topic Re: Ask the Expert: BYOD with Identity Services Engine in Network Access Control

Ask the Expert: BYOD with Identity Services Engine

ciscomoderator — Mon, 11 Mar 2019 03:35:56 GMT

with Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

Re: Ask the Expert: BYOD with Identity Services Engine

huangedmc — Mon, 01 Jul 2013 06:53:49 GMT

hello Bernardo,

Could you please tell me the minimal version of Mac OSX that's supported for auto-provisioning / client onboarding?

We're running ISE 1.1.3, and were able to onboard Windows 7, Apple iOS, and Android devices, but not a MacBook in our tests.

The MacBook was quite old, so we'll find another Mac OSX device to test, but wanted to know what the minimal requirement is.

===

Also, we followed a Cisco BYOD guide to do onboarding for Android devices, by allowing tcp & udp ports 5228, 8889, and 8880 to Google subnets in the WLC re-direct ACL.

However, we found that's not enough, and had to also allow tcp 80 & 443, otherwise client Android deivce would not be able to connect to Google Play & download the Cisco network setup assistant.

This creates confusion for the end users, because they wouldn't get redirected when they browse to google.com, until they hit a non-Google URL.

Is there any way around this caveat?

I know it's not Cisco's fault that ports 80 & 443 are required for Google Play to work, but was just wondering if anyone's found a good way to work around this.

===

Because of the Android Google Play caveat above, we tried to use a different redirect ACL on WLC, just for Android devices, so that all the non-Android users would be redirected when they browse to google.com, as an attempt to cut down confusion (by not having permits to Google subnets in the RACL).

Unfortunately it's not working.

When Android users connect, WLC realizes it's supposed to use a different ACL called "ACL-REDIRECT-GOOGLE".

I can see it when I click into the client details on the WLC.

However, the ACL hitcount remains zero.

If you happen to know what's causing this issue on top your head because you've seen it before, please let me know.

Otherwise we can just open a TAC case, since it'll probably require some sort of debugging, which is hard to do through a NetPro forum.

===

thanks!

Kevin

Ask the Expert: BYOD with Identity Services Engine

Amjad Abdullah — Mon, 01 Jul 2013 07:57:50 GMT

Hello Bernardo,

How are you? Hope everything is OK.

As a new guy that wants to start using and configuring ISE, is there anything like "quick start guide" for configuration?
Or basic configuration examples?

I am aware that there is a user guide but from my experience it is not handy when you want quick hints only.

If there is something like config examples for the basic and most common scenarios that will be more useful and more time-saving.

Regrards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Mon, 01 Jul 2013 10:07:58 GMT

Hello Kevin,

What Mac OS version were you running? It should be supported from Mac OS X 10.4:

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp269183

I've also found information that it's supported from 10.5.2 only (perhaps only applicable to Agent 4.9.x versions).

Regarding the Google play issues, the recommendation is to allow traffic to the IP addresses of the google play stores. You can verify your regional IP addresses with nslookup play.google.com. This will not interfere with the google page.

Regarding the ACL, if you do see it applied correctly on the WLC but there aren't any hits, the best is indeed to open a TAC case for the WLC.

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

salilai01 — Mon, 01 Jul 2013 15:50:58 GMT

Hi Bernardo,

I'm very glad to know that I can ask all my questions to an expert in the ISE domain.

For this topic, I have to make a matrix comparative between ISE on vmware and ISE on physical appliance, could you help me to present it as simple possible? my problem is that I don't have enough points of comparison

Thanks in advance

Ask the Expert: BYOD with Identity Services Engine

descalante2007 — Mon, 01 Jul 2013 18:22:22 GMT

Hello Bernardo:

I have a couple of issues related to Guest Sponsor and Guest Activity

1) I already have the ISE communicating with the AD successfully. I also had modified the AuthC rules to validate that only my customer employees have access to the SPONSOR Portal. But the customer is worried about AD security; I understand LDAP is not secure so the option is to use LDAPS, but the customer does not like to provide us with the Certificate Root Certificate ... So the questions are, How dangerous can be the ISE vs AD connection? Is it really unsecure? What other options we may have?

