ISE BYOD

-

 

BYOD in the guest world means I bring my device and get guest internet access, simple done. ISE can do guest for general BYOD.
BYOD in the ISE world specifically means for native supplicant and certificate provisioning. Get a client securely onto the network using EAP-TLS. It has nothing to do with guest (it does use guest portal to start the process). It primarily used for wireless user internal network access.

For a typical BYOD use cases, BYOD is allowed for employee users and potentially for contractor user.

BYOD may simple as allowing personal endpoints connect to the network without automated onboarding process.

However, the benefit of ISE BYOD flow is that ISE can assist the end user to onboard their endpoints by provisioning CA signed endpoint certificate as well as configure the network interface and OS native supplicant to utilize the provisioned certificate for network access. The other benefit of ISE BYOD is the ‘My Devices Portal’, which allows end users to Create/Read/Update/Delete (CRUD) on endpoints that they own.


Two BYOD deployment flows: Single-SSID BYOD and Dual-SSID BYOD

If the goal is to minimize number of SSIDs, there are no separate guest WLAN, or if the guest access is using hotspot access (rather than named guest account access) then single-SSID BYOD is recommended as the open SSID using hotspot portal cannot be used for initial BYOD portal at the same time.

If guest access is utilizing one of the named guest account, then same guest portal can be used for employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a provisioning WLAN which is typically shared with guest access. When the ISE confirms that the user is an employee user, then ISE will direct the user to the BYOD flow where the endpoint gets onboarded. Once provisioned with the WLAN settings and possibly CA signed certificate, then the endpoint is reconnected to the secured WLAN for full network access.

NSA (Network Setup Assistant) assists the user to generate certificate pair, install signed certificate, and configure network and proxy settings on the endpoint.

For Windows and macOS, the NSA is located on the ISE PSN itself. When the endpoint goes through onboarding flow, ISE instructs the user to download and install NSA, which in turn guides the user through the BYOD process. 

The way Apple iOS work is different from other OS in that it doesn’t require ISE NSA application for BYOD flow. Rather ISE will leverage iOS’ existing capabilities (Apple Over-the-air (OTA)) to generate key pair, install signed certificate, and configure WiFi settings. Even though ISE is leveraging OTA, iOS gets instructions from ISE in the form of profiles which gets installed on the iOS. As there are no applications to download, iOS can be onboarded without access to the Apple App store.

For Android devices, ISE will force installation of NSA during the onboarding flow if it is not installed already.

BYOD flow on Chromebook devices is different from other OS

here are three EAP Types that can be used; EAP-TLS, EAP-PEAP-MSCHAPv2, and EAP-FAST. With EAP-TLS ISE identifies itself by providing EAP Identity certificate to the endpoint, once the ISE identity certificate is validated by the endpoint, the endpoint will provide its own endpoint identity certificate that was previously signed by ISE. Once ISE confirms its validity, then the endpoint is authorized on to the network. With EAP-PEAP-MSCHAPv2, ISE identifies itself by providing EAP Identity certificate to the endpoint, once the ISE identity certificate is validated by the endpoint, the endpoint provides a combination of username and password that ISE can authenticate. Once ISE validates the user, then the endpoint is authorized to the network. In both EAP types, first ISE provides its own certificate to the endpoint and the main difference is whether the endpoint provides a digital certificate or username/password. ISE supports both endpoint identity, but it is recommended to use endpoint certificates for better security and manageability.

ISE BYOD certificates are tied to the endpoint MAC address

ISE can leverage MDM/EMM to check posture of the mobile endpoints prior to providing full network access.

When My Devices Portal is used in conjunction with MSM/EMM, the portal allows end user to issue MDM/EMM commands such as remote lock, remote wipe, corporate wipe, etc.


Single SSID flow:

As its name signifies there is only one SSID used for the onboarding, which is secured by 802.1X. User initially connects using username/password and is registered then optionally can get a signed endpoint certificate issued to the endpoint which is used to reconnect to the same SSID and gets elevated access.







Dual SSID flow:

In the case of dual-SSID flow, user initially starts on one SSID which may be shared with guest access. But once onboarded, the endpoint is reconnected to the secured SSID to gain elevated access. The initial SSID may be secured via WPA-PSK if the WLC supports WPA-PSK and ISE-NAC (RADIUS-NAC on the same WLAN).

Note that when guest portal is used for BYOD flow, all employee users will go through the same BYOD portal as the BYOD portal is tied to the guest portal. Instead of using the BYOD portal that is tied to the guest portal as seen above, multiple BYOD portal can be used based on authorization condition. This flow allows, for instance, different user groups to have different BYOD portal and also allows each groups to register the devices into different endpoint groups.
























Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more