Configuring ISE for BYOD Onboarding
Configuring ISE for Onboarding
Here we will see all list of configuration that is essential to learn Configuring BYOD in ISE.
Configure Native Supplicant Profile
NSP defines the network setting for endpoints that will go through onboarding. Native Supplicant profile defines the following:
- One or more wireless SSIDs
- EAP type to use (PEAP or EAP-TLS)
- Key size for certificates
- Level of wireless security
- If it applies to wired, wireless, or both
- Proxy configuration, if any
- Whether or not to connect to the SSID if not broadcasting
Beginning with ISE 2.0, NSP is preinstalled, below path will let you go to see the latest Client Provisioning resources from cisco site and you can then edit them to prebuilt native supplicant profile.
Work Centers | BYOD | Client Provisioning | Resources
If you want to download newer choose Add | Agent Resources from Cisco Site
Make sure to enable Proxy setting in ISE. Below is the list of all version of Clients, select any one of them to download and save.
On the resource screen, Select the Pre-Configured NSP Cisco-ISE-NSP | Edit.
It should have pre-configured wireless network SSID of ISE, below figure shows content of Cisco-ISE-NSP.
Select ISE and Edit, it will show you pre-configured wireless profile with SSID named ISE with WPA2 and TLS that leverages the EAP_Authentication_Certificate_Template and will connect even if the network is not broadcasting.
Verify Certificate Template
ESP-TLS is very common and when TLS is used, a certificate must be issued to endpoints. Certificate template provides information about certificate content, its strength, and CA information that has issued this certificate.
Verify default EAP_Authentication_Certificate_Template that is used in the default Cisco-ISE-NSP native supplicant profile.
Work Centers > BYOD > Portals & Components > Certificates > Certificate Templates | select EAP_Authentication_Certificate_Template | Edit
Here you will see, Certificate template is configured with following fields:
- Common name (CN) set to the $UserName$ variable. This is automatically substituted with the username of the employee performing the onboarding. organization (O) and organizational unit (OU)
- Subject Alternative Name (SAN) field. The drop-down box has only one choice, which is MAC Address; because this cannot be changed or removed
- Default template is configured to use RSA as the key type with default RSA key size is 2048, but that size can be changed to 1024 or 4096.
- SCEP RA Profile to configure which CA should be used to sign the certificates. The default configuration is to use the internal CA; if an external CA is configured in ISE, it will also be in the drop-down list
- Valid Period setting determines how long the certificate is “warranted” by the CA
- The default setting for Extended Key Usage (EKU) of an endpoint certificate is Client Authentication only
Verify Client Provisioning Policy
You need client Provisioning policy (CPP) in order to send NSP to clients. CPP instruct, which software and profile needs to be downloaded and installed based on OS of endpoints.
There is one CPP per OS using the preinstalled native supplicant wizards, native supplicant profiles, and certificate templates. To examine these preconfigured policies, navigate to Work Centers | BYOD | Client Provisioning
As an example, see how to very CPP for Apple iOS and then you can by your own verify CPP for Android.
- On rule name IOS , Click Edit at right end of the row
- Note , this rule can apply to specific user or endpoint identity groups, Specific OS and other conditions are configured in CPP
- Click on + on result column, here you will see Cisco-ISE-NSP profile is selected , due to which ISE BYOD portal uses the OTA provisioning process that is native to Apple iOS.
BYOD and WebAuth Portals
These portals represents client, when they login via Single SSID or Dual SSID. For Single SSID, BYOD portal is used, and for Dual SSID, WebAuth Portal is used.