2) The same customer likes to get guest activity reports (actually I just waiting to be allowed to access the ASA). The ISE is a 3315 model; I had read the manual indicating that automatic backups are done when the disk space reach 80% (default) and only last 90 days (default) are keeped on the system. The questions are about how apply this parameters in this model ... I mean 80% of 500 GB (factory HD) or 80% from something else ...

On the other hand could it be possible to set the ASA send syslog messages somewhere different to ISE and then the ISE retrieve the data to generate the guest activity report?

Regards.

Ask the Expert: BYOD with Identity Services Engine

Rasika Nayanajith — Tue, 02 Jul 2013 08:17:17 GMT

What are the main additional features of ISE 1.2 compare to the current version & when it is expect to release ?

Rasika

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Tue, 02 Jul 2013 08:50:07 GMT

Hello Amjad,

ISE is quite a complex product and I'm not aware of any quick start guide for it. Are you looking for information in any particular subject?

There are a few example configuration guides for specific scenarios here, does this help?

http://www.cisco.com/en/US/products/ps11640/prod_configuration_examples_list.html

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Tue, 02 Jul 2013 16:45:52 GMT

Hello,

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

2) The backups are triggered when the MNT node's disk is 80% full.

ISE will not actively fetch the data for the guest activity report, the ASA must be configured to send the syslogs to ISE directly.

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Tue, 02 Jul 2013 17:01:52 GMT

Hi Rasika,

In short, there will be many enhancements to existing features, such as:

- Guest and Sponsor pages

- Reports and Alarms

- Live authentications page

- NAC Agent

- Performance and scalability

Some new things are also being added, for example:

- Interoperability with MDM

- MAB from non-Cisco switches

- Wildcard certificates support

- Support for Windows AD 2012

Were you looking for any particular enhancements?

I recommend going through the release notes once the release is available, for more information and an extensive list.

There is no clear release date yet, but it's expected to be available towards the end of the month/beginning of August. However, keep in mind it may be subject to delays depending on the dev test results.

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

descalante2007 — Tue, 02 Jul 2013 17:14:29 GMT

Thanks for your reply

you said:

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

The question is how is the traffic between ISE and DC protected? The customer request us to use LDAPS because they know the communication with AD is usually in clear text using LDAP ... is it right?

Best regards

Daniel

Re: Ask the Expert: BYOD with Identity Services Engine

Octavian Szolga — Tue, 02 Jul 2013 17:41:16 GMT

Hello Bernardo,

Can you please detail how can one configure posture for remote access users using iPEP and an ASA that is providing RA VPN services, internet connectivity for internal users and resource publishing by using DMZ?

I'm asking this in the context in which the ASA has to send the traffic from RA VPN pool to inside network and only this traffic by the means of iPEP, and ASA does not support Policy Based Routing so that the routing decision to be made using the source IP address.

Any thoughts/ideas? Is there any Cisco tehnical support team /portal for cases like this one?

I've also wrote a fairly long post about this problem, but nobody had the pleasure or willing to answer.

(https://supportforums.cisco.com/thread/2224538)

Ask the Expert: BYOD with Identity Services Engine

Amjad Abdullah — Wed, 03 Jul 2013 10:44:52 GMT

Thank you Bernardo,

Thank you for the config examples link.

I understand that ISE is a complex product and is not really easy. But I was thinking if there is a guide or something for those people coming from ACS 5.x perspective.

The config examples are really helpful if followed to make one understand the configuration procedures.

Thank you.

Amjad

Rating useful replies is more useful than saying "Thank you"

Ask the Expert: BYOD with Identity Services Engine

radu.ioncu — Wed, 03 Jul 2013 10:58:27 GMT

Hello Bernardo,

I am having issues with the Cisco NAC Agent popping up in my current ISE deployment. ISE version is 1.1.3 patch 2, and the deployed NAC agent version is 4.9.0.51.

