3972 L12 BYOD Mydeviceportal

The document provides instructions for configuring a Bring Your Own Device (BYOD) solution using Cisco Identity Services Engine (ISE). The key steps include: 1. Configuring the My Devices portal in ISE to allow users to register devices using Active Directory credentials. 2. Configuring certificate provisioning in ISE using an internal certificate authority (CA) to issue device certificates. 3. Creating a native supplicant provisioning policy in ISE to assign the device certificate template and configure wireless security settings. The full instructions will allow users to register BYOD devices once using AD credentials, after which the devices will reconnect using certificates provisioned by ISE rather than credentials.


Lab 12: BYOD and My Device Portal

Lab Overview
In this lab, you will configure and test the Cisco BYOD solution. You want to have users provide AD credentials only
once on a BYOD device. Once their credentials are validated, a certificate (specific to the endpoint) will be
provided and installed on the endpoint, allowing the endpoint to reconnect using a cert instead of credentials.

Estimated Completion Time


1 hour 30 minutes

Lab Procedures
• Configure the BYOD Portal

• Configure Certificate Provisioning

• Configure ISE Policies

• Verify the WLC

• Register the Employee iPad

• Work with My Device Portal

Perform Only If You Have Done a Reset

If you have performed a reset to this lab or are using the Global Knowledge e-Labs (meaning that you are
accessing the system after you have attended the 5 day course), you will need to prepare or verify the
environment. Perform the following:

Access the module in the lab guide titled Post Reset and follow the directions there.

Task 1: Configure the BYOD Portal

1. Configure the Portal for BYOD.

1.1. On the Admin-PC, open Firefox and use the ISE bookmark to log on to the ISE GUI as admin/admin$Pwd.

1.2. In ISE, navigate to Work Centers > BYOD > Overview.

https://www.remotelabs.com/ldhtm/Gb/cisco/3972/3972_L12.htm 20/09/2017

Note: Take a moment to review the three major phases of BYOD configuration: Prepare, Define, and Go Live &
Monitor.

1.3. You have accomplished the Prepare phase items in previous labs. So, move on to the Define phase by
clicking the link for web portals. Then choose My Devices Portals in the left column. You could also arrive
here via Work Centers > BYOD > Configure, or via Administration> Device Portal Management > My
Devices.

1.4. In the right pane, edit My Devices Portal (default).

1.5. Modify the portal as follows.

My Devices Portal Settings and Customization

Attribute Value

Portal Name My Devices

1.6. Expand Portal Settings and configure as follows.

Attribute Value

HTTPS Port 8443

Allowed interface Gigabit Ethernet 0

Certificate group tag GKLABS GT

Fully qualified domain name (all FQDN) mydevices.gklabs.com

Endpoint identity group RegisteredDevices

Identity source sequence MyDevices_Portal_Sequence

1.7. Expand Login Page Settings and configure as follows.

Attribute Value

Maximum failed login attempts before rate limiting 5

Time between login attempts when rate limiting 2

Include in AUP page Enabled: as link

Require acceptance Enabled

1.8. Expand Support Information Page Settings and configure as follows.

Attribute Value

Include Support Information page Enabled

Fields to include MAC address, IP address, Browser user agent, Policy server, Failure code

Empty fields Hide field

1.9. Scroll up and click Save.

Basic Portal Customization


1.10. Click the Portal Page Customization text at the top of the page.

1.11. Customize the portal by uploading the following images.

Image File Location

Logo (Mobile) Desktop\ISE\Portal Files\gkl-logo.png

Logo (Desktop) Desktop\ISE\Portal Files\gkl-logo.png

1.12. Scroll up and click Save.

Tip: Enabling the Support Information feature is an easy way to provide the end user with a place to go to see
their MAC address. Consider using some of the instructional or optional fields on the My Devices and Add
Devices page or others to provide this information to the end user.

2. Perform an authentication test using the Portal Sequence just configured.

2.1. At the top of the page, to the right of the Description field, click Portal test URL.

2.2. Log in with the Active Directory user credentials of employee1/gklabs, accept the terms and conditions,
and click Sign On.

2.3. Press Continue on the Post Access page.

2.4. You have successfully logged into the My Devices Portal using Active Directory credentials. You will not be
adding any devices as of yet.

2.5. Close the browser tab and return to your ISE portal.

Task 2: Configure Certificate Provisioning

In this task, you will configure certificate provisioning using the internal CA functionality of Cisco ISE. You will
then configure a native supplicant provisioning policy that uses the certificate template issued by that internal CA.

Certificate Configuration
3. Provision certificates using an Internal CA.

3.1. In Firefox on the Admin-PC, log in to ISE as admin/admin$Pwd and navigate to Administration> System >
Certificates > Certificate Authority > Certificate Templates.

3.2. Edit the EAP_Authentication_Certificate_Template and configure as follows.

Parameter Value

Name BYOD_Cert_Template

Description BYOD certificate template for GKLABS

Organizational Unit (OU) BYOD

Organization (O) GKLABS

City (L) Cary

State (ST) NC

Country (C) US

Subject Alternative Name MAC Address

Key Type RSA

Key Size 2048

SCEP RA Profile ISE Internal CA

Valid Period 730 (days)

3.3. Scroll down and click Save.

4. Configure Client Provisioning and Native Supplicant Provisioning.

Now that the cert template has been created, you will assign the template using the client provisioning process.

4.1. Navigate to Work Centers > BYOD> Client Provisioning > Resources. Here you will see a repository of files,
some of which are downloaded from cisco.com and others are created by you, the admin.

4.2. Click Add > Native Supplicant Profile.

4.3. In the fields provided, enter the following.

Attribute Value

Rule Name BYOD Cert Provisioning

Operating Systems All < By selecting this, you can create a single policy for all operating systems. >

4.4. Under Wireless Profile(s), click Add and fill in as follows.

Attribute Value

SSID GK-XX < Replace the XX with your pod number. >

Security WPA2 Enterprise

Allowed Protocol TLS

Certificate Template BYOD_Cert_Template

4.5. Before you save, expand the Optional Settings section. Do Not make any changes.

4.6. Click Save, then scroll down and click Submit.

5. Configure the Client Provisioning Policies.

5.1. In the left pane, click Client Provisioning Policy.

5.2. Edit the iOS rule and configure as follows.

Attribute Value

Rule Name iOS

Identity Groups Any

Operating Systems Apple iOS All

Other Conditions

Results BYOD Cert Provisioning

5.3. Click Done then Save.

Task 3: Configure ISE Policies

In this task, you will configure the policy components for BYOD access.

6. Review Certificate Authentication Profile.

6.1. Navigate to Work Centers > BYOD> External Id Sources > Certificate Authentication Profiles. Edit the
Preloaded_Certificate_Profile profile.

Note: The Common Name field will be used to determine the user's identity.

7. Review Allowed Protocols.

A requirement of the authentication process will now be to authenticate endpoints using EAP-TLS instead of PEAP.
Ensure that the Allowed Protocols list accommodates the EAP-TLS protocol.

7.1. Navigate to Work Centers > BYOD> Policy Elements > Results > Authentication > Allowed Protocols.

7.2. In the right pane, click Default Network Access.

7.3. Verify that Allow EAP-TLS is selected.

7.4. Also check the Allow Authentication of expired certificates option then click OK to the warning on expired
certificates.

7.5. Observe that PEAP (using MS-CHAPv2) is already allowed. Click Save.

Note: Allow Authentication of expired certificates sounds like a bad thing to do, but consider what this newer
ISE feature is for. It allows the system of a user (such as a CEO) who hasn't been on the network for a long
period (meaning the certificate hasn't had a chance to renew and has therefore expired) to continue to the
authorization policies. You can then create an authorization rule that allows such a session only enough access
to renew the certificate, or presents an error page (web portal) informing the user to call the service desk.
The caveat: this option only removes the expiry check from authentication. Unless an authorization rule placed
above the normal access rules matches the expired-certificate condition and restricts it, an expired certificate
is treated like any other valid certificate and receives full access.

Authorization Profile Configuration


8. Now create the authorization policies needed to enforce the BYOD provisioning process.

8.1. In the left pane, click Authorization Profiles.

8.2. Edit the NSP_Onboard profile and configure as follows.

Attribute Name Value

Name NSP_Onboard

Web Redirection Native Supplicant Provisioning

ACL BYOD_PROVISIONING

Value BYOD Portal (default)

8.3. Click Save.

8.4. Go back to Authorization Profiles and click Add then configure as follows.

Attribute Name Value

Name BYOD Access

Common Tasks

Airespace ACL Name BYOD_GUEST

8.5. Click Submit.

9. Associate the authorization profile that was just created with an authorization policy.

9.1. Navigate to Policy > Policy Sets > Wireless > Authorization Policy.

9.2. Edit the Employee_Onboarding rule and configure as follows.

Attribute Value

Status Enable

Rule Name BYOD Provisioning

Conditions (identity groups and other conditions) if Any and EAP-MSCHAPv2 AND GKLABS:ExternalGroups
NOT_EQUALS gklabs.com/Users/Domain Computers

Permissions NSP_Onboard (delete the BYOD SGT)

9.3. Click Done then edit the Employee_EAP-TLS rule and configure as follows.

Attribute Value

Status Enable

Rule Name BYOD Access

Conditions (identity groups and other conditions) if Any and BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN

Permissions BYOD Access (delete the BYOD SGT)

9.4. Scroll down and click Save.

Task 4: Verify the WLC

In this task, you will verify the access lists on the WLC needed to support BYOD.

10. Verify the WLC access lists to support BYOD.

10.1. In Firefox, open a new tab and use the vWLC bookmark to log in to the WLC as admin/admin$Pwd.

10.2. Navigate to Security > Access Control Lists > Access Control Lists.

10.3. Verify that the BYOD_PROVISIONING ACL matches the lab screenshot (not reproduced here).

10.4. Click < Back and verify that the BYOD_GUEST ACL matches the lab screenshot (not reproduced here).

11. The final piece of the WLC configuration may not be apparent at first but it is a step that is commonly
misunderstood. On iOS devices you have probably experienced what is known as the pseudo browser. It is the
browser that appears when you immediately connect to a network that contains a web portal. This pseudo
browser is not a standard browser and BYOD users will experience a browser error if not suppressed. The
following command is a CLI-only command that requires a reboot. Also note that after the reboot, the pseudo
browser will not appear, requiring any BYOD user to launch Safari from their device in order to view the captive
portal. This command has already been configured on your pod WLC, and is shown below for reference only.

Caution: COMMANDS ARE ALREADY ENTERED. DO NOT ENTER AGAIN.

(Cisco Controller) > config network web-auth captive-bypass enable
(Cisco Controller) > save config
(Cisco Controller) > reset system

Caution: COMMANDS ARE ALREADY ENTERED. DO NOT ENTER AGAIN.

Task 5: Register the Employee iPad

In this task, you will use the iPad to connect to the secure WiFi network. At first, you will log in using the PEAP
authentication protocol and AD credentials. Then, after supplicant and certificate provisioning, the iPad will be
reconnected to the same WiFi using EAP-TLS.

12. Clean Endpoints from previous labs.

12.1. Access your pod iPad. If necessary, directions can be found in the lab guide module titled iPad Access.

12.2. On the iPad, navigate to Settings > General > Network > Wi-Fi.

12.3. Disable the WIFI.

12.4. In the ISE GUI, navigate to Context Visibility > Endpoints.

12.5. Select the Apple – iPad MAC address (look for Apple-iPad under Endpoint Profile) and then delete it using
the toolbar. Confirm Yes to delete.

12.6. On the WLC, navigate to Monitor > Clients. Find the entry for the iPad and scroll to the right and remove it.

13. On your Admin-PC, access your iPad once again.

13.1. Navigate using your mouse to Settings> General > Network > Wi-Fi.

13.2. Re-enable the WiFi.

13.3. Locate and double-click the GK-XX network (replace XX with your pod #).

13.4. When prompted for credentials, enter it1/gklabs and click Join.

13.5. You will want to slow down through the following process in order to process all of the details that are
being provided on the iPad. Click Accept to the certificate pop-up.

Note: Every PSN that you connect to will present a certificate. For instance, you accepted this cert at this point
for the primary ise node. If this node fails and you connect to the secondary ISE node, another pop-up will
appear. Think about this for production environments and seamless failover. It makes good sense to use a
wildcard certificate as you have configured in an earlier lab.

14. Now you will need to launch Safari. In order to do this using the VNC, you will need to right-click anywhere in the
iPad.

14.1. Scroll down the Home page and launch Safari.

14.2. In Safari, either click one of the preconfigured links or browse to any web site. You should be redirected to
the PSN.

Note: You may have to try a couple of different URLs before redirect will kick in.

14.3. Next, the BYOD portal will appear. This is where an error stating that the browser is unsupported would
normally appear if you had not made the captive-portal bypass change. Click Start.

14.4. On the page that appears, enter My iPad in the Device Name field and click Continue.

14.5. On the next page, click the Launch Apple Profile and Certificate Installers Now button.

14.6. You will be asked to install the SISE lab Root CA cert. Click Install, then Install, then Install again on the
following pop-up, and then Done after the certificate has been installed.

14.7. On the Profile Service screen, also click Install, then Install; the Enrollment process should run and
complete.

14.8. The final screen will show that the profile has been installed successfully. The name of the profile matches
the name for the NSP profile that you created earlier in the lab. Click Done when finished.

14.9. Verify that you are still connected to GK-XX on the iPAD. If not, reconnect.

15. Verify Cisco ISE Admin Portal.

15.1. Return to the Cisco ISE Admin Portal on the Admin-PC and navigate to Operations > RADIUS > Live Logs
and observe the authentication records.

Note: You should see (1) the initial session being redirected to the onboarding portal and (2) the final state,
with the iPad onboarded and receiving BYOD access.

15.2. Click the Details icon for the record that was assigned the Authorization Profile BYOD Access.

15.3. Observe the Overview section and notice the indicated sections below.

15.4. Examine the Steps section (on the right) and, towards the bottom, observe the 15048 messages indicating
Registered Endpoint, EAP authentication, and the Subject Alternative Name and the MAC address as the
Radius.Calling-Station-ID.

15.5. On the left-side of the screen, you will see that the authentication protocol used is EAP-TLS, confirming
that you are now using certificates to authenticate the endpoint.

15.6. Close this tab and return to the Cisco ISE admin portal.

15.7. Navigate to Context Visibility > Endpoints.

15.8. Find the iPad's MAC, select it, and click the Edit button.

15.9. Verify that the iPad is now a member of the RegisteredDevices ID Group.

15.10. Expand Other Attributes and scroll down to the certificate subject attribute lines. Observe the certificate
details, paying particular attention to the Subject Alternative Name values. Remember that you are
matching this SAN field against the endpoint's actual MAC address (Calling-Station-ID).

15.11. Click Cancel after examining the attributes.

Verify Profile Settings on the iPad


16. On the iPad, navigate to Settings > General > Profiles.

16.1. You should see two profiles on the iPad.

16.2. Expand the BYOD_CERT_PROVISIONING and then click More Details.

Note: All the certificates have been issued. Selectively view a few of the entries. Your output may differ.

Task 6: Work with My Device Portal

In this task, you will perform the steps to mark a device as lost and then as stolen. You will examine Cisco ISE to
see how the endpoint is processed under each of these conditions.

17. Update the Blacklist Portal Certificate Tag Group.

17.1. On the Admin-PC in ISE, navigate to Administration> Device Portal Management > Blacklist.

17.2. Edit the Blacklist portal (default) and in Portal Settings, change the Certificate group tag to GKLABS GT.

17.3. Scroll up and click Save and then Close.

18. Update the Blacklist Authorization profile.

18.1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.

18.2. Edit the Blackhole_Wireless_Access profile.

18.3. Scroll down and change the url-redirect-acl from BLACKHOLE to BLACKLIST. (Simply overtype the current
entry.)

18.4. Click Save.

19. Mark a Device as lost.

19.1. On the Admin-PC, open a new tab in Firefox and use the bookmark My Devices Portal or browse to
https://mydevices.gklabs.com.

19.2. Log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then click Sign On.

19.3. Click Continue.

19.4. Observe that the status of the iPad is either Pending or Registered.

19.5. Manage the device by clicking the record.

19.6. Click the Lost button.

19.7. Click Yes to acknowledge that you want to mark the device as lost.

19.8. Observe that the status is now Lost.

20. Verify lost access.

20.1. On the iPad, make sure that you are connected to GK-XX.

20.2. In ISE, navigate to Live Logs.

Note: You should already observe an authentication success for the student iPad that has the resulting
Blackhole_Wireless authorization profile result. Cisco ISE issued a CoA when the device was marked lost. The
device automatically re-authenticated as it normally would and matched the Wireless Black List Default
Authorization Policy.

20.3. In ISE, click Home.

20.4. Click BYOD Endpoints to reveal another way to view endpoint information.

20.5. Edit the iPad MAC address and observe that it is now a member of the Blacklist ID group.

20.6. Click Cancel when done viewing.

21. Un-Blacklist the device.

21.1. On the Admin-PC, access the previously opened My Devices Portal tab.

21.2. If necessary, log in with the credentials it1/gklabs, check I agree to the terms and conditions, and then
click Sign On.

21.3. Manage the device by clicking the record.

21.4. Click the Reinstate button.

21.5. Click Yes to acknowledge that you want to reinstate the device.

21.6. The Device status will no longer show Lost.

22. Verify access capability.

22.1. On the iPad, make sure that you are connected to GK-XX.

22.2. In ISE, navigate to Live Logs.

Note: Once again, ISE issued a CoA when the device was reinstated and the device re-authenticated. BYOD access
(the BYOD Access profile with the BYOD_GUEST ACL) should now be restored.

23. Blacklist a Stolen Device.

In this task, you will mark a device as stolen and observe the endpoint and certificate status. You will then
reinstate and re-onboard the device. You will not go through the process of testing access while marked as stolen
in the interest of time.

23.1. Return to the My Device Portal.

23.2. Log in with the credentials it1/gklabs, check I agree to the T and C, and then click Sign on.

23.3. Manage the device by clicking the record.

23.4. Click the Stolen button.

23.5. Click Yes to acknowledge that you want to report the device as stolen; the status should change to Stolen.

24. Examine Endpoint Status and Record.

24.1. On the iPad, attempt to connect to GK-XX; this will fail.

24.2. In ISE, navigate to Live Logs; you should see the denied access record for the iPad.

24.3. Click the Authentication Detail section and note the following fields indicating the certificate has been
revoked.

24.4. Return to ISE and navigate to Administration> System > Certificates > Certificate Management > Endpoint
Certificates.

24.5. In the list of certificates, notice that the status is now Revoked for the iPad certificate. (You will need to
scroll to the far right to see Status.)

24.6. Using Context Visibility > Endpoints, find the iPad and verify that it is once again a member of the Blacklist
ID Group.

25. Reinstate the device.

25.1. Notice in the toolbar that there is no option to reinstate or un-revoke the certificate, then return to the My
Devices Portal.

25.2. Log in with the credentials it1/gklabs, check I agree to the T and C, and then click Sign on.

25.3. Click Continue.

25.4. Manage the device by clicking the record.

25.5. Click the Reinstate button.

25.6. Click yes to the pop-up; the status is now Not Registered.

26. Re-onboard the device.

26.1. Return to your iPad and select your GK-XX SSID; you should notice that it is not possible to join the GK
WLAN.

26.2. In the iPad, navigate to Settings > General > Profiles and delete the two profiles found there by choosing
Delete Profile and then Delete.

26.3. Return to the Wi-Fi list and attempt to join GK-XX. This should succeed, prompting you for credentials.

26.4. Enter it1/gklabs.

26.5. Accept the certificate.

26.6. Open Safari and browse to cisco.com.

26.7. You should be redirected to the BYOD portal to begin the process of onboarding again.

26.8. Go through the process of onboarding as before. Reference the previous lab steps, if necessary.

26.9. Once complete, make sure you are connected to the GK-XX SSID and then proceed to cisco.com to verify
network access.

26.10. Return to the ISE GUI and navigate to Live Logs.

26.11. The iPad should have been applied to the BYOD Access Authorization profile. To the right of the device
should also be the identity group RegisteredDevices.
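To tie together the authorization policy built in Task 3 and the device states exercised in Tasks 5 and 6, the following is an added Python model of that policy; it is illustration written for this page, not Cisco ISE code and not part of the original lab. It evaluates constructed RADIUS sessions first-match against the lab's Wireless rules (Wireless Black List Default, BYOD Provisioning, BYOD Access) with their authorization profiles and identity groups as configured above, and walks the iPad through first PEAP join, onboarded EAP-TLS, marked Lost, marked Stolen, a certificate presented from a different MAC, and an expired certificate. The MAC address, the dates, and the "Cert Renewal" rule with its profile name are assumptions (the rule is the kind the step 7 note describes, not one the lab configures).

```python
"""Added model of the lab's wireless authorization policy; not Cisco ISE code."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    """Constructed stand-in for the attributes ISE evaluates for one RADIUS session."""
    calling_station_id: str                 # Radius.Calling-Station-ID, any common MAC format
    eap_method: str                         # "EAP-MSCHAPv2" (PEAP inner method) or "EAP-TLS"
    ad_groups: Tuple[str, ...] = ()         # GKLABS:ExternalGroups
    endpoint_groups: Tuple[str, ...] = ()   # endpoint identity groups (RegisteredDevices, Blacklist)
    cert_san_mac: Optional[str] = None      # MAC carried in the client certificate SAN (template setting)
    cert_not_after: Optional[date] = None   # certificate expiry
    cert_revoked: bool = False              # set when the device is marked Stolen


DOMAIN_COMPUTERS = "gklabs.com/Users/Domain Computers"
Rule = Tuple[str, Callable[[Session, date], bool], str]  # (rule name, condition, authorization profile)


def normalize_mac(mac: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to 12 lower-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_in_san(s: Session) -> bool:
    """MAC_in_SAN: the SAN of the presented certificate must equal the RADIUS Calling-Station-ID."""
    return s.cert_san_mac is not None and normalize_mac(s.cert_san_mac) == normalize_mac(s.calling_station_id)


def cert_expired(s: Session, today: date) -> bool:
    return s.cert_not_after is not None and s.cert_not_after < today


def lab_rules(with_renewal_rule: bool = True) -> List[Rule]:
    """Wireless authorization rules in evaluation order; the first matching rule wins."""
    rules: List[Rule] = [
        ("Wireless Black List Default", lambda s, t: "Blacklist" in s.endpoint_groups,
         "Blackhole_Wireless_Access"),
    ]
    if with_renewal_rule:
        # Assumed rule of the kind the step 7 note describes: an expired certificate reaches
        # authorization (expired certs are allowed) but only receives a renewal/redirect result.
        rules.append(("Cert Renewal (assumed)", lambda s, t: s.eap_method == "EAP-TLS" and cert_expired(s, t),
                      "Cert_Renewal_Redirect (assumed name)"))
    rules += [
        ("BYOD Provisioning",
         lambda s, t: s.eap_method == "EAP-MSCHAPv2" and DOMAIN_COMPUTERS not in s.ad_groups,
         "NSP_Onboard"),
        ("BYOD Access",
         lambda s, t: "RegisteredDevices" in s.endpoint_groups and s.eap_method == "EAP-TLS" and mac_in_san(s),
         "BYOD Access"),
    ]
    return rules


def authorize(s: Session, today: date, rules: List[Rule], allow_expired: bool = True) -> str:
    """Authentication-phase certificate checks first, then first-match authorization."""
    if s.eap_method == "EAP-TLS":
        if s.cert_revoked:
            return "ACCESS-REJECT: certificate revoked"
        if cert_expired(s, today) and not allow_expired:
            return "ACCESS-REJECT: certificate expired"
    for _name, condition, profile in rules:
        if condition(s, today):
            return profile
    return "DenyAccess"  # nothing matched; the lab's other rules are not modelled here


TODAY = date(2017, 9, 20)      # date printed in the lab footer
IPAD = "A4-D1-8C-12-34-56"     # constructed MAC for the pod iPad
SAN = "a4:d1:8c:12:34:56"      # same MAC as placed in the SAN, different formatting
VALID = date(2019, 9, 20)      # 730-day template validity counted from TODAY
EXPIRED = date(2017, 9, 1)
REGISTERED = ("RegisteredDevices",)


def demo() -> Dict[str, str]:
    """Walk the iPad through the states from Tasks 5 and 6 and return the authorization result of each."""
    tls = dict(eap_method="EAP-TLS", endpoint_groups=REGISTERED, cert_san_mac=SAN, cert_not_after=VALID)
    cases = {
        "first_join": (Session(IPAD, "EAP-MSCHAPv2", ad_groups=("gklabs.com/Users/Domain Users",)), lab_rules(), True),
        "onboarded": (Session(IPAD, **tls), lab_rules(), True),
        # Marked Lost: endpoint moved into Blacklist and a CoA issued; the certificate is still valid.
        "lost": (Session(IPAD, **dict(tls, endpoint_groups=REGISTERED + ("Blacklist",))), lab_rules(), True),
        # Marked Stolen: the endpoint certificate is revoked, so EAP-TLS fails before authorization.
        "stolen": (Session(IPAD, **dict(tls, endpoint_groups=("Blacklist",), cert_revoked=True)), lab_rules(), True),
        # Certificate exported to another device: the SAN MAC no longer equals the Calling-Station-ID.
        "cloned_cert": (Session("00-11-22-33-44-55", **tls), lab_rules(), True),
        "expired_with_renewal_rule": (Session(IPAD, **dict(tls, cert_not_after=EXPIRED)), lab_rules(), True),
        # The step 7 caveat: allowing expired certificates without a renewal rule gives them full BYOD access.
        "expired_without_renewal_rule": (Session(IPAD, **dict(tls, cert_not_after=EXPIRED)), lab_rules(False), True),
        "expired_not_allowed": (Session(IPAD, **dict(tls, cert_not_after=EXPIRED)), lab_rules(), False),
    }
    return {name: authorize(sess, TODAY, rules, allow) for name, (sess, rules, allow) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} -> {result}")
```

Two results are worth comparing with the Live Logs you examined: the "cloned_cert" session is a registered endpoint with a valid certificate, yet it falls through to DenyAccess because MAC_in_SAN compares the certificate's SAN with the Calling-Station-ID, which is why the template in step 3 puts the MAC in the SAN. The two "expired" sessions show the step 7 caveat directly: the only difference between a renewal redirect and full BYOD Access is whether a rule that matches expired certificates sits above BYOD Access.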

Lab Complete
