1331 Views | 1 Helpful | 13 Replies
Beginner

ISE 2.1 Linux BYOD Client provisioning

Hi

Please assist: where do I get the client provisioning for Linux machines? I am unable to download it directly from ISE. Or please assist with the configuration of this. I get "device not supported" in the BYOD flow.

Regards

Chris

Accepted Solution
Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

There is no posture compliance (AnyConnect system scan) or BYOD flow support for Linux devices.

For EAP-TLS cert auth to ISE:

In ISE you can use our certificate provisioning portal to generate an endpoint certificate for Linux, which you can then install manually. There is an API that can help automate this as well.

13 Replies

Beginner

Re: ISE 2.1 Linux BYOD Client provisioning

Thanks

But the solution is for wired, so I need a way to profile the device as Linux and then get the user to log in via CWA, bypass client provisioning to match the AD group, and provide rights as per the AD group. Is there any way of doing this?

Regards

Chris

Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

Certainly you can profile and send them to a CWA portal. However, there is a chicken-and-egg thing going on here. If it's a new device, unless you specify a list of MAC addresses of your Linux machines, then we need to hit a portal to find out if it is a Linux machine.

Can you explain further what you would like to do?

Step by step, what is supposed to happen with the following when they first connect:

Linux devices

Windows / Apple Mac

Beginner

Re: ISE 2.1 Linux BYOD Client provisioning

My question here is, if I enable NMAP under Profiler Policy List > Workstation (Dell, HP and so on), what kind of CPU load will this add if this is enabled? Running ISE 2.1.

Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

This wouldn't work, because you're trying to profile as a Linux workstation. What good would it do you to identify the type of physical workstation they are using? Does a specific type of physical workstation (example: HP) only run Linux? Are you running Linux on multiple different types of hardware?

If these are company-owned Linux machines then you might need to somehow identify

I would suggest you learn about profiling here - https://communities.cisco.com/docs/DOC-68156

Please explain the flows you are wanting to support from the wired switch

Beginner

Re: ISE 2.1 Linux BYOD Client provisioning

Catch-all CWA rule: need to be able to log in with a Linux machine, with no client provisioning enabled for Linux only. Possible or not?

Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

There is this setting:

[screenshot: Screen Shot 2017-10-09 at 2.30.57 PM.png]

There is no way to call this out in the client provisioning policy.

[screenshot: Screen Shot 2017-10-09 at 2.23.46 PM.png]

It's still not clear on your flows. How do you want to handle other OSes? Are you doing BYOD certificate provisioning or posture, etc.?

You might want to call the TAC and explain this to have a detailed conversation. Or request through your sales channel to discuss with an ISE expert. From this thread you are not providing enough context on what you're wanting to do.

You could possibly do this:

if wired_mab and windows/mac and using certificate then permitWindowsMACaccess

if wired_mab and linux then PermitLinuxAccess

if wired_mab and windows/mac then BYOD

if wired_mab then redirect to CWA (when they hit the portal they will be profiled)
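The rule order proposed in the reply above, worked through as an added example that is not part of the original thread and is not Cisco ISE code: a small first-match policy evaluator in Python that shows why the catch-all CWA redirect has to be the last rule, and why a never-seen endpoint must hit the portal before it can be profiled as Linux and re-authorized after the CoA. The endpoint attribute names, the profile names (Linux-Workstation, Windows-Workstation, Apple-Device) and the way the profile is "learned" are assumptions for illustration; the real evaluation is done by ISE, not by this script.

```python
"""Toy first-match authorization policy evaluator.

Added example, not Cisco ISE code. It models the rule order proposed in the
reply above (wired MAB + Windows/Mac with certificate, wired MAB + Linux,
wired MAB + Windows/Mac, wired MAB catch-all redirect to CWA) to show two
things: the catch-all must sit last, and a never-seen endpoint has to be
redirected to a portal before the profiler can tell it is Linux. Attribute
names, profile names and result names below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    media: str                     # "wired" or "wireless"
    auth_method: str               # "mab" or "dot1x"
    profile: Optional[str] = None  # None = not yet profiled (first connection)
    has_cert: bool = False         # endpoint presented a certificate


Rule = Tuple[str, Callable[[Endpoint], bool], str]  # (name, condition, result)


def wired_mab(ep: Endpoint) -> bool:
    return ep.media == "wired" and ep.auth_method == "mab"


def is_win_mac(ep: Endpoint) -> bool:
    return ep.profile in ("Windows-Workstation", "Apple-Device")


def is_linux(ep: Endpoint) -> bool:
    return ep.profile == "Linux-Workstation"


# Same order as the reply: most specific first, catch-all last.
RULES: List[Rule] = [
    ("WinMac-Cert", lambda ep: wired_mab(ep) and is_win_mac(ep) and ep.has_cert, "permitWindowsMACaccess"),
    ("Linux", lambda ep: wired_mab(ep) and is_linux(ep), "PermitLinuxAccess"),
    ("WinMac-BYOD", lambda ep: wired_mab(ep) and is_win_mac(ep), "BYOD"),
    ("CatchAll", wired_mab, "CWA_Redirect"),
]

# What happens if someone drags the catch-all to the top of the policy.
MISORDERED: List[Rule] = [RULES[3]] + RULES[:3]


def authorize(ep: Endpoint, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Top-down, first match wins; no match falls to an implicit deny."""
    for name, condition, result in rules:
        if condition(ep):
            return name, result
    return "Default", "DenyAccess"


def first_connect_flow(ep: Endpoint, os_seen_at_portal: str,
                       rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Trace one endpoint through its first connection.

    Pass 1: the endpoint has no profile, so only the catch-all can match and
    it is redirected to the CWA portal. The portal hit gives the profiler an
    HTTP user-agent, the profile changes, and (in ISE) that fires a CoA so the
    session is re-authorized. Pass 2 is that re-evaluation.
    """
    trace = [authorize(ep, rules)]
    if trace[-1][1] == "CWA_Redirect":
        ep.profile = os_seen_at_portal       # assumed: learned from the portal hit
        trace.append(authorize(ep, rules))   # CoA re-evaluation
    return trace


if __name__ == "__main__":
    new_linux = Endpoint("00:11:22:33:44:55", "wired", "mab")  # constructed sample
    for step, (rule, result) in enumerate(first_connect_flow(new_linux, "Linux-Workstation"), 1):
        print(f"pass {step}: rule={rule} result={result}")
    # With the catch-all first, an already-profiled Linux box is still redirected:
    print(authorize(new_linux, MISORDERED))
```

The point the trace makes: the Linux endpoint is only ever authorized by the "Linux" rule on the second pass, after the portal redirect has given the profiler something to work with. Put the catch-all anywhere above that rule and every wired MAB endpoint, profiled or not, keeps landing on the redirect.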

Beginner

Re: ISE 2.1 Linux BYOD Client provisioning

Hi Jason

See below. Network Setup Assistant pushed the settings below with the public root CA from ISE. No EAP-TLS is used in this deployment.

You have, let's say, 10000 clients, some of which are domain users but on private machines.

Only domain machines are posture-checked with AnyConnect clients and the posture agent. Working on all Windows machines. EAP chaining result: machine and user authenticated.

The rest of the machines are BYOD machines. The above native supplicant profile is used and sent to Windows and Mac OS X users. Tested working. The user can be identified as staff or non-staff and authorization profiles with rights are enforced.

Now you have users who have their own machines with Linux. For them to access corporate resources you need to identify them. You send them to a portal to log in (catch-all MAB CWA rule) to capture their details; from here "device not supported" is displayed in the BYOD flow for Linux machines. The question here is how you allow these machines on the network without any user interaction, or with little, and how you identify the user for this machine.

Settings already enabled as per your screen shot.

Hope this information helps or if still unclear I can add more if you need.

Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

Would recommend working through TAC to debug, please update with the solution

Beginner

Re: ISE 2.1 Linux BYOD Client provisioning

Hi Jason

What I am currently doing is the following. MAB rule with CWA, then the user logs in with AD credentials to get the machine profiled as Linux. I have set "Native Supplicant Provisioning Policy Unavailable" to "Allow Network Access" under the Administration settings to get past the client provisioning issue for Linux; "device not supported" is still displayed, but network access is allowed. With the CoA the user now falls into Wired_BYOD_Devices and, combined with authorization rules to match Linux and Wired_BYOD_Devices, the user is then redirected to the Guest Portal with no BYOD flow. When the user is then authenticated against AD, the correct access is allocated with a dACL. This only happens once, with the redirect to 2 different portals.

MAB with CWA Guest Portal flow with BYOD

The other issue I am now faced with is below, when a guest logs in.

[ 400 ] Bad Request, The request is invalid due to malformed syntax or invalid data

Cisco Employee

Re: ISE 2.1 Linux BYOD Client provisioning

Please work through the TAC, sorry.