The Cisco NAC agent has no problem popping - no preconfigured XML file - up with PC's connected via both Wi-Fi (WLC 4400) and wired (CAT4500 15.0.2 - SGA6) on VLANs with DHCP turned on. When I connect the PC - wired - to a VLAN with no DHCP server configured and with a static IP address, the NAC Agent does not pop up, and the PC is stuck in the Posture_Discovery_AuthZ phase.

This happens on the same switch, on the same port with the same configuration - the only difference being the VLAN swap (works with DHCP VLAN, doesn't work with STATIC IP VLAN).

Are there any known caveats for NAC Agent popping up with PC's with Static IP's set?

Thanks!

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Wed, 03 Jul 2013 16:23:07 GMT

Hello Radu,

I'm not aware of any caveats for NAC Agent with static IP address.

When the Agent starts, it tries to discover the policy node like like this:

1. HTTP discovery probe on port 80 to discovery host, if one is configured.

2. HTTPS discovery probe on port 8905 to the discovery host, if one is configured.

3. HTTP discovery probe on port 80 to default gateway.

4. HTTPS reconnect probe on 8905 to previously contacted ISE policy node.

5. Repeat from 1.

As you don't have a discovery host configured, the first 2 steps are skipped. Then, the Agent should send the HTTP discovery probe on port 80 to the default gateway. This request should be redirected by the switch, with the redirect URL it receives from ISE.

I suggest checking:

- client default gateway configuration

- that the switch interface is getting the redirect URL

- that the ACL redirects the HTTP traffic towards the ISE

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Eduardo Aliaga — Thu, 04 Jul 2013 06:55:29 GMT

Hello Bernardo

1) What would you say it's the best practice to configure the "discovery host" in a distributed deployment. Will it be to put the ip addresses of every ISE PSNs in the "discovery host field" ? or leaving this field empty ?

2) Is it possible to trigger the NAC agent immediately after computer authentication ? currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop-up, that's very annoying for the user.

Best regards

Ask the Expert: BYOD with Identity Services Engine

radu.ioncu — Thu, 04 Jul 2013 07:11:45 GMT

Hi Bernardo,

Thank you for the quick reply. After your answer, we realized that the issue wasn't related to DHCP, it was most likely a PC issue.

During the NAC Agent implementation, I have observed several cases of the NAC Agent not popping up, even though network configuration is OK (I always test with no Discovery Host configuration enabled - or I delete the .xml file). I have not been able to pinpoint the exact cause, though sometimes the NAC Agent does pop up if I restart PC's with the Ethernet cable connected.

We have also seen problems with users going from Wired to Wi-Fi and ending up stuck in Posture_Discovery phase. Do you have any insight into this issue, and why it seems to happen on a random basis? Would a NAC Agent update help with this issue? (currently running 4.9.0.51).

Thank you!

Ask the Expert: BYOD with Identity Services Engine

S M85 — Thu, 04 Jul 2013 10:56:05 GMT

I would like to know if NIC bonding is on the road map of ISE?

Re: Ask the Expert: BYOD with Identity Services Engine

S M85 — Thu, 04 Jul 2013 11:00:18 GMT

My customer is limited in his VM space. Although he would like to have a active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this in production. With a limited HDD space, what would be the recommended space (300 GB?)

	administration	monitoring	policy service
Machine VM	primary	Not enabled	enabled
Machine HW	secondary	primary	enabled

Ask the Expert: BYOD with Identity Services Engine

Bernardo Gaspar — Fri, 05 Jul 2013 05:48:59 GMT

Hello Sander,

To the best of my knowledge, it's not on the roadmap yet. I'd advise to get in touch with your local Cisco account/sales team and ask for an enhancement.

Thank you and best regards,

Bernardo