3972 L12 BYOD Mydeviceportal
Lab Overview
In this lab, you will configure and test the Cisco BYOD solution. The goal is for users to provide AD credentials only
once on a BYOD device. Once their credentials are validated, a certificate specific to that endpoint is issued and
installed on it, allowing the endpoint to reconnect using the certificate instead of credentials.
Lab Procedures
• Configure the BYOD Portal
If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5 day course), you will need to prepare or verify the
environment. Perform the following:
Access the module in the lab guide titled Post Reset and follow the directions there.
1.1. On the Admin-PC, open Firefox and use the ISE bookmark to log on to the ISE GUI as admin/admin$Pwd.
https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L12.htm 20/09/2017
Page 2 of 23
Note: Take a moment to review the three major phases of BYOD configuration: Prepare, Define, and Go Live &
Monitor.
1.3. You have accomplished the Prepare phase items in previous labs. So, move on to the Define phase by
clicking the link for web portals. Then choose My Devices Portals in the left column. You could also arrive
here via Work Centers > BYOD > Configure, or via Administration> Device Portal Management > My
Devices.
[My Devices Portal settings tables not preserved in this extract; they covered the portal IP address and policy server settings.]
Tip: Enabling the Support Information feature is an easy way to provide the end user with a place to go to see
their MAC address. Consider using some of the instructional or optional fields on the My Devices and Add
Devices page or others to provide this information to the end user.
2.1. At the top to the right of the Description field, click Portal test URL.
2.2. Log in with the Active Directory user credentials of employee1/gklabs, accept the terms and conditions,
and click Sign On.
2.4. You have successfully logged in to the My Devices Portal using Active Directory credentials. You will not be
adding any devices yet.
2.5. Close the browser tab and return to your ISE portal.
In this task, you will configure certificate provisioning using the internal CA functionality of Cisco ISE. You will then
configure a supplicant provisioning policy that uses that internal CA provisioning configuration.
Certificate Configuration
3. Provision certificates using an Internal CA.
3.1. In Firefox on the Admin-PC, log in to ISE as admin/admin$Pwd and navigate to Administration> System >
Certificates > Certificate Authority > Certificate Templates.
Parameter      Value
Name           BYOD_Cert_Template
State (ST)     NC
Country (C)    US
Now that the cert template has been created, you will assign the template using the client provisioning process.
4.1. Navigate to Work Centers > BYOD> Client Provisioning > Resources. Here you will see a repository of files,
some of which are downloaded from cisco.com and others are created by you, the admin.
Operating Systems: All (selecting All lets you create a single client provisioning policy for all operating systems)
SSID: GK-XX (replace XX with your pod number)
4.5. Before you save, expand the Optional Settings section. Do not make any changes.
In this task, you will configure the policy components for BYOD access.
6.1. Navigate to Work Centers > BYOD> External Id Sources > Certificate Authentication Profiles. Edit the
Preloaded_Certificate_Profile profile.
Note: The Common Name field will be used to determine the user's identity.
A requirement of the authentication process will now be to authenticate endpoints using EAP-TLS instead of PEAP.
Ensure that the Allowed Protocols list accommodates the EAP-TLS protocol.
7.1. Navigate to Work Centers > BYOD> Policy Elements > Results > Authentication > Allowed Protocols.
7.4. Also check the Allow Authentication of expired certificates option then click OK to the warning on expired
certificates.
7.5. Observe that PEAP (using MS-CHAPv2) is already allowed. Click Save.
Note: Allow Authentication of expired certificates sounds like a bad idea, but consider what this newer ISE feature
is for. It lets a user's system (the CEO's, say) that has been off the network for a long period, so that its certificate
expired before it could be renewed, proceed to the authorization policies instead of being rejected outright. You
can then write an authorization rule that grants that session only enough access to renew the certificate, or that
returns a web portal error page telling the user to call the service desk. The protection depends entirely on that
rule: if no authorization rule singles out expired certificates, this setting simply removes expiry from the trust
decision, so make the expired-certificate rule explicit and keep it above any rule that grants full access.
Name: NSP_Onboard
ACL: BYOD_PROVISIONING
8.4. Go back to Authorization Profiles and click Add then configure as follows.
Common Tasks
9. Associate the authorization profile that was just created with an authorization policy.
9.1. Navigate to Policy > Policy Sets > Wireless > Authorization Policy.
Status: Enable
9.3. Click Done then edit the Employee_EAP-TLS rule and configure as follows.
Status: Enable
In this task, you will verify the access lists on the WLC needed to support BYOD.
10.1. In Firefox, open a new tab and use the vWLC bookmark to log in to the WLC as admin/admin$Pwd.
10.2. Navigate to Security > Access Control Lists > Access Control Lists.
10.4. Click < Back and verify the BYOD_GUEST ACL looks as follows.
11. The final piece of the WLC configuration may not be apparent at first, but it is a step that is commonly
misunderstood. On iOS devices you have probably seen the captive-portal mini-browser (Apple's Captive Network
Assistant), the pop-up browser that appears as soon as you join a network that fronts a web portal. It is not a
standard browser, and BYOD users will see a browser error in it unless it is suppressed. The command that
suppresses it is CLI-only and requires a reboot. Note also that after the reboot the mini-browser no longer appears,
so every BYOD user must launch Safari on the device to reach the captive portal. This command has already been
configured on your pod WLC, and is shown below for reference only.
In this task, you will use the iPad to connect to the secure WiFi network. At first, you will log in using the PEAP
authentication protocol and AD credentials. Then, after supplicant and certificate provisioning, the iPad will be
reconnected to the same WiFi using EAP-TLS.
12.1. Access your pod iPad. If necessary, directions can be found in the lab guide module titled iPad Access.
12.2. On the iPad, navigate to Settings > General > Network > Wi-Fi.
12.5. Select the Apple – iPad MAC address (look for Apple-iPad under Endpoint Profile) and then delete it using
the toolbar. Confirm Yes to delete.
12.6. On the WLC, navigate to Monitor > Clients. Find the entry for the iPad and scroll to the right and remove it.
13.1. Navigate using your mouse to Settings> General > Network > Wi-Fi.
13.3. Locate and double-click the GK-XX network (replace XX with your pod #).
13.4. When prompted for credentials, enter it1/gklabs and click Join.
13.5. Go slowly through the following steps so that you can take in the details presented on the iPad. Click Accept
on the certificate pop-up.
Note: Every PSN that you connect to presents its own certificate. For instance, you accepted this certificate for
the primary ISE node. If this node fails and you connect to the secondary ISE node, another pop-up appears. Think
about this for production environments and seamless failover: it makes good sense to use a wildcard certificate,
as you configured in an earlier lab.
14. Now you need to launch Safari. To do this through the VNC session, right-click anywhere on the iPad screen.
14.2. In Safari, either click one of the preconfigured links or browse to any web site. You should be redirected to
the PSN.
Note: You may have to try a couple of different URLs before redirect will kick in.
14.3. Next, the BYOD portal appears. This is where an "unsupported browser" error would normally appear had you
not made the captive-portal bypass change on the WLC. Click Start.
14.4. On the page that appears, enter My iPad in the Device Name field and click Continue.
14.5. On the next page, click the Launch Apple Profile and Certificate Installers Now button.
14.6. You will be asked to install the SISE lab Root CA cert. Click Install, then Install, then Install again on the
following pop-up, and then Done after the certificate has been installed.
14.7. On the Profile Service screen, also click Install, then Install; the Enrollment process should run and
complete.
14.8. The final screen will show that the profile has been installed successfully. The name of the profile matches
the name for the NSP profile that you created earlier in the lab. Click Done when finished.
14.9. Verify that you are still connected to GK-XX on the iPad. If not, reconnect.
15.1. Return to the Cisco ISE Admin Portal on the Admin-PC and navigate to Operations > RADIUS > Live Logs
and observe the authentication records.
15.2. Click the Details icon for the record that was assigned the Authorization Profile BYOD Access.
15.3. Observe the Overview section and notice the indicated sections below.
15.4. Examine the Steps section (on the right) and, towards the bottom, observe the 15048 messages indicating the
Registered Endpoint lookup, the EAP authentication, the Subject Alternative Name, and the MAC address carried
as Radius.Calling-Station-ID.
15.5. On the left-side of the screen, you will see that the authentication protocol used is EAP-TLS, confirming
that you are now using certificates to authenticate the endpoint.
15.6. Close this tab and return to the Cisco ISE admin portal.
15.8. Find the iPad's MAC address, select it, and click the Edit button.
15.9. Verify that the iPad is now a member of the RegisteredDevices ID Group.
15.10. Expand Other Attributes and scroll down to the certificate subject attribute lines. Observe the certificate
details, paying particular attention to the Subject Alternative Name values. Remember that ISE matches this
SAN field against the endpoint's actual MAC address (Calling-Station-ID); that match is what ties the
certificate to this particular device.
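The certificate checks this lab leans on (identity taken from the Common Name in step 6, the Allow Authentication of expired certificates option in step 7, the SAN-to-Calling-Station-ID binding observed here, and the denial of a revoked certificate in step 24) can be modelled as one small decision routine. The following is an added example, not code from the lab guide or from Cisco ISE: the record field names, the sample attempts and the "now" date are constructed for illustration, and ISE's real attribute names and internal logic differ.

```python
import re
from datetime import datetime, timezone

# Mirrors the lab's Allowed Protocols setting; assumed, not read from ISE.
ALLOW_EXPIRED = True

# Constructed "now": the guide's print date, so the sample expiries are stable.
NOW = datetime(2017, 9, 20, tzinfo=timezone.utc)


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits.

    RADIUS Calling-Station-ID usually arrives as AA-BB-CC-DD-EE-FF, a SAN
    entry may read aa:bb:cc:dd:ee:ff or aabbccddeeff, and IOS/WLC output
    uses aabb.ccdd.eeff; a raw string comparison would miss real matches.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def san_macs(san_values):
    """Normalized MACs among a certificate's SAN entries; non-MAC entries
    such as DNS names are skipped."""
    macs = set()
    for value in san_values:
        try:
            macs.add(normalize_mac(value))
        except ValueError:
            pass
    return macs


def authorize(record, now=NOW, allow_expired=ALLOW_EXPIRED):
    """Return (profile, reason) for one EAP-TLS attempt.

    record keys (constructed names, not ISE dictionary attributes):
    calling_station_id, subject_cn, san (list of str),
    not_after (aware datetime), revoked (bool).
    """
    # Stolen device: the endpoint certificate was revoked on the internal CA.
    # Revocation must win over every other check.
    if record.get("revoked"):
        return "DenyAccess", "certificate revoked"

    endpoint = normalize_mac(record["calling_station_id"])
    # Bind the certificate to the hardware it was issued for. Without this a
    # certificate and key copied from one BYOD device would authenticate any
    # other device that presents them.
    if endpoint not in san_macs(record["san"]):
        return "DenyAccess", "SAN does not contain Calling-Station-ID %s" % endpoint

    if record["not_after"] < now:
        if not allow_expired:
            return "DenyAccess", "certificate expired"
        # Expired but correctly chained and bound: let the session reach
        # authorization, but only a renewal/redirect profile, never full access.
        return "BYOD_Renew_Only", "certificate expired, renewal permitted"

    # Identity comes from the Common Name, as the certificate authentication
    # profile in step 6 configures; the endpoint identity is the MAC.
    return "BYOD Access", "user %s on endpoint %s" % (record["subject_cn"], endpoint)


# Constructed sample attempts; not real ISE live-log records.
IPAD_MAC = "b8:53:ac:12:34:56"
_BASE = {
    "calling_station_id": "B8-53-AC-12-34-56",
    "subject_cn": "it1",
    "san": [IPAD_MAC, "ipad.gklabs.com"],
    "not_after": datetime(2018, 9, 20, tzinfo=timezone.utc),
    "revoked": False,
}
SAMPLE_RECORDS = {
    "valid":   dict(_BASE),
    "cloned":  dict(_BASE, calling_station_id="00-11-22-33-44-55"),
    "expired": dict(_BASE, not_after=datetime(2017, 6, 1, tzinfo=timezone.utc)),
    "stolen":  dict(_BASE, revoked=True),
}


def evaluate_all(records=SAMPLE_RECORDS, now=NOW, allow_expired=ALLOW_EXPIRED):
    """Profile chosen for each sample attempt, keyed by sample name."""
    return {name: authorize(rec, now, allow_expired)[0]
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print("%-8s %-16s %s" % ((name,) + authorize(rec)))
```

The order of the checks is the point: revocation is absolute, the SAN-to-MAC binding is what stops a copied certificate from working on another device, and an expired certificate is only ever steered to a renewal profile, never to full access, which is the rule the expired-certificate note in step 7 asks you to write.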
Note: All the certificates have been issued. Selectively view a few of the entries. Your output may differ.
In this task, you will mark a device as lost and then as stolen, and examine Cisco ISE to see how the endpoint is
processed under each condition.
17.1. On the Admin-PC in ISE, navigate to Administration> Device Portal Management > Blacklist.
17.2. Edit the Blacklist portal (default) and in Portal Settings, change the Certificate group tag to GKLABS GT.
18.1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
18.3. Scroll down and change the url-redirect-acl from BLACKHOLE to BLACKLIST. (Simply overtype the current
entry.)
19.1. On the Admin-PC, open a new tab in Firefox and use the bookmark My Devices Portal or browse to
https://mydevices.gklabs.com.
19.2. Log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then click Sign On.
19.4. Observe that the status of the iPad is either Pending or Registered.
19.7. Click Yes to acknowledge that you want to mark the device as lost.
20.1. On the iPad, make sure that you are connected to GK-XX.
Note: You should already observe an authentication success for the student iPad that has the resulting
Blackhole_Wireless authorization profile result. Cisco ISE issued a CoA when the device was marked lost. The
device automatically re-authenticated as it normally would and matched the Wireless Black List Default
Authorization Policy.
20.4. Click BYOD Endpoints to reveal another way to view endpoint information.
20.5. Edit the iPad MAC address and observe that it is now a member of the Blacklist ID group.
21.1. On the Admin-PC, access the previously opened My Devices Portal tab.
21.2. If necessary, log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then
click Sign On.
21.5. Click Yes to acknowledge that you want to reinstate the device.
22.1. On the iPad, make sure that you are connected to GK-XX.
Note: Once again, ISE has already issued a CoA when the device was marked as reinstated. Guest access should
now be restored.
In this task, you will mark a device as stolen and observe the endpoint and certificate status. You will then
reinstate and re-onboard the device. You will not go through the process of testing access while marked as stolen
in the interest of time.
23.2. Log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then click Sign On.
23.5. Click Yes to acknowledge that you want to report the device as stolen; the status should change to Stolen.
24.2. In ISE, navigate to Live Logs; you should see the denied access record for the iPad.
24.3. Click the Authentication Detail section and note the following fields indicating the certificate has been
revoked.
24.4. Return to ISE and navigate to Administration> System > Certificates > Certificate Management > Endpoint
Certificates.
24.5. In the list of certificates, notice that the status is now Revoked for the iPad certificate. (You will need to
scroll to the far right to see Status.)
24.6. Using Context Visibility > Endpoints, find the iPad and verify that it is once again a member of the Blacklist
ID Group.
25.1. Notice in the toolbar that there is no option to reinstate or un-revoke the certificate, then return to the My
Devices Portal.
25.2. Log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then click Sign On.
25.6. Click Yes on the pop-up; the status is now Not Registered.
26.1. Return to your iPad and select your GK-XX SSID; you should notice that it is not possible to join the GK
WLAN.
26.2. In the iPad, navigate to Settings > General > Profiles and delete the two profiles found there by choosing
Delete Profile and then Delete.
26.3. Return to the Wi-Fi list and attempt to join GKLABS-XX. This should succeed prompting you for credentials.
26.7. You should be redirected to the BYOD portal to begin the process of onboarding again.
26.8. Go through the process of onboarding as before. Reference the previous lab steps, if necessary.
26.9. Once complete, make sure you are connected to the GK-XX SSID and then proceed to cisco.com to verify
network access.
26.11. The iPad should have been assigned the BYOD Access authorization profile. To the right of the device you
should also see the identity group RegisteredDevices.
Lab Complete