topic Re: ISE BYOD Migration Question in Network Access Control

ISE BYOD Migration Question

gsheppar — Mon, 22 Feb 2016 15:40:45 GMT

Hey Guys,

Customer is building a new fresh ISE 2.0 (previous ISE 1.3) environment and are curious how BYOD clients will handle this migration. The new ISE environment will be fresh (new certs/config/IP's) but will connect to the same internal PKI/AD infrastructure. I would assume the only issue for BYOD clients would be the need to trust the new PSNs when they hit them since they have not seen that certificate before. Any other foreseen issues for these BYOD clients?

Re: ISE BYOD Migration Question

Timothy Abbott — Mon, 22 Feb 2016 16:22:52 GMT

Shouldn't be an issue if you're using public certs for portals and as you've already called out, some clients will require the user to trust the new PSN the first time they see it. Other than that, shouldn't be an issue.

Regards,

-Tim

Re: ISE BYOD Migration Question

hslai — Mon, 22 Feb 2016 16:24:28 GMT

If the customer is using ISE internal CA, added in ISE 1.3, then we would need to export the Internal CA store from the old ISE 1.3 primary PAN and later import it to the new 2.0 deployment. ISE admin CLI "application configure ise", option 7 for export and option 8 for import.

If the EAP certificates of the new and old PSNs are signed by the same CA chain, authentications should continue to work.

If the customer also uses certificate renewal and has different admin certificates for the new and old PSNs, Apple iOS endpoints need remove the existing configuration profile manually and go through BYOD again during the renewal.

Re: ISE BYOD Migration Question

gsheppar — Mon, 22 Feb 2016 17:35:12 GMT

Thanks Tim. Customer is using Public certificates for the portals but internal CA for the EAP authentication so from the sounds of it should be good.

Re: ISE BYOD Migration Question

gsheppar — Mon, 22 Feb 2016 17:37:25 GMT

hslai can you elaborate on your last point? The admin certificates will be new and customer does have rules for certificate redirect to portal for expiring certificates. They are using their Microsoft CAs and not the internal ISE CA for handing out certificates.

Re: ISE BYOD Migration Question

hslai — Tue, 23 Feb 2016 00:04:39 GMT

Apple iOS devices do not allow installing another configuration profile with the same name if the payload is changed. The configuration profile on Apple iOS devices is signed by the admin certificate of ISE PSN, which authenticated and performed the BYOD, so that this admin certificate is part of the payload.

The workaround is to use a single wild-card of UCC certificate for all ISE PSNs for the same set of network devices.

Re: ISE BYOD Migration Question

gsheppar — Tue, 23 Feb 2016 00:24:18 GMT

Thanks so if I understand this correctly since this is a fresh environment will all new PSNs/Certificates only two options would be to delete old profile and re-enroll or change profile name. This will only affect them when they come to renew the certificate for Apple iOS devices correct?

Re: ISE BYOD Migration Question

hslai — Tue, 23 Feb 2016 00:36:14 GMT

That is about it.

As I recalled, ok to have two configuration profiles named differently but with the same Wi-Fi network ID. I've not recently tested it because we have been using the same name.

Re: ISE BYOD Migration Question

gsheppar — Tue, 23 Feb 2016 00:43:03 GMT

Thanks!!! I guess my only concern would be how iOS would prioritize profiles. If it kept trying to use the old profile ISE would redirect to client to the BYOD provisioning portal. Guess only option is really to delete that old profile. Interesting I have not seen this caveat called out in any documentation.

Re: ISE BYOD Migration Question

gsheppar — Tue, 23 Feb 2016 00:45:17 GMT

Found it. Thanks guys for all the help!!!

Cisco Identity Services Engine Administrator Guide, Release 1.3 - Manage Certificates [Cisco Identity Services Engine] …

Re: ISE BYOD Migration Question

gsheppar — Thu, 25 Feb 2016 17:21:05 GMT

Hey guys one last question. Any way to migrate the registered endpoints? I don't think this has any effect on users authenticating since we are just checking the cert but obviously without it they would have no way to list a device as lost.

Re: ISE BYOD Migration Question

hslai — Thu, 25 Feb 2016 21:20:59 GMT

For endpoint group static assignments, we may use CSV export of endpoints from ISE 1.3 and then import to ISE 2.0.

If needing portalUser, then use ISE endpoint API from ISE ERS. The on-line doc @ https://<ISE-PPAN-IP-or-FQDN>:9060/ers/sdk will have more info, once ERS is enabled.