
ISE Configuration – BYOD setup

In today's blog, let's walk through the configuration steps needed to set up BYOD on ISE.

1.     Administration>Identity Management>Identity Source Sequences and edit the MyDevices_Portal_Sequence. In this sequence, add the AD server to the Selected column and make sure it is at the top of the list

2.     Edit the Guest_Portal_Sequence and add the AD server to the top of the Selected column

3.     Administration>Device Portal Management>My Devices and edit My Devices Portal (default).

4.     On the Portal Settings page, make sure to choose MyDevices_Portal_Sequence from the Authentication method drop-down

5.     Navigate to Policy>Policy Elements>Results>Client Provisioning>Resources and click Add>Native Supplicant Profile

6.     Name - MOBILE-TLS

7.     Under Wireless Profiles, click Add:
- SSID Name - EmployeeSSID
- Security - WPA2 Enterprise
- Allowed Protocol- TLS
- Certificate Template – BYOD

8.     Navigate to Policy>Client Provisioning

9.     Change the Results of the iOS and Android policies to MOBILE-TLS

10.  Go back to the WLC and navigate to Security>Access Control Lists>Access Control Lists and create the following ACLs

11.  Add for iOS – NSP-ACL

a.     Permit – Source = Any – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Outbound

b.     Permit – Source = Any – Destination = Any – Protocol = ICMP – Source port = Any – Dest port = Any – Direction = Inbound

c.     Permit – Source = Any – Destination = ISE/32 – Protocol = Any – Source port = Any – Dest port = Any – Direction = Inbound

d.     Permit – Source = Any – Destination = Any – Protocol = UDP – Source port = Any – Dest port = DNS – Direction = Inbound

e.     Permit – Source = Any – Destination = Any – Protocol = UDP – Source port = Any – Dest port = DHCP Server – Direction = Inbound

f.     Deny – Source = Any – Destination = Internal subnets – Protocol = Any – Source port = Any – Dest port = Any – Direction = Inbound

g.     Permit – Source = Any – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Any

12.  Add for Blackhole – BLACKHOLE

a.     Permit – Source = Any – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Outbound

b.     Permit – Source = Any – Destination = Any – Protocol = ICMP – Source port = Any – Dest port = Any – Direction = Inbound

c.     Permit – Source = Any – Destination = ISE/32 – Protocol = Any – Source port = Any – Dest port = Any – Direction = Inbound

d.     Permit – Source = Any – Destination = Any – Protocol = UDP – Source port = Any – Dest port = DNS – Direction = Inbound

e.     Deny – Source = Any – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Any

13.  Add for Android – NSP-ACL-GOOGLE

a.     Permit – Source = Any – Destination = Any – Protocol = UDP – Source port = DHCP Client – Dest port = DHCP Server – Direction = Inbound

b.     Permit – Source = Any – Destination = ISE – Protocol = Any – Source port = Any – Dest port = Any – Direction = Any

c.     Permit – Source = ISE – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Any

d.     Deny – Source = AD/DNS – Destination = Any – Protocol = UDP – Source port = DNS – Dest port = Any – Direction = Any

e.     Permit – Source = Any – Destination = AD/DNS – Protocol = UDP – Source port = Any – Dest port = DNS – Direction = Any

f.     Deny – Source = Any – Destination = 171.71.181.0/24 – Protocol = Any – Source port = Any – Dest port = Any – Direction = Inbound

g.     Permit – Source = Any – Destination = Internal subnets – Protocol = Any – Source port = Any – Dest port = Any – Direction = Inbound

h.     Permit – Source = Any – Destination = Any – Protocol = Any – Source port = Any – Dest port = Any – Direction = Any

14.  Policy>Policy Elements>Results>Authorization>Downloadable ACLs and create the following DACL

15.  Name: BLACKHOLE
ACL (replace "ISE" with the IP address of the ISE node):
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host "ISE"
deny ip any any
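As an added check that is not part of the original post or any Cisco tooling, the following Python first-match evaluator parses the BLACKHOLE DACL from step 15 and lets you confirm, before pushing the authorization profile, that a blacklisted endpoint can reach only DHCP, DNS, ICMP and ISE. The ISE address 10.0.0.5 is a constructed placeholder for the "ISE" host; the parser also accepts IOS wildcard-mask ACEs so the same check can be applied to the deny-to-internal-subnets entries.

```python
import ipaddress

ISE_IP = "10.0.0.5"  # constructed placeholder for the ISE node address
BLACKHOLE_DACL = f"""
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit ip any host {ISE_IP}
deny ip any any
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}  # IOS port keywords

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard-mask' (mask is inverted)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_acl(text):
    """Parse IOS-style extended ACEs into (action, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """Return the first matching ACE's action; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, sp, dst_net, dp in aces:
        if p not in ("ip", proto) or s not in src_net or d not in dst_net:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"
```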

16.  Policy>Policy Elements>Results>Authorization>Authorization Profiles and create the following profiles

17.  Name: BLACKHOLE
- Check ACL and choose BLACKHOLE from the drop-down
- Check Airespace ACL Name and type in BLACKHOLE
Note: For extra security, you can also create a blackhole VLAN and add it to this authorization profile

18.  Name: BYOD-SUPP
- Check the box for Web Redirection and, from the drop-down, choose Native Supplicant Provisioning. In the ACL field, type ISE-ONLY. In the Value field, choose BYOD Portal (default)

19.  Name: BYOD-SUPP-ANDROID
- Check the box for Web Redirection and, from the drop-down, choose Native Supplicant Provisioning. In the ACL field, type NSP-ACL-GOOGLE. In the Value field, choose BYOD Portal (default)

20.  Policy>Policy Elements>Conditions>Authorization>Compound Conditions and create the following conditions

21.  Name: BYOD-SUPP
Conditions:
Network Access:EapAuthentication equals EAP-MSCHAPv2
AD1:ExternalGroups equals BYOD-User <- selects the individuals who are allowed to use BYOD, which is why I'm specifying a different group than Domain Users if necessary

22.  Name: ANDROID-BYOD-SUPP
Conditions:
Network Access:EapAuthentication equals EAP-MSCHAPv2
AD1:ExternalGroups equals BYOD-User
Session:Device-OS equals Android

23.  Name: BYOD-REG
Conditions:
Network Access:EapAuthentication equals EAP-TLS
Endpoints:BYODRegistration equals Yes

24.  Policy>Policy Sets and edit the WirelessDot1x existing policy

25.  Under the Authorization Policy, add the following rule above all other rules:

26.  Rule Name: Wireless-Blacklist
If: Blacklist <- Default logical group that should exist in ISE already
Then: BLACKHOLE

27.  Create the following rules below the Vendor-Access rule, in this order

28.  Rule Name: Android BYOD-Supplicant
If: Leave at Any
Condition(s): Wireless_802.1X and ANDROID-BYOD-SUPP
Then: BYOD-SUPP-ANDROID

29.  Rule Name: BYOD-Supplicant
If: Leave at Any
Condition(s): Wireless_802.1X and BYOD-SUPP
Then: BYOD-SUPP

30.  Rule Name: BYOD-REG
If: Leave at Any
Condition(s): Wireless_802.1X and BYOD-REG
Then: EMPLOYEE-ACCESS

31.  Make sure the default rule is set to DenyAccess

32.  Policy > Policy Sets and click on the existing Wired Dot1x policy

33.  Add a new Authorization Policy rule right below the Non Compliant Employee Access rule

a.     Name = BYOD access

b.     Conditions = the existing condition BYOD_is_Registered

c.     Then = the EMPLOYEE-ACCESS permission

34.  Add a new Authorization Policy rule below BYOD access

a.     Name = BYOD Redirect

b.     Conditions = CWA:CWA_ExternalGroups EQUALS "Windows Domain group that allows BYOD"

c.      Then = NSP_Onboard

35.  Policy > Client Provisioning – click on the Windows rule (or the Windows_Posture_AMP rule, if doing posture) and set the Results to

a.     Config Wizard = WinSPWizard 2.1.0.51 (or the latest available)

b.     Wizard Profile = MOBILE-TLS

36.  Policy > Policy Elements > Client Provisioning > Resources and click on the MOBILE-TLS profile

a.     Click on the Wired Profile

b.     Allowed protocol – PEAP

c.      Authentication mode – User or Computer

To use the ISE internal CA for BYOD

1.     Navigate to Policy>Policy Elements>Results>Client Provisioning>Resources and click Add>Native Supplicant Profile

2.     Edit the MOBILE-TLS profile

3.     On the Wireless profile, change the certificate template to the internal CA template, EAP_Authentication_Certificate_Template.