Configuring Cisco ISE With Wireless For Mobile Device Access Control : iPad Android Etc.

My team built a Cisco Identity Services Engine (ISE) demo lab designed to secure mobile devices such as iPads, Android devices, etc. We ran into a few snags, but in the end got the system working nicely. Here is a guide to help you build a Cisco ISE lab for securing mobile devices.

First, the assumption is that you already have a standard Cisco ISE configuration built. In our lab, we use Cisco UCS to host a virtualized ISE appliance, Active Directory and other services. For hardware, we had a Cisco 3560 switch running 12.2 55E (downgraded from 12.2 58), an ASA 5505 (for outbound NAT; info HERE) and a Cisco wireless network consisting of two APs and a WLC appliance (NOTE: the WLC MUST run 7.X code for RADIUS between ISE and the WLC to work!!!). ISE was synced with AD for three identity groups (employees, contractors and guests). We used the default 90-day demo license and enabled all profiling probes. The wireless system was built in a standard fashion.
ISE

To start off, it's VERY important to check the time in AD (Windows clock) and in ISE (show clock command). If the time is not synced, your RADIUS authentication will fail with a variety of confusing error messages (see the ISE monitor image above); the AD join relies on Kerberos, which rejects requests once the clock skew between the two systems exceeds its tolerance. Once groups are added, test AD users in ISE under External Identity Store, AD, then Connect, to make sure the AD/ISE integration is working. Next, go to Authentication and verify you have a default 802.1X policy. Click the small triangle and change the ISE identity source to AD (see below). This tells ISE to query AD for any device accessing the network using 802.1X. Next, go to Network Devices under Administration and add a new network device. Fill out the form for your wireless LAN controller and configure a shared RADIUS key (Cisco guides explain this).

On the WLC, go to Security and add ISE as a RADIUS authentication and accounting server. Make sure to match the shared secret used in ISE! Next, create the WLAN for your environment. Under Security and Layer 2 in your WLAN, make sure Auth Key Mgmt is set to 802.1X. Under the AAA Servers tab, add your servers by selecting them from the drop-down list or entering them manually. Under Advanced, check AAA Override and scroll down to set Radius NAC under NAC State. Enable your WLAN and save.
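Added example, not code from the original post and not Cisco's: a minimal Python model of the RADIUS exchange the WLC and ISE perform for an 802.1X client, showing why the shared secret has to match on both sides. The WLC sends an Access-Request carrying the client's EAP-Response/Identity in an EAP-Message attribute and protects it with a Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 3579). ISE recomputes that HMAC before it looks at the EAP payload and, as RFC 3579 requires, silently discards a packet whose HMAC does not verify, which is why a mismatched secret shows up as timeouts and odd failures rather than a clean reject. The user name, NAS address and secrets below are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 3579 / RFC 3748)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
ZERO_MA = b"\x00" * 16


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode the attribute list into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated RADIUS attribute")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1 (Identity), data."""
    data = identity.encode()
    return struct.pack("!BBH", 2, eap_id, 5 + len(data)) + b"\x01" + data


def build_access_request(secret, ident, username, nas_ip, request_auth=None):
    """What the WLC (the NAS) sends: Access-Request with the client's EAP identity,
    protected by Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap_response_identity(1, username)))
    length = 20 + len(attrs) + 18            # 18 = size of the Message-Authenticator attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    mac = hmac.new(secret, header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO_MA),
                   hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret, packet):
    """What ISE does first: recompute the HMAC with *its* copy of the shared secret.
    RFC 3579 says a mismatch is silently discarded, so the NAS only ever sees a timeout."""
    if len(packet) < 20:
        return False
    header, attrs = packet[:20], packet[20:]
    received = [v for t, v in parse_attrs(attrs) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = b"".join(attr(t, ZERO_MA if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in parse_attrs(attrs))
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def build_response(secret, code, request, attrs=b""):
    """Server reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """NAS-side check that the reply came from a server holding the same secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)


def radius_exchange(wlc_secret, ise_secret):
    """One simulated round trip. Returns (ise_accepted_request, wlc_trusts_reply).
    A real 802.1X session continues with Access-Challenge/EAP rounds; this collapses
    it to a single Access-Accept so the secret checks stay visible."""
    request = build_access_request(wlc_secret, 7, "employee1", "10.0.0.5")   # constructed values
    if not verify_message_authenticator(ise_secret, request):
        return False, False          # dropped by ISE; the WLC retries and then times out
    reply = build_response(ise_secret, ACCESS_ACCEPT, request)
    return True, verify_response(wlc_secret, request, reply)


if __name__ == "__main__":
    print("matching secrets:", radius_exchange(b"s3cret", b"s3cret"))
    print("mismatched secrets:", radius_exchange(b"s3cret", b"wr0ng"))
```

The same check catches a packet altered in transit: flipping one byte of the User-Name makes the HMAC fail even with the right secret, so the Message-Authenticator covers integrity as well as "does the NAS know the secret".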

Back in ISE, go to Profiling under Policy and select the mobile profiles you want to include in your lab. By default, each profile is set to “Use Hierarchy”. Change this to “Create Matching Identity Group” (see image below).

Next, go to Rules under Policy and click down into the Authorization Profiles section under Authorization. This section defines what to do with authorized users. In our ISE lab, we created an iPad Employee and an iPad Guest profile; employees were put into VLAN 10 and guests into VLAN 20. You can instead put users on the same VLAN and apply ACLs for control, create a redirection if posture assessment is desired, or use other combinations of security. Spend time learning the different options for authorization.

The final step is building your ISE Authorization policy under the Policy tab. We created rules with specific device identity groups as the Identity Source, such as Apple-iPad and Apple-Device as seen in the default profiling section. NOTE: the device profiles you changed to “Create Matching Identity Group” will appear here. Under Conditions, click New Condition, select your AD, select = and whichever group of users should apply. Below is our ISE policy covering general Apple devices, iPads, iPhones and PC workstations for employees and guests. For example: the Identity Group is Apple-iPad, the condition is AD user group = AD_group_employes, then apply iPadEmployees, which means all iPads used by employees end up in VLAN 10 as specified by the iPadEmployee profile.
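Added example, my own rather than code from the post or from Cisco: a small Python model of how the authorization policy described above is evaluated, to make the effect of rule order visible. ISE evaluates authorization rules top-down and applies the first one whose conditions match, so a general Apple-Device rule placed above the Apple-iPad rules would capture every employee iPad before the iPad-specific rule is reached. The group names AD_group_employes and the VLAN numbers come from the post; AD_group_guests, the profile and rule names, and the ACL name are constructed. The model also assumes a rule written on a parent identity group (Apple-Device) matches endpoints the profiler placed in a child group (Apple-iPad); confirm that against your ISE release.

```python
from dataclasses import dataclass
from typing import Optional

# Profiler identity-group hierarchy as the post uses it (child -> parent).
# Assumption for this model: a rule on a parent group also matches endpoints in a child group.
GROUP_PARENT = {
    "Apple-iPad": "Apple-Device",
    "Apple-iPhone": "Apple-Device",
    "Apple-Device": "Profiled",
    "Workstation": "Profiled",
}

# Authorization profiles and the result each returns to the WLC (constructed; VLAN 10
# and VLAN 20 are the values from the post, the ACL name is a placeholder).
PROFILES = {
    "iPadEmployees": {"vlan": 10},
    "iPadGuests": {"vlan": 20},
    "AppleDeviceEmployees": {"vlan": 10, "airespace_acl": "EXAMPLE-APPLE-ACL"},
    "DenyAccess": {"access": "reject"},
}


@dataclass(frozen=True)
class Session:
    identity_group: str       # endpoint identity group assigned by the profiler
    ad_groups: frozenset      # AD groups ISE retrieved for the 802.1X user


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]   # None = any endpoint group
    ad_group: Optional[str]         # None = no AD condition
    profile: str                    # authorization profile applied on match


def in_group(endpoint_group, rule_group):
    """True if endpoint_group is rule_group or one of its descendants."""
    g = endpoint_group
    while g is not None:
        if g == rule_group:
            return True
        g = GROUP_PARENT.get(g)
    return False


def rule_matches(rule, session):
    if rule.identity_group and not in_group(session.identity_group, rule.identity_group):
        return False
    if rule.ad_group and rule.ad_group not in session.ad_groups:
        return False
    return True


def authorize(rules, session):
    """ISE default behaviour: rules are evaluated top-down and the first match wins;
    the catch-all default (DenyAccess here) is only reached when nothing else matches."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.name, rule.profile, PROFILES[rule.profile]
    return "Default", "DenyAccess", PROFILES["DenyAccess"]


# The policy from the post: specific iPad rules first, a general Apple-Device rule after.
POLICY = [
    Rule("iPad-Employee", "Apple-iPad", "AD_group_employes", "iPadEmployees"),
    Rule("iPad-Guest", "Apple-iPad", "AD_group_guests", "iPadGuests"),
    Rule("Apple-Employee", "Apple-Device", "AD_group_employes", "AppleDeviceEmployees"),
]


def ordering_check(rules, session):
    """Profile a session receives with the rules as written versus the same rules with
    the general Apple-Device rule moved to the top. Unequal results mean rule order,
    not the conditions, decided the outcome."""
    as_written = authorize(rules, session)[1]
    general_first = ([r for r in rules if r.identity_group == "Apple-Device"]
                     + [r for r in rules if r.identity_group != "Apple-Device"])
    return as_written, authorize(general_first, session)[1]


if __name__ == "__main__":
    employee_ipad = Session("Apple-iPad", frozenset({"AD_group_employes"}))
    print(authorize(POLICY, employee_ipad))
    print("as written / general rule first:", ordering_check(POLICY, employee_ipad))
```

Reading the result: an employee iPad lands in iPadEmployees (VLAN 10) with the rules as written, but in AppleDeviceEmployees once the general rule sits on top; an iPhone, which only matches Apple-Device, gets the general profile either way, and an unprofiled endpoint falls through to the default.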

Hopefully this guide helps you with your ISE mobile device testing.


21 thoughts on “Configuring Cisco ISE With Wireless For Mobile Device Access Control : iPad Android Etc.”

  1. Thank you for such a fantastic web site. On what other blog could anyone get this kind of information written in such an insightful way? I have a presentation that I am just now working on, and I have been looking for such info.
    My travel blog Top Travel Destinations.

  2. Yes, this is very great, but please tell us more about the final test. I mean, how does ISE know about the user using an iPad? If I bring my iPad and try to connect to the company Wi-Fi with a WPA key that I configured on my iPad, how does ISE know that I am using this iPad? Also, I know that we can do the same with the wired infrastructure, and my question is the same: if I bring my Mac and connect to our 3750 switch port, how does ISE know that it's my Mac?

  3. Hi Bel. Your Mac will first move from unknown to a general Apple device profile based on attributes obtained while first connecting (for example, the manufacturer of the NIC). Once you attempt to access the web, more probe information is obtained, such as DHCP requests, that helps ISE determine what your device is. Once the weight of the checks in the category for Mac laptops is reached, that will outweigh the general Mac category, which will move your device from a general Apple device to Mac laptop.

    The different attributes for each category's checks can be found under Profiling by clicking the pre-populated categories. If a category isn't available, you can always change an unknown device into its own category (i.e. you have an unknown printer and want to use the attributes found by ISE to create XYZPRINTERS so future XYZPrinters are auto-discovered).

    I wrote a “how profiling works” blog on this site as well that goes into details on this. Let me know if you have any other questions. Thanks!

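Added example, my own and not code from the post or from Cisco, modelling the certainty logic the reply above describes: every profiling condition that matches adds its certainty factor, a policy applies once the total reaches that policy's minimum, and child policies are only considered after their parent has matched, so an endpoint moves from a general profile to a specific one as the probes collect more evidence. The policies, certainty values, attribute names, host name and the OUI prefix are constructed placeholders, not ISE's built-in definitions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str     # endpoint attribute a probe learned (OUI, DHCP, HTTP, ...)
    value: str         # substring that must appear in the attribute
    certainty: int     # certainty factor this check adds when it matches


@dataclass(frozen=True)
class Policy:
    name: str
    parent: Optional[str]          # None = top of the hierarchy
    min_certainty: int             # total needed before the policy applies
    conditions: Tuple[Condition, ...]


@dataclass
class Endpoint:
    mac: str
    attrs: dict = field(default_factory=dict)   # everything the probes have seen so far


# Constructed OUI table; the real lookup uses the IEEE registry, this prefix is a placeholder.
OUI_VENDOR = {"aa:bb:cc": "Apple, Inc."}

# Constructed policies mirroring the comment: one general Apple policy reached from the
# NIC vendor alone, and more specific children that need additional probe evidence.
POLICIES = (
    Policy("Apple-Device", None, 10, (Condition("OUI", "Apple", 10),)),
    Policy("Apple-MacBook", "Apple-Device", 20, (
        Condition("dhcp-host-name", "MacBook", 10),
        Condition("http-user-agent", "Macintosh", 10))),
    Policy("Apple-iPad", "Apple-Device", 20, (Condition("http-user-agent", "iPad", 20),)),
)


def certainty(policy, endpoint):
    """Sum the certainty factors of every condition the collected attributes satisfy."""
    total = 0
    for c in policy.conditions:
        seen = endpoint.attrs.get(c.attribute, "")
        if c.value.lower() in seen.lower():
            total += c.certainty
    return total


def profile(policies, endpoint):
    """Walk the hierarchy top-down: children are only tried once their parent matched,
    and at each level the highest-certainty policy that reaches its minimum wins.
    Returns the most specific policy the evidence supports, or "Unknown"."""
    children = {}
    for p in policies:
        children.setdefault(p.parent, []).append(p)
    current, level = "Unknown", None
    while True:
        candidates = [(certainty(p, endpoint), p) for p in children.get(level, [])]
        candidates = [(cf, p) for cf, p in candidates if cf >= p.min_certainty]
        if not candidates:
            return current
        _, best = max(candidates, key=lambda cp: cp[0])
        current = level = best.name


def observe(endpoint, probe_attrs):
    """Merge what a probe reported and return the (possibly new) profile."""
    if "OUI" not in endpoint.attrs:
        endpoint.attrs["OUI"] = OUI_VENDOR.get(endpoint.mac[:8].lower(), "")
    endpoint.attrs.update(probe_attrs)
    return profile(POLICIES, endpoint)


def mac_laptop_timeline():
    """The sequence from the comment: MAC address first, DHCP next, HTTP last."""
    ep = Endpoint(mac="AA:BB:CC:12:34:56")                       # constructed address
    return [
        observe(ep, {}),                                         # only the OUI is known
        observe(ep, {"dhcp-host-name": "Bels-MacBook-Pro"}),     # DHCP probe (constructed)
        observe(ep, {"http-user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X)"}),  # HTTP probe
    ]


if __name__ == "__main__":
    print(mac_laptop_timeline())
```

The middle step is the point of the model: after the DHCP probe the laptop policy has only 10 of the 20 it needs, so the endpoint stays in Apple-Device until the HTTP probe adds the rest. A device whose OUI is not in the table never matches the parent policy, so its children are never evaluated and it stays Unknown no matter what the HTTP user agent says.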
  4. Another fine article. However, concerning “WLC MUST run 7.X code for Radius between ISE and WLC to work!!!” I must say that this is not completely correct. We are running ISE in combination with WCS 5.2 and WiSMs running 4.2 code and it works fine as far as RADIUS is concerned. Cisco recommends version 7, however. As far as I know 7.x code is needed for NAC support.

  5. Correct, I worded things wrong. The WLC must run 7.x for access control via NAC, not standard RADIUS. Thanks for pointing that out.

    I had some questions about non-Cisco controllers such as Aruba and was told you can add them in ISE, however it won't work until 1.1 (there is some bug). I haven't tested this yet but plan to do so now that I have 1.1 beta in the lab.

    Thanks again for reading.

  6. Hi,

    Very interesting article, thanks. I was wondering what EAP protocol(s) can be used/are required by the mobile device for authentication during device profiling?

  7. EAP protocols can be used on mobile devices so they can authenticate and use secure wireless networks. Most people only use a simple password to get on the wireless network. However, EAP adds a layer of security.

    There are several different EAP standards, but essentially they require RADIUS authentication and a certificate. RADIUS authentication is handled by a device like Cisco ISE. In fact, this is one of the most common uses for ISE. Certificates on mobile devices can be installed manually or automatically through Active Directory or a mobile device management solution. With both of these pieces, mobile devices can use EAP authentication.

    There are several EAP protocols; the types that can be used depend on the mobile device. As a general rule of thumb, most devices support EAP-PEAP, EAP-TLS, and EAP-TTLS.

  8. Are you aware if ISE works with FlexController Configuration?

    1. Great question! One of our customers is using one and is not that happy at the moment (to be honest). Currently HREAP breaks most ISE functionality; however, I spoke with the developers at Cisco and was told the following.

      “It used to create problems with local switching, but we have good support now. The WLC 7.2-MR1 and ISE 1.1.1 releases provide full functionality (profiling, posture, CoA) over an HREAP tunnel with local switching (central was already supported). WLC software is available today and ISE software should be available near the end of this month.”

      So the short answer is, it will be fully supported at the end of the month. We are running ISE 1.1 MR (maintenance release) right now and it's pretty rock solid. Not sure if you will be at Cisco Live, but we will have 7.2 integrated with ISE 1.1.1 at our booth. I'll post the booth info shortly. Stop by and check it out.

  9. I've been playing around with the ISE demo and I am very impressed!!!
    After trying different scenarios with my co-workers I came to a point where we find it kind of buggy.
    I have rules to redirect unknown users to posturing through the web, where they download the NAC client, and everything works fine.
    Here's the catch:
    On a Windows 7 machine (connecting wirelessly with the built-in wireless client) they are stuck on posture pending if they do the following:
    They connect, open up a web browser, ISE redirects them to download the client, they hit install and the warning about installing the client pops up; at that moment the user decides to close the browser (it's most likely to happen when you have 5000+ users), disconnects from the network and tries to reconnect again. NOW, when they open up the web browser, ISE says unable to allow access to network and all that error.
    So it's not letting them download the NAC agent any more, no matter what they do: connect, reconnect, wait 2-3 minutes, nothing; only after a period of time are they able to get the NAC client installation page.

    NOTE: this works totally fine on a windows xp machine with the INTEL PRO SET wireless utility.

    It's not a big thing, but when you have 5000+ clients and you want to introduce them to something new it will cause a lot of helpdesk calls and all that, you know how it goes.

    Thanks in advance.

    P.s I can create a short video of the whole process.

    1. Hi Ed,

      I asked a few of our deployment guys. I recall a while back having a problem with the Anyconnect client via VPN and Windows 7 however that was for NAC appliances not ISE. One engineer mentioned there is a remediation timer with NAC that if the user interrupted may cause something like this but again NAC appliance. We would be interested in seeing the video if possible. Thanks!

  10. Sorry for the late reply.
    Unfortunately my WLC demo expired today so I have to return it to Cisco.
    Anyway, the problem was it would not go to the process where you install the agent again, but it would just get stuck saying ISE IS NOT ABLE TO DETERMINE YOUR NETWORK ACCESS; that's where it would stay for like 10 minutes. It doesn't happen in XP, I have tried it a couple of times.
    Please, if anything, just let me know on Twitter @edrtz.

  11. Hi there, I enjoy reading all of your article posts. I like to write a little comment to support you.

  12. Greetings! Very helpful advice in this particular article!

    It is the little changes that make the biggest changes.

    Many thanks for sharing!

  13. Hiya! Quick question that's totally off topic. Do you know how to make your site mobile friendly? My weblog looks weird when browsing from my Apple iPhone. I'm trying to find a theme or plugin that might be able to fix this problem. If you have any recommendations, please share.

    Many thanks!

  14. I could not resist commenting. Very well written!

    1. Hi. I'm not sure what you mean. ISE profiles devices that connect to the network. Active Directory is a database that stores user data. ISE can validate user identity by reading user groups from Active Directory and uses that and other factors to provision access. For example, ISE can check if somebody is in Active Directory and using an iPad before giving specific iPad access. The Active Directory check is separate from how ISE profiles the device.

      Please elaborate on what you are looking for and I’ll try to help.

  15. How secure is a FlexConnect with ISE implementation?

    My design is an AP connecting across a WAN to a FlexConnect WLC (5500) using a CAPWAP tunnel to the WLC. From the WLC to ISE, RADIUS authenticates against the AD username and password.

    Is this the most secure way of delivering a true BYOD solution?

    My test design needs to allow local switching for guest services, and corporate users using central switching.
    Using VLANs and ACLs for routing and control, CAPWAP for encryption and tunneling, RADIUS as the AAA method.

    1. Looks pretty good. What are you doing regarding endpoint remediation? Are you enabling checks for laptops/desktops? What about mobile devices? Are you using an MDM (mobile device management) solution? Many of our customers want to verify laptops/desktops have AV, system updates, etc., as well as making sure mobile endpoints are not jailbroken, have PINs, encryption, etc. Also, are you enforcing Data Loss Prevention for email that goes to people bringing their own device? Just some other areas you haven't hit on yet that make up a strong BYOD solution.

