ACL 6 0 65535
    config acl rule action MDM_Quarantine_ACL 6 permit
    config acl rule add MDM_Quarantine_ACL 65
    config acl rule destination port range MDM_Quarantine_ACL 65 0 65535
    config acl rule source port range MDM_Quarantine_ACL 65 0 65535
    config acl counter start


    config acl create PERMIT-ALL-TRAFFIC
    config acl apply PERMIT-ALL-TRAFFIC
    config acl create PERMIT-2-ISE-a-DNS
    config acl apply PERMIT-2-ISE-a-DNS
    config acl create PERMIT-2-ISE-a-DNS-a-INTERNET
    config acl apply PERMIT-2-ISE-a-DNS-a-INTERNET
    config acl create BLACKHOLE
    config acl apply BLACKHOLE
    config acl create MDM_Quarantine_ACL
    config acl apply MDM_Quarantine_ACL
    config mobility group domain n-pNN-TS
    config network rf-network-name n-pNN-TS
    config network usertimeout 120
    config network fast-ssid-change enable
    config network web-auth captive-bypass enable
    config network multicast l2mcast disable service-port
    config network multicast l2mcast disable virtual
    config dhcp proxy disable bootp-broadcast disable
    config license boot base
    config license agent max-sessions 9
    config 802.11a cac voice sip bandwidth 64 sample-interval 20
    config 802.11a cac voice sip codec g711 sample-interval 20
    config 802.11a channel global off
    config 802.11a txpower global 4
    config 802.11a cleanair alarm device enable 802.11-nonstd
    config 802.11a cleanair alarm device enable jammer
    config 802.11a cleanair alarm device enable 802.11-inv
    config 802.11a cleanair enable
    config radius fallback-test interval 180
    config radius fallback-test mode passive
    config radius acct add encrypt 11 10.1.100.21 1813 password 1 3516b7676b6e057cc60e6eab4c0464151b48c2754113392979a8a99cb7bcb4fdcbe0fb4b 1673599122aad031626b4beca7aac40c8f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    config radius acct retransmit-timeout 11 30
    config radius acct enable 11
    config radius auth add encrypt 11 10.1.100.21 1812 password 1 548dafd9b3821b2c2dca6d5bc20709e5755a8cad807da4a4f7718c0a09ad9ea41c4267dd 161d47e852fdaca9e6f95f734047dba5ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    config radius auth rfc3576 enable 11
    config radius auth retransmit-timeout 11 30
    config radius auth enable 11
    config nmsp notification interval rssi rfid 2
    config certificate generate webadmin
    config certificate generate webauth
    config wlan aaa-override enable 10
    config wlan mfp client enable 10
    config wlan aaa-override enable 11
    config wlan mfp client enable 11
    config wlan mac-filtering enable 10
    config wlan security wpa wpa2 ciphers aes disable 10
    config wlan security wpa wpa2 disable 10
    config wlan security wpa akm 802.1x disable 10
    config wlan security wpa disable 10
    config wlan security web-auth server-precedence 10 radius
    config wlan security ft over-the-ds disable 11
    config wlan security wpa enable 11
    config wlan security web-auth server-precedence 11 radius
    config wlan broadcast-ssid enable 10
    config wlan nac radius enable 10
    config wlan interface 10 access
    config wlan broadcast-ssid enable 11
    config wlan nac radius enable 11
    config wlan interface 11 access
    config wlan radius_server acct add 10 11
    config wlan radius_server auth add 10 11
    config wlan create 10 n-pNN-TS-OPEN n-pNN-TS-OPEN
    config wlan session-timeout 10 1800
    config wlan radius_server acct add 11 11
    config wlan radius_server auth add 11 11
    config wlan create 11 n-pNN-TS-WPA2e n-pNN-TS-WPA2e
    config wlan session-timeout 11 1800
    config wlan exclusionlist 10 60


    config wlan exclusionlist 11 60
    config wlan wmm allow 10
    config wlan wmm allow 11
    config wlan radio 10 802.11ag
    config wlan radio 11 802.11ag
    config w
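    The MDM_Quarantine_ACL that the MDM_Quarantine authorization profile names in its url-redirect-acl attribute (Exercise 8, Step 2) is what actually confines a wiped or unenrolled device: the controller walks its rules in index order, a rule without an action line keeps the WLC default of deny, and traffic matching no rule is dropped. The following Python parser and evaluator, added here as an illustration and not taken from the lab guide, from Cisco or from the WLC, reads the Appendix A rule syntax for that ACL and answers what a quarantined client may reach. The rule subset is copied from Appendix A with the lines that only restate the 0-65535 port default left out; the client address 10.1.10.50 is a constructed value inside the access interface subnet defined above, and the test flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# MDM_Quarantine_ACL rules copied from Appendix A. Lines that only restate the WLC default
# port range (0 65535) are omitted; a missing line means "any", as on the controller.
WLC_CONFIG = """\
config acl rule add MDM_Quarantine_ACL 1
config acl rule destination address MDM_Quarantine_ACL 1 10.1.100.10 255.255.255.255
config acl rule destination port range MDM_Quarantine_ACL 1 53 53
config acl rule source port range MDM_Quarantine_ACL 1 0 65535
config acl rule direction MDM_Quarantine_ACL 1 in
config acl rule protocol MDM_Quarantine_ACL 1 17
config acl rule action MDM_Quarantine_ACL 1 permit
config acl rule add MDM_Quarantine_ACL 2
config acl rule destination address MDM_Quarantine_ACL 2 10.1.100.21 255.255.255.255
config acl rule direction MDM_Quarantine_ACL 2 in
config acl rule action MDM_Quarantine_ACL 2 permit
config acl rule add MDM_Quarantine_ACL 3
config acl rule destination address MDM_Quarantine_ACL 3 10.1.100.15 255.255.255.255
config acl rule direction MDM_Quarantine_ACL 3 in
config acl rule action MDM_Quarantine_ACL 3 permit
config acl rule add MDM_Quarantine_ACL 4
config acl rule direction MDM_Quarantine_ACL 4 in
config acl rule protocol MDM_Quarantine_ACL 4 1
config acl rule action MDM_Quarantine_ACL 4 permit
config acl rule add MDM_Quarantine_ACL 5
config acl rule destination address MDM_Quarantine_ACL 5 10.0.0.0 255.0.0.0
config acl rule direction MDM_Quarantine_ACL 5 in
config acl rule add MDM_Quarantine_ACL 6
config acl rule action MDM_Quarantine_ACL 6 permit
"""

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class AclRule:
    index: int
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    src_ports: tuple = (0, 65535)
    dst_ports: tuple = (0, 65535)
    direction: str = "any"          # "in" = from the wireless client, "out" = towards it
    protocol: Optional[int] = None  # IP protocol number; None = any
    action: str = "deny"            # a rule with no "action ... permit" line denies (WLC default)


def parse_wlc_acls(text):
    """Turn 'config acl rule ...' lines into {acl_name: [AclRule, ...]} ordered by index."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["config", "acl", "rule"]:
            continue
        tok = tok[3:]
        if tok[0] == "add":
            name, idx = tok[1], int(tok[2])
            acls.setdefault(name, {})[idx] = AclRule(idx)
            continue
        # keyword is 1 token (direction/protocol/action), 2 (... address) or 3 (... port range)
        kw_len = 3 if tok[1:3] == ["port", "range"] else 2 if tok[1] == "address" else 1
        keyword = " ".join(tok[:kw_len])
        name, idx, args = tok[kw_len], int(tok[kw_len + 1]), tok[kw_len + 2:]
        rule = acls[name][idx]
        if keyword == "destination address":
            rule.dst = ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
        elif keyword == "source address":
            rule.src = ipaddress.IPv4Network(f"{args[0]}/{args[1]}")
        elif keyword == "destination port range":
            rule.dst_ports = (int(args[0]), int(args[1]))
        elif keyword == "source port range":
            rule.src_ports = (int(args[0]), int(args[1]))
        elif keyword == "direction":
            rule.direction = args[0]
        elif keyword == "protocol":
            rule.protocol = int(args[0])
        elif keyword == "action":
            rule.action = args[0]
    return {name: [rules[i] for i in sorted(rules)] for name, rules in acls.items()}


def evaluate_acl(rules, src, dst, protocol, src_port, dst_port, direction):
    """First match wins; with no match the controller's implicit deny applies.
    Returns (action, index of the matching rule or None)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.direction != "any" and r.direction != direction:
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if src_ip not in r.src or dst_ip not in r.dst:
            continue
        if not (r.src_ports[0] <= src_port <= r.src_ports[1] and r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            continue
        return r.action, r.index
    return "deny", None


QUARANTINE = parse_wlc_acls(WLC_CONFIG)["MDM_Quarantine_ACL"]

if __name__ == "__main__":
    client = "10.1.10.50"  # constructed client address in the WLC "access" interface subnet
    for label, flow in [
        ("DNS/UDP to 10.1.100.10", (client, "10.1.100.10", 17, 40000, 53, "in")),
        ("DNS/TCP to 10.1.100.10", (client, "10.1.100.10", 6, 40001, 53, "in")),
        ("HTTPS to ISE 10.1.100.21", (client, "10.1.100.21", 6, 40002, 8443, "in")),
        ("HTTP to internal 10.1.20.5", (client, "10.1.20.5", 6, 40003, 80, "in")),
        ("HTTPS to the Internet", (client, "198.51.100.7", 6, 40004, 443, "in")),
    ]:
        print(f"{label:28} -> {evaluate_acl(QUARANTINE, *flow)}")
```

    Running it shows the shape of the quarantine: DNS over UDP to 10.1.100.10, anything to ISE at 10.1.100.21, anything to 10.1.100.15 and ICMP are permitted by rules 1 to 4, every other destination inside 10.0.0.0/8 falls on rule 5 and is denied because that rule has no action line, and rule 6 then lets the rest of the world through. Two details a reviewer would flag: DNS over TCP is caught by rule 5 rather than rule 1, and rules 1 to 5 are inbound only, so the filtering relies on the client side of each flow and on rule 6 for the return direction.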