ISE BYOD

Just labbing up some ISE scenarios.
When I create guest users they are in the identity store. If I use AD, obviously they are in AD.
However, when I have a user self-provision, I cannot find the identity. Where are self-provisioned identities stored? They have to be somewhere so we can disable or delete them, etc.

You can find them in the endpoint database. Please review the links below, which might be helpful for your concerns:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf

Similar Messages

  • I am implementing ISE BYOD.

     I am implementing ISE BYOD. I get "browser not supported" on a few of my client endpoints. Please assist on how to troubleshoot.

    What ISE version and patch level are you using? Is this issue particular to an endpoint type/OS?
    Client Machine Operating Systems and Agent Support in Cisco ISE
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html#34998

  • ISE BYOD Android : Impossible to launch "Network setup assistant"

    Hello
    The BYOD procedure fails when launching "Network setup assistant".
    The error message is: "This profile could not be downloaded, are you connected to Guest Portal?"
    WLC 5508  (VM) 7.5
    Wlan : Flexconnect
    Config : AP Flexconnect
    ISE 1.3
    Android 4.1.2
    Here are the steps:
    1: Rule CWA : Redirect to Guest portal : OK
    2: Rule CWA : Redirect to device portal : OK
    3: Rule Android_dualSSID : Downloading "Network setup assistant" from Googleplay : OK
    4: Rule Android_dualSSID :  Launch "Network setup assistant 1.2.40"  : NOK
    Note : Profile "CWA_GooglePlay" = Redirect-ACL (NSP-ACL-Google)
    The NSP-ACL-Google looks like:
    (Taken from Flexconnect AP):
    Extended IP access list NSP-ACL-Google
        10 permit ip any host <IP ISE>
        20 permit ip host <IP ISE> any
        30 permit udp any range 0 65535 any eq domain
        40 permit udp any eq domain any range 0 65535
        50 permit ip any 74.128.0.0 0.0.255.255
        60 permit ip 74.128.0.0 0.0.255.255 any
        70 permit ip any 173.194.0.0 0.0.255.255
        80 permit ip 173.194.0.0 0.0.255.255 any
        90 permit ip any 206.111.0.0 0.0.255.255
        100 permit ip 206.111.0.0 0.0.255.255 any
        110 permit ip any 74.125.0.0 0.0.255.255
        120 permit ip 74.125.0.0 0.0.255.255 any
        130 permit ip any 208.117.224.0 0.0.0.255
        140 permit ip 208.117.224.0 0.0.0.255 any
        150 permit ip any 216.12.120.0 0.0.0.255
        160 permit ip 216.12.120.0 0.0.0.255 any
        170 deny ip any any
    Could you please help?
    Michel Misonne

    Hello
    We use the one described in "Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD".
    I tried also with this one:
    Extended IP access list NSP-ACL-Google
        10 permit ip any host 10.35.124.195
        20 permit ip host 10.35.124.195 any
        30 permit ip any host 10.35.65.4
        40 permit ip host 10.35.65.4 any
        50 deny ip any 72.163.1.0 0.0.0.255
        60 permit ip any any
    10 : ISE
    20 : ISE
    30 : DNS
    40 : DNS
    50 : Enroll.cisco.com = 72.163.1.80 (to redirect the Network setup assistant to ISE)
    (Enroll.cisco.com is the address that the Network setup assistant is trying to connect to)
    Regards
    Michel
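To check which line of a redirect ACL a given flow hits before pushing it to the controller, here is an added example (not code from the thread or from Cisco): a small parser for IOS-style extended ACLs with a first-match evaluator. The two ACLs are constructed, abridged copies of the NSP-ACL-Google variants posted above, with the "<IP ISE>" placeholder replaced by the 10.35.124.195 address from the second post; the client addresses are made up. Treating a denied flow as the one that gets redirected to ISE, and a permitted one as passing through, follows the poster's own annotation of line 50 and is an assumption here.

```python
"""Which line of a WLC / FlexConnect redirect ACL does a flow hit?

Added example: parser, flows and the "deny = redirect" reading are not from
the thread or from Cisco. ACL texts are constructed copies of the posted ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "www": 80}  # IOS port keywords used in these ACLs

ACL_GOOGLE_V1 = """
10 permit ip any host 10.35.124.195
20 permit ip host 10.35.124.195 any
30 permit udp any range 0 65535 any eq domain
40 permit udp any eq domain any range 0 65535
50 permit ip any 74.128.0.0 0.0.255.255
60 permit ip 74.128.0.0 0.0.255.255 any
70 permit ip any 173.194.0.0 0.0.255.255
80 permit ip 173.194.0.0 0.0.255.255 any
170 deny ip any any
"""

ACL_ENROLL_V2 = """
10 permit ip any host 10.35.124.195
20 permit ip host 10.35.124.195 any
30 permit ip any host 10.35.65.4
40 permit ip host 10.35.65.4 any
50 deny ip any 72.163.1.0 0.0.0.255
60 permit ip any any
"""


@dataclass
class AclEntry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sports: Tuple[int, int]     # inclusive source port range
    dst: ipaddress.IPv4Network
    dports: Tuple[int, int]     # inclusive destination port range


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; only contiguous masks are supported."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_ports(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i        # no port qualifier: any port


def parse_acl(text: str) -> List[AclEntry]:
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Extended":   # skip an "Extended IP access list" header
            continue
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (len(entries) + 1) * 10
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sports, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dports, i = _parse_ports(tokens, i)
        entries.append(AclEntry(seq, action, proto, src, sports, dst, dports))
    return entries


def first_match(entries, proto, src, sport, dst, dport) -> Optional[AclEntry]:
    """First entry the flow hits, or None for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if (s in e.src and d in e.dst
                and e.sports[0] <= sport <= e.sports[1]
                and e.dports[0] <= dport <= e.dports[1]):
            return e
    return None


def redirect_decision(entries, proto, src, sport, dst, dport):
    """(sequence number or None, 'pass' | 'redirect') for the flow.
    Assumption: a denied flow is redirected to ISE, a permitted one passes untouched."""
    e = first_match(entries, proto, src, sport, dst, dport)
    action = e.action if e else "deny"
    return (e.seq if e else None), ("redirect" if action == "deny" else "pass")


if __name__ == "__main__":
    # enroll.cisco.com (72.163.1.80 per the second post) over HTTPS from a constructed client
    for name, acl in (("v1", parse_acl(ACL_GOOGLE_V1)), ("v2", parse_acl(ACL_ENROLL_V2))):
        print(name, redirect_decision(acl, "tcp", "10.1.1.5", 40000, "72.163.1.80", 443))
```

Under the first ACL the enrollment host falls through to line 170 and is redirected, which is what the poster wanted; the difference in the second ACL is that everything not explicitly denied passes, so only the 72.163.1.0/24 destination is sent to ISE.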

  • ISE BYOD Onboarding

    Hi,
    I have a lab setup with ISE 1.3, WLC 5508 7.6.130.0. I have set up the ISE using Setup Assistant as a base point and have managed to get a couple of things working, such as the Guest Portal with Self Registration, standard wireless dot1x authentication and authorizations for notebooks using AD. I have also set up a separate Wi-Fi network for mobile devices using AD authentication.
    All 3 scenarios work with a bit of fine tuning and with the following configurations.
    Separate Guest-Wifi - Self registration - Works
    Separate Corporate Wifi - AD Authentication - profiling and posture check - Works
    Separate BYOD Wifi - AD Authentication - Works.
    The problem I have is that when I enable device registration on the BYOD Wi-Fi, I get intermittent issues as follows:
    1 iPad connects and registers without failure, iOS 8.1.1.
    Other iPad with same iOS connects but cannot register; gets BYOD Portal page, but after accepting AUP gives error about unsupported browser.
    iPhone 5s, iOS 8.1.1, connects and registers intermittently, and when it fails it gets BYOD Portal page, but after accepting AUP gives error about unsupported browser.
    iPhone 4s, iOS 8.1.1, connects but cannot register; gets BYOD Portal page, but after accepting AUP gives error about unsupported browser.
    Can someone please advise why this is happening, as I cannot see how it's a configuration error. I have checked the supported OS and browsers for the portal, and although the highest supported iOS is 8.0, why does the 1 iPad work every time and the iPhone 5s intermittently?
    thanks.
    Julian.

    Supported iOS versions in ISE 1.3: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html#49426
    Client Machine Operating System   Web Browser   Supplicants (802.1X)
    Apple iOS 8.0                     Safari        Apple iOS Supplicant 8.0
    Apple iOS 7.x                     Safari        Apple iOS Supplicant 7.x
    Apple iOS 6.x                     Safari        Apple iOS Supplicant 6.x
    Apple iOS 5.1                     Safari        Apple iOS Supplicant 5.1
    Apple iOS 5.0.1                   Safari        Apple iOS Supplicant 5.0.1

  • ISE BYOD with Android device

    Hi,
    I deployed ISE for BYOD and it's working fine for Windows and Apple devices. The issue is with Android. Sometimes I can register the devices in the My Devices portal and ISE will redirect me to download the network assistant tool, and sometimes it refuses to register the devices and shows this error for some devices: "unsupported operating system type encountered", and this error for the others: "We are unable to determine access privileges in order to access the network. Please contact your administrator".
    Does anyone know how to solve this issue?
    Thanks in advance.

    OK, so the obvious things for the first part of the problem are:
    Is the Android client using a supported OS? Check here:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
    Are you using the latest Supplicant Provisioning plugins in ISE? And are you using the latest version of ISE?
    Do the failing Clients have anything in common? Same hardware, OS Version, etc?
    The second issue, where you get "We are unable to determine access privileges in order to access the network. Please contact your administrator", is typically caused by one of three things. Either your client has been idle for too long and the session has timed out, the ISE hasn't been able to profile your device yet (and so doesn't know how to provision it), or you haven't configured ISE with an Android supplicant provisioning config.
    Finally, I've had that last problem before, albeit on a different handset; I missed some ports/protocols/hosts on my ACL.

  • ISE, BYOD: win clients reject ISE local-certificate

    Hello!
    We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.
    Windows clients cannot connect to 802.1x SSID with the following error on ISE:
        Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    The client doesn't have a preconfigured Wi-Fi profile or root certificate installed.
    The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured Wi-Fi profiles.
    The problem is that the Windows 7 supplicant does not send a TLS alert in a pop-up window when connecting to the 802.1x SSID.
    If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the root cert, get your own cert, etc.
    So, the question is: how to make the Windows supplicant show the pop-up window with the TLS alert?
    P.S.: the attached file shows an example of the pop-up TLS alert window.

    Are there any recommendations from Cisco about the issue with Windows?
    I believe there's a new version of smart solution design guide coming up.
    The current one does not mention anything to do with certs in "User Experience" chapter.
    You can check one of the possible approaches in Nico's document:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    (It can be easily expanded.)
    I think, regarding PEAP, we will always say that the cert or the root/sub CA cert should already be trusted on the device when performing enrollment.
    Will try to dig in; can't say I promise to get something concrete though.

  • ISE BYOD on-boarding

    Hi guys.
    I was watching some videos about ISE device on-boarding: how to connect to a WLAN if an employee brings his own device to the job.
    There is a screenshot of this process:
    I just have one question. An employee brings his own device, we let him authenticate, we bring him certificates and he can use EAP-TLS at the end.
    But how do we know that he is our employee? Are there some steps missing (that we need to add his device MAC address somewhere on the "whitelist"), or is this just the wrong name for the example; should it be guest access, not employee access on-boarding?
    What do you guys think?

    Hi,
    The user will have to provide AD credentials when authenticating via PEAP, for example, or you can have them authenticate from the web portal or the My Devices portal; from there you can do a check based on their AD group membership to see if they are handed the supplicant provisioning portal. This will allow you to tighten down your BYOD policy.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE, BYOD: guest clients provisioning

    Hello!
    The question is about provisioning different types of wifi clients through the ISE Guest portal.
    ISE 1.1.4, WLC 7.4.100 (Guest WLAN uses MAB)
    Suppose, there are two groups of wireless clients:
    1) guest user, whose credentials are created through the ISE Sponsor Portal
    2) domain user, who has credentials in ActiveDirectory
    The aim is to provision domain user, and not provision guest user.
    When a client connects to the Guest SSID and opens the browser, he is redirected to the ISE Guest portal.
    When the client uses a domain user he is provisioned, and when he uses guest credentials he is not provisioned.
    How does ISE understand that the domain user must be provisioned and the guest user must not be provisioned if the web portal is configured to provision everyone?
    (Web Portal -> Settings -> Enable Self-Provisioning flow)

    The answer is that typically you either know that MAC address or you have something installed (NAC agent?) and fulfill some requirements.
    Alternatively, you can perform CWA first (and...)
    Then if user is part of guest users -> allow internet only access
    If user is part of AD -> send him to do registration.
    Authorization policy allows you to use "identity group" as part of condition.
    If device registered -> allow full access. (just an idea).
    M.

  • ISE , BYOD iphone issue!! client provisioning

    Guys, when I send down a profile using the native supplicant for iPhone, the iPhone gets it but it does not automatically select TLS on the SSID.
    Here is what happens:
    iPhone connects to BYOD-SSID
    credentials entered
    client provisioning process
    ** if Auto-Login is selected, problem with self registration!!!!!!!!
    bunch of security errors, profile is downloaded
    iPhone reconnects to BYOD-SSID with the credentials initially entered (therefore MSCHAPv) not TLS
    in client provisioning cycle.
    NOW!!!!
    Go back to BYOD-SSID and "forget the network", reconnect again, manually select TLS using the profile previously downloaded, and everything works!!!!
    Too many freaking steps for BYOD!!!! I can't have my client tell his employees to do that.
    Any ideas?

    Marcin,
    I have not had the problems you are discussing. What version of code are you running, and I assume you are using the single-SSID method? In my experience I have seen where the new profile overwrites the old PEAP profile, and after the CoA hits, the client then uses EAP-TLS to connect.
    Can you provide screenshots of the experiences you are having?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE BYOD Error: "We are unable to determine access privileges" on redirect

    I am running ISE 1.1.1 and have gone through the design guide and set up the certificate-based wireless authentication and device registration process using the ISE as a SCEP proxy for handing out certificates. On the device registration portal, instead of showing the device MAC, the policy services node MAC shows up and I get an error that says "We are unable to determine access privileges in order to access the network. Please contact your administrator."
    Then an hour later I can connect just fine. The authentication logs on ISE are exactly the same in both cases. So it seems like a bug; I opened a TAC case but am also posting here.

    I haven't opened a TAC case and haven't seen this issue since I first set this up.
    Can you go to your devices portal (https://ipofise:8443/mydevices), log in using your credentials and see if the device is registered or the status is set to lost? I would suggest deleting it if it is there and trying to go through the process again.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE BYOD Microsoft SCEP NDES 802.1x The SCEP server returned an invalid response

    Hello, 
    Using ISE 1.2 with WLC and on-boarding with single SSID. On occasion the error 'The SCEP server returned an invalid response' is received on the iPhone being on-boarded; this is intermittent. The issue resolves itself in time. Any ideas on troubleshooting? Thanks

    On the NDES server regedit EnforcePassword = 0 and still having issues.  
    This has been done as well;
    It is possible for ISE to generate URLs that are too long for the IIS web server. In order to avoid this problem, the default IIS configuration can be modified to allow for longer URLs. Enter this command from the NDES server CLI:
    %systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost

  • ISE used for BYOD and Corporate

    Hello
    I have a customer currently using EAP-PEAP on both their corporate laptops and wireless phones on different SSIDs; the RADIUS servers are a pair of IAS servers. We have recently deployed ISE BYOD for them with a single BYOD SSID. Now they want to completely get rid of the IAS and move all RADIUS to the ISEs, but want to keep EAP-PEAP for laptops and phones.
    I am thinking about the authorization rules in the ISE. Now they have 3 types of access using EAP-PEAP; a user must at least belong to the Employee AD group, but he may or may not belong to the BYOD and/or PHONE groups as well. The authentication results should be something like:
    1. if Corporate Laptop  then Permit Access
    2. if BYOD then NSP
    3. if Phone then Permit Access
    I am just wondering what the best way is to classify the devices (to decide the following action) without relying on profiling. Surely they all come from different SSIDs, so I could check the WLAN ID to determine what action to follow, but that would require making sure all the WLCs have the same WLAN ID for each SSID. Is there any better or neater way of doing this? What is the best practice for this kind of scenario?
    Thanks

    If we're talking purely SSIDs, you can match the name of the SSID.
    For example here, I'm matching an SSID of "mlatosie".
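To show why matching the SSID name holds up across controllers while matching the WLAN ID does not, here is an added example that is not from the thread or from Cisco ISE. It models the poster's three outcomes as an ordered, first-match rule set keyed on two things an ISE authorization policy can evaluate: the RADIUS Called-Station-ID, which the WLC suffixes with the SSID name (the value "f0:25:72:3d:3c:d0:ISE BYOD" in a log further down this page shows the format), and the AD groups resolved for the user. The SSID names, group names, WLAN-ID numbering and requests are all constructed.

```python
"""First-match authorization keyed on SSID name versus on WLAN ID.

Added example, not from the thread or from Cisco ISE; names and requests are
constructed. The Called-Station-ID format "<AP MAC>:<SSID>" is as the WLC sends it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed AD groups: the poster's rule is "Employee always, BYOD / PHONE optionally".
EMPLOYEE = "example.local/users/employees"
BYOD_GROUP = "example.local/users/byod"
PHONE_GROUP = "example.local/users/phone"


@dataclass
class Request:
    called_station_id: str       # "<AP MAC>:<SSID>" from the WLC
    external_groups: List[str]   # AD groups ISE resolved for the user
    wlan_id: int                 # Airespace-Wlan-Id; numbering is per controller


@dataclass
class Rule:
    name: str
    ssid: str
    required_groups: List[str]
    result: str                  # authorization profile


# The three outcomes from the post, plus a constructed catch-all.
RULES = [
    Rule("Corporate Laptop", "CORP-WIFI", [EMPLOYEE], "PermitAccess"),
    Rule("BYOD", "BYOD-WIFI", [EMPLOYEE, BYOD_GROUP], "NSP"),
    Rule("Phone", "PHONE-WIFI", [EMPLOYEE, PHONE_GROUP], "PermitAccess"),
]
DEFAULT = ("Default", "DenyAccess")

# WLAN IDs as the first controller happens to number its SSIDs (constructed).
WLAN_ID_ON_WLC1: Dict[str, int] = {"CORP-WIFI": 1, "PHONE-WIFI": 2, "BYOD-WIFI": 3}

_CSID = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}:(.+)$", re.IGNORECASE)


def ssid_of(called_station_id: str) -> str:
    """SSID suffix of a Called-Station-ID; '' if the controller sent only the AP MAC."""
    m = _CSID.match(called_station_id)
    return m.group(1) if m else ""


def _has_groups(req: Request, required: List[str]) -> bool:
    have = {g.lower() for g in req.external_groups}
    return all(g.lower() in have for g in required)


def evaluate_by_ssid(req: Request) -> Tuple[str, str]:
    """Top-down, first match wins, like an ISE authorization policy."""
    ssid = ssid_of(req.called_station_id)
    for rule in RULES:
        if ssid == rule.ssid and _has_groups(req, rule.required_groups):
            return rule.name, rule.result
    return DEFAULT


def evaluate_by_wlan_id(req: Request) -> Tuple[str, str]:
    """Same rules keyed on WLAN ID; only right while every WLC numbers SSIDs alike."""
    for rule in RULES:
        if req.wlan_id == WLAN_ID_ON_WLC1[rule.ssid] and _has_groups(req, rule.required_groups):
            return rule.name, rule.result
    return DEFAULT


if __name__ == "__main__":
    # The same BYOD user seen through two controllers; the second numbers BYOD-WIFI as WLAN 5.
    on_wlc1 = Request("f0:25:72:3d:3c:d0:BYOD-WIFI", [EMPLOYEE, BYOD_GROUP], 3)
    on_wlc2 = Request("00:11:22:33:44:55:BYOD-WIFI", [EMPLOYEE, BYOD_GROUP], 5)
    for req in (on_wlc1, on_wlc2):
        print(evaluate_by_ssid(req), evaluate_by_wlan_id(req))
```

The SSID-keyed evaluation gives the BYOD user NSP on both controllers; the WLAN-ID-keyed one silently drops to the default on the second controller, which is the consistency problem the poster was worried about. In ISE this kind of condition is commonly written against the Called-Station-ID attribute with an ends-with match on the SSID suffix.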

  • Problems with BYOD onboarding with ISE 1.3 Internal CA

    This implementation is leveraging the ISE 1.3 internal CA to enroll certs to authenticated BYOD users. The authentication/authorization profiles and policies are configured for wireless supplicant provisioning for AD-authenticated iOS and Android devices.
    • When the test BYOD user with AD credentials tries to log in, they get redirected to the ISE BYOD provisioning portal.
    • They get to step 3 and successfully install the ISE certificate.
    • They then get a prompt to install the profile service (enroll an identity cert and load the wireless profile). This attempts to install for about 30 seconds and then fails with the message 'Profile installation Failed – The request timed out'.
    The only thing I noticed that may possibly be an issue is that they are using a wildcard cert signed by DigiCert for the ISE identity cert. Or maybe something else needs to be allowed in the provisioning ACL?
    I appreciate any assistance on this.

    A few questions here:
    1. Is this for wired or wireless BYOD
    2. What version of ISE and Controller / Switch are you running
    3. Post a screen shot of the Client Provisioning ACL
    4. Post a screenshot of your AAA policies in ISE
    The wildcard cert should not be OK, as that will only be used for the HTTPS portion of the request, while the EAP session would be based on the ISE CA cert.
    Thank you for rating helpful posts!

  • ISE ver 1.1.2.145 advanced license consumption

    Hello,
    I am puzzled with this scenario when it comes to advanced licensing, any insight is greatly appreciated:
    I have an XP machine that I am using to access the network through ISE authentication and authorization. My authentication is EAP-TLS with machine authentication to simulate a company asset. Every time the XP station connects, ISE consumes a Base license and an Advanced license. Why?? I am not using the profiled group, posture assessment, nor even onboarding in my Authz policy.
    Here is the authorization rule:
    Here is the licensing page:
    base: 1/20    advanced: 1/20
    Here is the only active session from the active session report:
    xp-test.ashour.local | 00:22:FB:1A:59:C2 | 10.30.30.117 | dot1x | EAP-TLS | NotApplicable | N/A | WindowsXP-Workstation | Running | ise
    And here is the live authentication:
    Authentication Summary
    Logged At: December 10,2012 5:27:36.331 PM
    RADIUS Status: Authentication succeeded
    NAS Failure:
    Username: xp-test.ashour.local
    MAC/IP Address: 00:22:FB:1A:59:C2
    Network Device: 5508-WLC : 10.255.255.20 :
    Allowed Protocol: Default Network Access
    Identity Store:
    Authorization Profiles: PermitAccess
    SGA Security Group:
    Authentication Protocol: EAP-TLS
    Authentication Result
    User-Name=xp-test.ashour.local
    State=ReauthSession:0affff140000005550c6598d
    Class=CACS:0affff140000005550c6598d:ise/144192099/4026
    Termination-Action=RADIUS-Request
    MS-MPPE-Send-Key=99:b0:49:f5:e1:eb:20:a6:2b:2a:97:fe:f1:68:a0:02:a7:98:3c:03:12:2a:90:70:3a:6c:fd:ed:1c:3b:bc:4b
    MS-MPPE-Recv-Key=8e:c8:88:f8:fb:75:02:3d:32:48:8a:b0:9e:7d:74:5d:04:f7:de:48:3c:b9:c3:e7:36:e5:05:f3:c7:6c:21:7d
    Related Events
    Dec 10,12 5:27:36.072 PM | Radius authentication passed for USER: CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE: | Radius authentication passed
    Dec 10,12 5:23:56.647 PM | Radius authentication passed for USER: CALLING STATION ID: 00:22:FB:1A:59:C2 AUTHTYPE: | Radius authentication passed
    Dec 10,12 5:06:07.317 PM | Radius accounting start | Radius accounting start
    Authentication Details
    Logged At: December 10,2012 5:27:36.331 PM
    Occurred At: December 10,2012 5:27:36.331 PM
    Server: ise
    Authentication Method: dot1x
    EAP Authentication Method: EAP-TLS
    EAP Tunnel Method:
    Username: xp-test.ashour.local
    RADIUS Username: host/xp-test.ashour.local
    Calling Station ID: 00:22:FB:1A:59:C2
    Framed IP Address:
    Use Case:
    Network Device: 5508-WLC
    Network Device Groups: Device Type#All Device Types#WIRELESS,Location#All Locations#ASHOUR RESIDENCE
    NAS IP Address: 10.255.255.20
    NAS Identifier: ASHOUR-WLC1
    NAS Port: 1
    NAS Port ID:
    NAS Port Type: Wireless - IEEE 802.11
    Allowed Protocol: Default Network Access
    Service Type: Framed
    Identity Store:
    Authorization Profiles: PermitAccess
    Active Directory Domain:
    Identity Group: Profiled:Workstation
    Allowed Protocol Selection Matched Rule: Dot1X
    Identity Policy Matched Rule: Default
    Selected Identity Stores:
    Authorization Policy Matched Rule: Company asset
    SGA Security Group:
    AAA Session ID: ise/144192099/4026
    Audit Session ID: 0affff140000005550c6598d
    Tunnel Details: Tunnel-Type=(tag=0) VLAN,Tunnel-Medium-Type=(tag=0) 802,Tunnel-Private-Group-ID=(tag=0) 30
    Cisco-AVPairs: audit-session-id=0affff140000005550c6598d
    Other Attributes: ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,CPMSessionID=0affff140000005550c6598d,EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,Device Type=Device Type#All Device Types#WIRELESS,Location=Location#All Locations#ASHOUR RESIDENCE,Model Name=5508,Software Version=7.2,Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD
    Posture Status: NotApplicable
    EPS Status:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12568  Lookup user certificate status in OCSP cache
    12570  Lookup user certificate status in OCSP cache succeeded
    12554  OCSP status of user certificate is good
    12568  Lookup user certificate status in OCSP cache
    12570  Lookup user certificate status in OCSP cache succeeded
    12554  OCSP status of user certificate is good
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    22037  Authentication Passed
    12506  EAP-TLS authentication succeeded
    11503  Prepared EAP-Success
    Evaluating Authorization Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    15016  Selected Authorization Profile - PermitAccess
    11002  Returned RADIUS Access-Accept

    Hi,
    Please make sure that profiling is disabled for this node; it seems as if the RADIUS probe and the user agent are learned via the HTTP probe.
    It also seems as if you are hitting this bug. I understand the description doesn't line up, but you may want to have TAC clarify whether this isn't experienced on authenticating networks:
    CSCub56607
    Cisco ISE applies a wireless access session against the Advanced license allowable user count when it should not
    The wireless session in question should be applied against the Base license count. This issue has been observed in Cisco ISE, Release 1.1.1, where the following functions are set:
    • MAC Filtering is enabled on the SSID and the Central Web Authentication authorization policy is applied
    • Profiling is disabled
    • Posture is disabled
    • The device in question has not been registered via the My Devices Portal
    Note There is no known workaround for this issue.
    Tarik Admani
    *Please rate helpful posts*
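The reply's advice rests on reading the live log for evidence that profiling touched the session. Here is an added example (not code from the thread or from Cisco ISE) that turns one ISE live-authentication record into a short summary: it parses the Steps list and the comma-separated "Other Attributes" line, counts the RADIUS round trips, notes the EAP method, OCSP result and selected authorization profile, and flags a learned endpoint profile or profiled identity group as profiling evidence. The sample record is a constructed, abridged copy of the log posted above; the step codes and attribute names are the ones that appear there.

```python
"""Summarise an ISE live-authentication record (Steps + "Other Attributes").

Added example, not part of the thread or of Cisco ISE. SAMPLE_STEPS and
SAMPLE_ATTRS are constructed abridgements of the log posted above.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_STEPS = """
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
12800  Extracted first TLS record; TLS handshake started
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
12568  Lookup user certificate status in OCSP cache
12554  OCSP status of user certificate is good
12816  TLS handshake succeeded
12509  EAP-TLS full handshake finished successfully
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
Evaluating Identity Policy
15006  Matched Default Rule
22037  Authentication Passed
12506  EAP-TLS authentication succeeded
11503  Prepared EAP-Success
Evaluating Authorization Policy
15016  Selected Authorization Profile - PermitAccess
11002  Returned RADIUS Access-Accept
"""

SAMPLE_ATTRS = (
    "ConfigVersionId=5,DestinationPort=1812,Protocol=Radius,Framed-MTU=1300,"
    "State=37CPMSessionID=0affff140000005550c6598d;28SessionID=ise/144192099/4026;,"
    "Airespace-Wlan-Id=1,ExternalGroups=ashour.local/users/domain computers,"
    "EndPointMACAddress=00-22-FB-1A-59-C2,EndPointMatchedProfile=WindowsXP-Workstation,"
    "HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation,"
    "Device IP Address=10.255.255.20,Called-Station-ID=f0:25:72:3d:3c:d0:ISE BYOD"
)

_STEP = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")
_CSID = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}:(.+)$", re.IGNORECASE)


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """(code, message) per line; phase headers such as 'Evaluating ...' get code ''."""
    out = []
    for line in text.strip().splitlines():
        m = _STEP.match(line)
        out.append((m.group(1), m.group(2)) if m else ("", line.strip()))
    return out


def parse_other_attributes(line: str) -> Dict[str, str]:
    """Comma-separated key=value items, split on the first '=' only, because
    values such as State=37CPMSessionID=...;28SessionID=...; contain '=' themselves.
    A value holding a literal ',' would be split; this record has none."""
    attrs: Dict[str, str] = {}
    for item in line.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def ssid_from_called_station_id(value: str) -> Optional[str]:
    m = _CSID.match(value)
    return m.group(1) if m else None


def summarize(steps_text: str, attrs_line: str) -> Dict[str, object]:
    steps = parse_steps(steps_text)
    codes = [code for code, _ in steps]
    attrs = parse_other_attributes(attrs_line)
    authz = next((msg.split(" - ", 1)[1] for code, msg in steps
                  if code == "15016" and " - " in msg), None)
    return {
        "result": "Access-Accept" if "11002" in codes else "no Access-Accept",
        "eap_method": "EAP-TLS" if "12506" in codes else None,
        "access_requests": codes.count("11001"),
        "access_challenges": codes.count("11006"),
        "ocsp_good": "12554" in codes,
        "authz_profile": authz,
        "wlan_id": attrs.get("Airespace-Wlan-Id"),
        "ssid": ssid_from_called_station_id(attrs.get("Called-Station-ID", "")),
        "matched_profile": attrs.get("EndPointMatchedProfile"),
        # The reply's point: a matched endpoint profile or a Profiled identity group
        # in the record means the profiler touched this endpoint.
        "profiling_evidence": any(k in attrs for k in ("EndPointMatchedProfile", "HostIdentityGroup")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STEPS, SAMPLE_ATTRS).items():
        print(f"{key:20} {value}")
```

Run against the record above, the summary shows an EAP-TLS Access-Accept with a good OCSP answer and PermitAccess selected, and profiling_evidence comes back true from EndPointMatchedProfile and HostIdentityGroup, which is what the reply is pointing at when it asks to confirm profiling is disabled on that node.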

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need NAC any more, or if that's not the case, what additional benefits does it bring that ISE can't support?
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind, though, that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!
