ISE device registration WebAuth with WLC 7.0 LWA

Is it possible to use the DRW feature with WLCs running 7.0 code?  All configuration examples refer to 7.2 code.  It's only for guest user device registration.  No profiling / provisioning.
Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
Thanks.

Hi,
The reason you need to run the upgraded code is that on it the RADIUS NAC feature and a MAC-filtering-enabled SSID work together. On the prior release you were unable to get both features to work with one another.
For your reference here is the item in the New Features section of the 7.2 WLC release notes:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE CWA WebAuth with WLC

    Hi all,
    I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
    as the redirect page.
    I'm using ISE 1.1.2 and WLC version 7.3.101
    1- I have an issue authenticating with Chrome on W7 and Android. I receive the splash page, I can authenticate but I always receive this error message. With IE and Firefox I can accept and add an exception and authenticate successfully.

    Hi,
    Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow DNS and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use MAC filtering as your L2 authentication.
    This will help in your redundant scenario so that when one ISE goes down the second ISE can send the CWA over to it.
    As far as certs if you are using mobile devices you may want to consider 3rd party certs.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • AADSync and Azure Active Directory Device Registration Service

    Now I try to implement Azure Active Directory Device Registration Service with AADSync.
    According to step-by-step guide, it has to execute "Enable-MSOnlineObjectManagement" cmdlet.
    Step-by-Step Guide for On-premises Conditional Access using Azure Active Directory Device Registration Service
    https://msdn.microsoft.com/en-us/library/azure/dn788908.aspx
    Unfortunately, AADSync doesn't have "Enable-MSOnlineObjectManagement", and I can't find a similar cmdlet.
    I'm looking for a cmdlet for device object synchronization.
    Does anyone know an alternate cmdlet?

    Hi,
    Thanks for your post.
    You need to run "Import-Module DirSync" in PowerShell; then, running the command "Get-Command -m Microsoft.Online.Coexistence.PS.Config", you will find the cmdlet "Enable-MSOnlineObjectManagement".
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Aup+device registration

    Hi All,
    The requirement is to have a corporate user go through the guest portal to register the device and accept the AUP to get full access. We tested with a guest portal with AUP enabled, but the device registration page doesn't appear, and once the AUP is accepted, because the device is not registered, it doesn't go to the next authz rule to get full access. We want to avoid the self-provisioning flow because the network assistant wizards are not necessary. When self-provisioning is enabled the device registration page appears and then the setup wizards download, and for some reason the AUP doesn't show in the portal page.
    how do we enable device registration only with AUP accept page during the on boarding without any network assistance getting downloaded?
    Thanks

    Implementing an Acceptable Use Policy for Employees
    You can require employees to acknowledge an acceptable use policy when using the My Devices portal.
    Customizing the Acceptable Use Policy for Employees
    If  you require employees to acknowledge an acceptable use policy, you must  update the templates to reflect your company's policy.
    Step 1 Choose Administration > Web Portal Management > Settings > My Devices > Language Template.
    Step 2 Click the language for which you want to apply the policy.
    Step 3 Click Configure Acceptable Use Policy Page and update the title and text to follow your company's policy.
    Step 4 Click Save.

  • ISE 1.2 device registration with MAB only, no client provisioning

    Hello,
    Is it possible for AD users (no guest users) to walk through the Device Registration Self Registration without Client Provisioning ?
    I do not want to push certificates or native supplicant profiles to client devices.
    I would just want AD users to register their MAC address, if MAC is not known. Add the MAC to some sort of group.
    Then if MAC is known (in this group), skip registration and allow full access to the VLAN.
    Right now, I am stuck on the registration portal that says "The system administrator has either not configured or enabled a policy for your device". ?? It is true that my Client Provisioning screen is empty.
    Am i really obliged to use native supplicant provisioning to register my device ?
    GN

    Hi
    Device Registration WebAuth is a process where you can register users without client provisioning.
    In this scenario, the guest user connects to the network with a wireless connection that sends an initial MAB request to the Cisco ISE node. If the user’s MAC address is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, ISE responds with a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the user attempts to go to any URL.
    1. A guest user connects to the network using a wireless connection and has a MAC address that is not in the endpoint identity store or is not marked with an AUP accepted attribute set to true, and receives a URL redirection authorization profile. The URL redirection presents the user with an AUP acceptance page when the guest user attempts to go to any URL.
    2. If the guest user accepts the AUP, their MAC address is registered as a new endpoint in the endpoint identity store (assuming the endpoint does not already exist). The new endpoint is marked with an AUP accepted attribute set to true, to track the user’s acceptance of the AUP. An administrator can then assign an endpoint identity group to the endpoint, making a selection from the Guest Management Multi-Portal Configurations page.
    3. If the guest’s endpoint already exists in the endpoint identity store, the AUP accepted attribute is set to true on the existing endpoint. The endpoint’s identity group is then automatically changed to the value selected in the Guest Management Multi-Portal Configurations page.
    4. If the user does not accept the AUP or an error occurs in the creation of the endpoint, an error page appears.
    5. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC.
    6. After the CoA, the NAD/WLC reauthenticates the user’s connection with a new MAB request. The new authentication finds the endpoint with its associated endpoint identity group, and returns the configured access to the NAD/WLC.
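    The six-step flow above, as an added example that is not part of the original post and not ISE's own code: a small Python state machine that plays one client through the MAB lookup, the AUP page, the CoA terminate and the re-authentication, including the decline case and the case where the endpoint already exists but has not accepted the AUP. The in-memory endpoint store, the "GuestEndpoints" group name and the portal URL are assumptions used for illustration.

```python
"""Added example: the ISE Device Registration WebAuth (DRW) decision flow as a small
state machine. Constructed data; store, group name and portal URL are assumptions,
not ISE's implementation."""
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Calling-Station-Id may arrive as 00:11:22:33:44:55, 00-11-..., or 0011.2233.4455;
    key the store on one canonical form so the same device is found every time."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    identity_group: str = "Unknown"
    aup_accepted: bool = False          # the "AUP accepted" endpoint attribute


@dataclass
class Decision:
    access: str                         # "redirect" or "permit"
    identity_group: str = ""
    redirect_url: str = ""


class EndpointStore:
    """Stand-in for the ISE endpoint identity store (constructed, in memory)."""
    def __init__(self):
        self._by_mac = {}

    def get(self, mac):
        return self._by_mac.get(normalize_mac(mac))

    def add(self, ep):
        ep.mac = normalize_mac(ep.mac)
        self._by_mac[ep.mac] = ep
        return ep


class DRWPolicy:
    def __init__(self, store, registered_group="GuestEndpoints",
                 portal_url="https://ise.example.net:8443/guestportal/drw"):  # assumed URL
        self.store = store
        self.registered_group = registered_group   # group chosen in Multi-Portal Configurations
        self.portal_url = portal_url

    def authorize_mab(self, calling_station_id):
        """Steps 1 and 6: unknown MAC or AUP not yet accepted -> URL-redirect profile;
        otherwise permit with the endpoint's identity group."""
        ep = self.store.get(calling_station_id)
        if ep is None or not ep.aup_accepted:
            return Decision("redirect", redirect_url=self.portal_url)
        return Decision("permit", identity_group=ep.identity_group)

    def accept_aup(self, calling_station_id, accepted):
        """Steps 2-5: register or update the endpoint on acceptance and request a CoA
        terminate; on decline nothing is written and the portal shows an error."""
        if not accepted:
            return {"outcome": "declined", "coa": None}
        ep = self.store.get(calling_station_id)
        if ep is None:
            self.store.add(Endpoint(calling_station_id, self.registered_group, True))
            outcome = "registered"
        else:
            ep.aup_accepted = True
            ep.identity_group = self.registered_group   # group is overwritten, not merged
            outcome = "updated"
        return {"outcome": outcome, "coa": "terminate"}


def run_session(policy, calling_station_id, accepts_aup):
    """Play one client connection through the NAD/WLC and return the event trail."""
    first = policy.authorize_mab(calling_station_id)
    if first.access == "permit":
        return [f"mab:permit:{first.identity_group}"]
    events = ["mab:redirect"]
    result = policy.accept_aup(calling_station_id, accepts_aup)   # user lands on the AUP page
    events.append(f"aup:{result['outcome']}")
    if result["coa"] is None:
        return events                                             # error page, no CoA, still redirected
    events.append(f"coa:{result['coa']}")
    again = policy.authorize_mab(calling_station_id)              # NAD re-sends MAB after the CoA
    events.append(f"mab:permit:{again.identity_group}" if again.access == "permit" else "mab:redirect")
    return events


if __name__ == "__main__":
    policy = DRWPolicy(EndpointStore())
    print(run_session(policy, "00:11:22:33:44:55", accepts_aup=True))
    print(run_session(policy, "0011.2233.4455", accepts_aup=True))
```

    A new device produces the trail mab:redirect, aup:registered, coa:terminate, mab:permit:GuestEndpoints; the same device coming back in any Calling-Station-Id format is permitted on the first MAB request; a declined AUP writes nothing to the store, which is why the NAD keeps redirecting that client.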

  • ISE 1.2: Employee with personal device registration

    Hi experts,
    I'm aware of this discussion https://supportforums.cisco.com/discussion/11962026/ise-12-device-registration-mab-only-no-client-provisioning#comment-9371166
    but looking for a detailed configuration to get following to work:
    Employee's have access to the network with their corporate devices. No problem
    Now employees need to be able to use their own mobile devices to get access. There is no definition of what devices are allowed.
    I guess letting employees register their private devices by MAC address on the MyDevices portal would be the most suitable solution.
    Does anyone have a detailed configuration or link how to achieve that?
    Thanks,
    Frank

    Having BYOD access be based on mac address only is not really ideal and also not secure. A mac address can easily be spoofed and consequently your security policy can be bypassed. If you have a PKI environment you can take the EAP-TLS with SCEP approach:
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html
    If you don't have a PKI environment and don't want to mess with certificates you can still use a more secure method than MAC addresses. For instance, you can perform PEAP user authentication. You can create a "special" BYOD AD group and place the authorized users there. Then they can use their AD credentials to authenticate. In the authorization policy you can limit the access for those type of authentications via dACLs (switches) or named access lists (WLCs)
    Hope this helps!
    Thank you for rating helpful posts!

  • Guest WebAuth with ISE and WLC

    I have a couple of issues with this solution:
    a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of misconfiguration?
    b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.
    I think the second issue is in some way related with the first one.
    Thanks in advance
    Daniel Escalante

    I am trying to figure out the protocol sequence:
    1) The PC client gets IP address from the DHCP (anchor WLC in this case)
    2) When the browser is opened and an HTML request is sent, the WLC intercepts it and redirects to ISE
    3) Before the Guest Authentication Portal is displayed in the PC browser, an untrusted certificate message coming from the ISE should be displayed.
    4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed
    5) The user types in their credentials
    6) the Successful Login message is received with the WLC IP address
    7) the user is able to browse the internet
    The problem appears in steps 3 and 4. The untrusted certificate message is first shown with the WLC Virtual IP address and then with the ISE IP address.
    I think the message with the WLC address should not be sent, only the ISE message.
    In Step 6 the successful login message should indicate the ISE IP address, not the WLC Virtual IP address.
    I will appreciate your assistance to clarify the event sequence and proper functionality
    Thanks in advance.
    Daniel Escalante.

  • Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

    Dear experts,
    We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD username and password on the Guest portal, which then redirects them to the device registration portal where they simply register their device and get internet access.
    The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are in the same group in AD. Also, we have enabled this check in two places. One is when a user connects to the SSID, where the security WPA2-Enterprise uses 802.1X and asks for the AD username and password. The other is on the portal.
    All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobile device. When the user enters their credentials, the same guest portal page comes back blank with no errors or logs anywhere.
    Can someone guide me if there is some configuration mistake that I may have done or have someone faced this same issue and were/weren't able to resolve it.
    Thanks in advance.
    Jay

    Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on AD User Account is carried out using the User ID. However, during Web Authentication, Login ID/Name is also checked by ISE and should be same as User ID.
    The problem you are facing might also be related to AD, since we had a similar issue. Try to check this on a laptop, as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication, which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentication logs on for long, it can hang your ISE.
    Anyways, thanks for all the support.

  • How do I skip the Device Registration Portal for Cisco ISE web portal

    I have set up a sponsor and guest portal system for wireless guest access to the internet using ISE v1.2.0.899 virtual and a WLC 5500 running 7.4. After logging into the initial page, the guest user is directed to the Device Registration Portal. Entering a MAC address value puts the user in a continuous failing loop. But, if they just hit the "continue" button at the bottom of the page, they will be directed onward and have internet access as was intended. I have no requirement for guest users to register their devices. What do I need to do to remove the device registration portal from the log-on sequence for guest user access? Thanks!

    Hello Scoot,
    You make a list of the MAC addresses of corporate devices, and set a rule so that if authentication doesn't happen only these devices can do the self-registration.
    I hope this works for you

  • ISE 1.2 With WLC and AD

    Hi everyone,
    What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a LAB environment? Currently the following are done.
    The wireless network is configured with 2 SSID (Staff and Guest) 
    Active Directory, DNS, DHCP, and  NTP configured & synced.
    ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
    Please provide your thoughts and assistance.
    Regards

    You have to implement dot1x and RADIUS between your NAD and the ISE device.
    Using a 3850 switch, these are the steps: 
    username RADIUS-HEALTH password radiusKey1 privilege 15
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    ! dynamic-author lets the ISE PSNs send CoA (the session terminate used after AUP acceptance);
    ! the key must match the shared secret defined for this NAD in ISE. "server-key 7 ..." expects an
    ! already-encrypted string, so a plain-text key is given without the type-7 marker.
    aaa server radius dynamic-author
     client 172.16.1.18 server-key radiusKey
     client 172.16.1.20 server-key radiusKey
    ip domain-name lab.local
    ip name-server 172.16.1.1
    dot1x system-auth-control
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport voice vlan 50
     switchport access vlan 10
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    ip access-list extended ACL-ALLOW
     permit ip any any
    ! RADIUS and syslog to ISE are sourced from this SVI; its address is the NAD IP you define in ISE
    ip radius source-interface Vlan100
    logging origin-id ip
    logging source-interface Vlan100
    logging host 172.16.1.20 transport udp port 20514
    logging host 172.16.1.18 transport udp port 20514
    snmp-server community ciscoro RO
    snmp-server community public RO
    snmp-server trap-source Vlan100
    snmp-server source-interface informs Vlan100
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 10 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    !defining ISE servers
    radius server ISE-RADIUS-1
     address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
     automate-tester username RADIUS-HEALTH idle-time 15
     key radiusKey
    Please be sure that NTP servers and time are synchronized. 
    enable dot1X on windows machine, or using cisco NAM. 
    you can enable debugging on aaa authentication to see the events. 
    You have to create this user on ISE (RADIUS-HEALTH). 
    3850#test aaa group radius <username> <password> new-code 
    and observe the result. You are supposed to see the user authenticated successfully. 
    You must also define these devices in ISE on the RADIUS interface.
    ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE. 
    administration-->network resources -->Network Devices-->Add
    input the name
    input the Ip address for radius communication
    select the authentication settings and fill in the corresponding shared secret RADIUS key
    select snmp settings and select version 2c. 
    snmp community : ciscoro
    you can customize the polling interval if you want and that all. 
    you are supposed to see messages exchanged between your NAD and ISE. 
    After you can do the procedure for WLC device. 
    I will fill it after you have passed the first steps (3850 authentication). 
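    As an added example of what the "test aaa group radius" command and a MAB lookup actually put on the wire (this is not the poster's configuration and not Cisco code), the following Python builds and parses a RADIUS Access-Request with the User-Password hiding of RFC 2865 and the Message-Authenticator of RFC 2869, the two places where the shared secret configured under "radius server" and in the ISE network-device entry has to match. The MAC, NAS address and secret are constructed sample values; the hyphenated lower-case MAC format is an assumption (delimiter and case are NAD settings).

```python
"""Added example: a MAB Access-Request as a NAD sends it to ISE (RFC 2865 / RFC 2869).
MAC, NAS address and shared secret below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute numbers from RFC 2865 / RFC 2869
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
SERVICE_TYPE_CALL_CHECK = 10      # value "radius-server attribute 6" sends for MAB
NAS_PORT_TYPE_WIRELESS = 19       # Wireless-IEEE-802.11 (a switch port would send 15)


def fmt_mac(mac: str) -> str:
    """Hyphenated lower-case MAC (assumed NAD format); accepts :, - or . separated input."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; block_i = p_i XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")     # strip padding only; a MAC string never ends in NUL


def _attr(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_mab_request(mac: str, nas_ip: str, secret: bytes, ident: int = 1,
                      authenticator: bytes = None) -> bytes:
    """MAB: User-Name and User-Password are both the MAC; Service-Type Call-Check tells
    the server this is a MAC lookup, not a PAP login."""
    authenticator = authenticator or os.urandom(16)
    mac_str = fmt_mac(mac).encode()
    body = (_attr(USER_NAME, mac_str)
            + _attr(USER_PASSWORD, hide_password(mac_str, secret, authenticator))
            + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
            + _attr(CALLING_STATION_ID, mac_str)
            + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS)))
    zero_ma = _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + len(zero_ma)) + authenticator
    digest = hmac.new(secret, header + body + zero_ma, hashlib.md5).digest()  # HMAC over zeroed MA
    return header + body + _attr(MESSAGE_AUTHENTICATOR, digest)


def parse(packet: bytes):
    """(code, id, authenticator, {type: [values]}), with the length checks a server must do."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(kind, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    _, _, _, attrs = parse(packet)            # validates structure before any offset is trusted
    if MESSAGE_AUTHENTICATOR not in attrs:
        return False
    buf, pos = bytearray(packet), 20
    while pos < len(buf):
        kind, alen = buf[pos], buf[pos + 1]
        if kind == MESSAGE_AUTHENTICATOR:
            buf[pos + 2:pos + alen] = b"\x00" * (alen - 2)
        pos += alen
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(attrs[MESSAGE_AUTHENTICATOR][0], expected)


def mab_lookup_view(packet: bytes, secret: bytes) -> dict:
    """What the RADIUS server sees once it applies the NAD's shared secret."""
    _, _, authenticator, attrs = parse(packet)
    return {
        "username": attrs[USER_NAME][0].decode(),
        "password": reveal_password(attrs[USER_PASSWORD][0], secret, authenticator),
        "calling_station_id": attrs[CALLING_STATION_ID][0].decode(),
        "call_check": struct.unpack("!I", attrs[SERVICE_TYPE][0])[0] == SERVICE_TYPE_CALL_CHECK,
        "message_authenticator_ok": message_authenticator_ok(packet, secret),
    }
```

    The practical point for the network-device definition in ISE: the shared secret keys both the password hiding and the Message-Authenticator, so a key mismatch between the "radius server" stanza and the ISE entry shows up as a failed Message-Authenticator check (or, where the server does not require one, as a revealed "password" that never matches the MAC), not as a reachability problem. The length checks in parse() are the minimum a server needs before trusting any attribute offset in a packet from the network.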

  • ISE 1.2 Guest Portal - Device registration portal

    Hello,
    I have a problem with the following setup:
    - Cisco ISE 1.2 (latest patch)
    - Cisco WiSM with 7.0.220.0 (first generation)
    I have built guest access via ISE. Because the WiSM's highest version is 7.0.X I used LWA with a redirect to the ISE guest portal. When using the Guest SSID with an iPad the client is redirected to the ISE guest portal and the user can enter his credentials (delivered by the sponsor). After clicking "Sign On" the client is forwarded to the "Device Registration Portal" of ISE and needs to register his MAC address.
    We have tried a lot of different settings but we cannot switch off the forward to the "Device Registration Portal". We only want to use the Guest User portal.
    Please can someone help me to find a solution for this problem?
    Thank you in advance.

    I know this might be reaching, but have you turned off the My Devices portal?
    If so, an idea of the different settings you have already tried might help.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.2 Device registration problem

    I'm trying to get the device registration to work, but keep getting "Device not supported" or "Unable to obtain the user information".
    I cannot seem to find any information on those errors from the manuals.
    What are the possible solutions to get it working ? If the device is not supported, does it mean, that the profiling failed or something else ?
    ISE 1.2

    Hi Harri,
    What kind of authentication are you doing for these users? MAB, Dot1x? Also is this issue seen with all devices, or just a few ( i.e. same type, same vendor...)?
    If this is self-registration for guest users, there is a known issue with using Custom Guest Portal. The defect details are given below :
    https://tools.cisco.com/bugsearch/bug/CSCui77336/?reffering_site=dumpcr
    Therefore if you are using the custom portal, can you instead try with a default portal?
    Thanks,
    Aastha

  • Ise 1.2 Device Registration not auto filling the MAC field

    Hello
    I have installed 1.2 and when guests log in, they get the new (not improved imo) device registration portal, but the field where they have to enter the MAC address is empty; I can remember it was prefilled in previous ISE versions.
    Is this normal behavior on 1.2? I have configured calling station ID on MAC instead of IP; are there any other things that I need to configure to get this working?
    90% of the users don't know what a MAC address is, or where to find it.
    Greetings
    Steven

    Peter, I am glad you like my slides (although not sure I ever published this version outside Cisco!).
    Steven, it sounds like you have enabled the option in the Guest Portal to allow Device Registration.  This option is intended to be used by Guest accounts only and does NOT support auto-populating the MAC address.  This was a very limited feature introduced in 1.0.
    This feature should not be confused with the DRW or NSP flows for device registration.  For the purposes of device registration with web auth, both CWA+DRW and CWA+NSP flows are working in ISE 1.2 Patch 7.  However, the CWA+NSP flow will not work for guest user accounts if you enable the Supplicant Provisioning option in the web portal. The intent of the NSP flow is for employee accounts doing BYOD, and not for guest users.  That said, it will still work if you redirect successfully authenticated guest users to NSP using the Network_Access:UseCase=Guest_Flow condition (and optional match on Guest role).
    I would recommend the CWA+DRW option for Guest users as it is simpler, more streamlined, and you can assign a unique Identity Group such as "GuestEndpoints" to these devices.  This makes future cleanup easier and keeps them separate from employee RegisteredDevices.  The ISE 1.2 ERS API can be used to programmatically delete these endpoints periodically.
    Hope that helps to clarify.

  • ISE 1.3 iOS 8.1 Unsupported Browser Error in Device Registration Page

    I recently upgraded to ISE 1.3.  We are now getting unsupported browser errors in the device registration redirect page on iPad and iPhone iOS devices running 8.1.  We are running 7.6 as 8.0 was unstable with ISE 1.2.1.  The device registration redirect page worked fine with these same devices in ISE 1.2.1.  Is there a workaround short of turning off registration?  The "mydevices" page seems to work, but does not populate the MAC addresses of the devices like the device registration page does.

    Are you using Safari or another browser? You need to use Safari as Chrome will show an error message like unsupported browser...
    I did the NSP with an iPad iOS 8.1.1 and ISE 1.3 and it worked fine...
    ISE 1.3 compatibility was just released today and says 8.0 is officially supported; does not mention 8.1:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
    Patrick

  • ISE client provisioning with wlc 7.3

    Hi Experts,
    I have the following challenge. I will try to be brief.
    ISE 1.1.2.145
    WLC 7.3
    Wireless clients, dot1x eap peap, posture required.
    Clients should download the nac agent through redirection.
    So, i have an authorization policy that, for posture status= unknown, apply a redirect av, in the form:
    "https://ip:port:8443/.....action=cpp
    the access list is correctly applied on wlc.
    The challenge is, it works for HTTP traffic, but doesn't work for HTTPS traffic or if the browser is using a proxy (port 3128, 8080 etc).
    In case you wonder, the access-list on wlc:
    permit icmp, dns
    permit traffic to the PDPs
    deny all else.
    Thanks
    Andrea

    You may want to consider explicitly denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC as to whether, when the client is in the WEBAUTH state, it only listens for HTTP traffic.
    You may want to consider using this option (however I do not know if this will work with RADIUS webauth redirection) -
    http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000100.html
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

    I am using windows 7 x64 bit, and I am coding in C++ I am trying to create a EDIT box, and set the cue banner, but it is not being set, and it returns zero. Can anyone tell me why? Code: HWND hEdit = CreateWindowEx(WS_EX_CLIENTEDGE, L"EDIT", L"", WS_