MAC Users CWA & Provisioning

nadeekha
Level 1

Hi Experts,

My customer has the following question regarding their Mac users CWA process:

Currently the Mac OS users are getting redirected to the CWA page the first time they get on the network because they have no supplicant and no certificate.

Management doesn't want that to happen. Instead, they want to give users a separate URL where they can download the certificate and configuration profile through ISE.

So, the certificate and profile can be downloaded when the user is ready instead of the user being forced to do so.

Thanks in advance

Nadeem

Accepted Solutions

Lots of good proposals here. Oddly, it sounds like the customer wants to make the process more complex rather than easier for their users, where they separately download certs and profiles for manual application. If the user does not want to be provisioned, then why go to a provisioning WLAN in the first place? Single SSID is also an option, where they log in using AD credentials and get provisioned with cert and EAP-TLS. The AUP could be worded to read "Do you agree to get provisioned at this time?" If not accepted, then they do not proceed.

6 Replies

hslai
Cisco Employee

Any reason for not using the ISE BYOD flow?

These MacBooks are corporate assets and the existing flow is what they have configured. Would a BYOD flow provide them the solution that they are looking for, and would that be OK to use for corp assets?

How about the requirement for them to go to a kind of remediation portal where they would like the users to go and download certs and the profile?

Thanks

Nadeem

Nadeem Khan CISSP, CRISC

Network Consulting Engineer

Cisco Services

Cisco Security Solutions - Integration


I’ve been looking into this a little bit and I don’t think what you want to do is possible natively. One option may be to host a website that leverages the ISE API on the backend allowing a user to enter their MAC address when they are ready to be provisioned and move that endpoint into an identity group that will follow the provisioning flow. Here’s a resource which may be helpful: https://communities.cisco.com/docs/DOC-66297#jive_content_id_Update_Endpoint__Statically_Assign_to_an_Identity_Group

George
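
A sketch of the backend for the self-service page George describes, as an added example that is not part of the original thread or Cisco's code: it validates the user-entered MAC address and builds the two ERS calls (look up the endpoint, then statically assign it to an identity group). The hostname, group UUID and function names are placeholders, and the port, resource path and field names follow the ISE ERS endpoint API as an assumption to check against your ISE version's ERS SDK.

```python
import json
import re

ISE_HOST = "ise.example.internal"  # placeholder hostname (assumption)
PROVISIONING_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder UUID
ERS_BASE = f"https://{ISE_HOST}:9060/ers/config/endpoint"
JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or raise ValueError.

    Accepts hex digits with optional ':', '-' or '.' separators only, so
    nothing the user types can alter the ERS filter expression or URL.
    """
    text = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]{12,17}", text):
        raise ValueError("not a MAC address")
    digits = re.sub(r"[:.\-]", "", text).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address")
    if int(digits[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError("not a unicast MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_request(mac):
    """Build the GET that resolves an endpoint's ERS id from its MAC."""
    url = f"{ERS_BASE}?filter=mac.EQ.{normalize_mac(mac)}"
    return "GET", url, {"Accept": "application/json"}, None


def assign_group_request(endpoint_id, mac):
    """Build the PUT that statically assigns the endpoint to the group."""
    if not re.fullmatch(r"[0-9A-Fa-f-]{36}", endpoint_id):
        raise ValueError("unexpected endpoint id")
    body = {"ERSEndPoint": {
        "id": endpoint_id,
        "mac": normalize_mac(mac),
        "groupId": PROVISIONING_GROUP_ID,
        "staticGroupAssignment": True,
    }}
    return "PUT", f"{ERS_BASE}/{endpoint_id}", JSON_HEADERS, json.dumps(body)
```

Send these with a dedicated ERS service account over certificate-verified TLS. Because any MAC can be typed into such a page, the portal should authenticate the user first and log who submitted which address.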

hslai
Cisco Employee

What is the customer's process for provisioning a Mac with an endpoint certificate?

ISE BYOD is designed for personal devices mainly but not restricted to them, so it could be used for provisioning corp devices. Anyhow that is merely a suggestion and it really gets down to what's available and what's acceptable.

Thanks for all the proposals!

I will take all these suggestions back to the customer and see what they want to do.
