
Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

ciscomoderator
Community Manager

With Eric Yu and Todd Pula 

 


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.

 

Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 

 

Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.

 

Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advanced Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.

 

Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.

 

Remember to use the rating system to let Eric and Todd know if you have received an adequate response.

 

Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.


Based on the error, it sounds like you don't have a corresponding client provisioning policy defined under Policy > Client Provisioning for the OS in question.  Setting the OS on the native supplicant profile is more of a filtering option.  For example, with the OS set to all on the profile, I can assign the same profile to any OS defined in the client provisioning policy.  If I restrict it to Android, the profile will not show up as an available profile when I try to define a Windows client provisioning policy.  

Hi Osita,

The format of this forum may not be the best way to help you troubleshoot this problem. I recommend engaging Cisco TAC at this point to help you effectively resolve the ISE onboarding problem.

https://tools.cisco.com/ServiceRequestTool/create/launch.do

-Eric

For the WLAN in question, if you navigate to WLAN > [WLAN ID] > Advanced, do you have Allow AAA Override checked and is the NAC State set to Radius NAC?  If you navigate to Security > RADIUS > Authentication and select the server index for the ISE policy node, is Support for RFC 3576 enabled?  I am assuming these are correctly configured as this previously worked but want you to confirm. 

I have 2 Client Provisioning profiles (see attached), one for iPhone and the other for Android, and the Result for both points to the Native Supplicant Profile that I created, which has OS set to ALL.

The WLAN and Security (Radius --> authentication) are configured as asked in your question, with support for RFC 3576.