08-12-2012 04:11 PM - edited 03-10-2019 07:24 PM
I'm working on our ISE implementation and these are my two goals.
1. Single SSID for BYOD users and corporate managed systems.
2. Guest SSID
Are these goals attainable or am I better to go in a different direction is my first question.
Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post) it mentions the single SSID as not being a complicated component but it only runs through the dual SSID solution, what settings are needed for a single SSID? I'm using Open + MAC Filtering but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
Single SSID is specifically mentioned here:
08-12-2012 05:10 PM
Hi
The single ssid will work for your internal users for both byod and posturing. You can create a condition for all your corporate machines, whether that is a file check or registry setting, and use dynamic vlan assignment for one vlan and then use a separate vlan for registered byod devices.
As far as guest users, you will need a separate ssid in order to use mac filtering, and you can use the device registration webauth to statically assign users to an endpoint group.
I chose this way in recent deployment so that internal machines and registered byod devices are unable to access the guest network.
Hope that helps!
Tarik Admani
08-12-2012 08:18 PM
You can mess with profiling for that. For example, create a profile with an attribute that has to match a domain name, for example:
Domain NOT EQUAL yourdomain.com = not_joined_pcs
Then based on that, create an authorization profile that redirects to registration or whatever you want.
Sent from Cisco Technical Support iPhone App
08-12-2012 08:38 PM
Thanks for the replies I'll give it a shot tomorrow.
Sent from Cisco Technical Support Android App
08-12-2012 08:43 PM
You don't have to use profiling for what I suggested. You can use static endpoint assignment via the device registration web authentication portal.
08-13-2012 07:04 AM
So how should my WLAN be configured? Should it be open with MAC filtering + NAC State set to RADIUS NAC and ISE set as the RADIUS server? Or should the WLAN be set up with 802.1x authentication? If it's set up with an Open SSID I'm not sure what the supplicants should be set up with, as they all refer to WPA2.
08-13-2012 08:58 AM
David,
Do you want to also include guests on the same SSID? If not, then your internal corporate SSID will have to use WPA2 AES with dot1x set for key management. Your "open" will have to use mac filtering with radius nac enabled on both ssids.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 09:51 AM
I'd like guests to use an external SSID; these would be sponsored through the sponsor portal. Anyone in active directory would use the corporate SSID. I'd like to use the same SSID for both provisioning and corporate resources.
In conclusion, two SSIDs total: one for the guest network and one for the corporate.
08-13-2012 09:56 AM
Sounds great,
For your internal SSID you will use the settings for wpa2, AES and then dot1x for your key management. Your internal users will have to join the network using their AD credentials in order to get redirected to the device registration portal followed by the supplicant provisioning portal. Once they are registered, coa will trigger and then they will reauthenticate and hit the "registered devices" policy so they can get network access.
Let me know if that clears things up a bit.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-13-2012 10:51 AM
Got it, other question I have is in this section
Specifically this diagram -
http://www.cisco.com/en/US/i/200001-300000/290001-300000/292001-293000/292716.jpg
What is the Guest_AuthZ profile - how do I build it or what goes into it?
08-13-2012 10:57 AM
David,
What the documentation did was create a condition that checks for the ssid in the access-request:
Guest_Authz is a user-defined simple authorization condition for guests accessing the Internet via Web authentication through the WLAN corresponding to the open guest SSID. It matches the following RADIUS AV pair from the Airespace dictionary:
Airespace-Wlan-Id - [1] EQUALS 1
So that when the user connects to the network they are connecting through the guest ssid in which this has the wlan id of 1. Either you can do that in your authorization rule right in the screenshot or you can create this condition under the policy elements tab.
Thanks,
Tarik Admani
*Please rate helpful posts*
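As an added example (not code from this thread or from Cisco), here is a small Python model of the first-match authorization logic described in the replies above: the Guest_AuthZ condition on Airespace-Wlan-Id 1, the corporate SSID sending unregistered AD users to the device registration portal, and the CoA reauthentication afterwards hitting the registered-devices rule with dynamic VLAN assignment. The corporate WLAN id, profile names, VLAN number and the User-Name domain check are assumptions.

```python
# Added example, not ISE's own code: a first-match policy model of the rules
# discussed in the thread. Names other than Airespace-Wlan-Id are assumptions.
GUEST_WLAN_ID = 1            # the "Airespace-Wlan-Id EQUALS 1" condition
CORP_WLAN_ID = 2             # assumed id of the WPA2/dot1x corporate SSID
CORP_DOMAIN = "yourdomain.com"
registered_devices = set()   # stands in for the RegisteredDevices endpoint group


def is_guest_wlan(req):
    """Guest_AuthZ: simple condition on the Airespace AV pair."""
    return req.get("Airespace-Wlan-Id") == GUEST_WLAN_ID


def is_corp_user(req):
    """Assumed check: AD users authenticate with user@yourdomain.com."""
    return req.get("User-Name", "").lower().endswith("@" + CORP_DOMAIN)


def vlan_result(vlan_id):
    """RADIUS attributes a WLC uses for dynamic VLAN assignment."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}


def authorize(req):
    """Evaluate rules top-down; the first matching rule wins."""
    mac = req["Calling-Station-Id"]
    if is_guest_wlan(req):
        # Open guest SSID: central web authentication through the guest portal
        return {"profile": "Guest_WebAuth", "redirect": "guest-portal"}
    if req.get("Airespace-Wlan-Id") == CORP_WLAN_ID and is_corp_user(req):
        if mac in registered_devices:
            # "registered devices" rule: full access on the BYOD VLAN (assumed 16)
            return {"profile": "Registered_Devices", **vlan_result(16)}
        # AD user on an unknown device: redirect to device registration
        return {"profile": "BYOD_Registration_Redirect",
                "redirect": "device-registration"}
    return {"profile": "DenyAccess"}


def register_and_reauth(req):
    """Portal registration adds the MAC to the group; CoA forces reauth."""
    registered_devices.add(req["Calling-Station-Id"])
    return authorize(req)
```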
08-13-2012 02:25 PM
Got it, that makes sense now.
The next question I have, and then I think my Guest SSID will be up and running, is this: I am currently utilizing two ports. E/0 is part of my default VLAN (172.30.16.x) and E/1 is on my guest VLAN (192.168.1.x). I originally set it up so that when you joined the guest SSID you would be on the guest VLAN and talk to ISE on that port. I'm thinking the best way to go about it would actually be to join the management VLAN, authenticate, then move to the Guest VLAN.
Is there a way to move a system to another VLAN after authentication?