06-30-2016 08:38 PM
I received this question in email. Answering here for public consumption, etc.
----- Original Question -----
I have a customer looking to implement a Base ISE solution with an opportunity to grow to Advanced ISE.
One of their requirements is Single Sign on SSID.
We’re in the middle of a POC and one of the questions that came up today is that the partner stated if the customer wants to use Single Sign on SSID they will lose the benefit of a Captive Portal page for Guest BYOD.
The ideal scenario is:
Corporate Employees connect and are pushed to VLAN 57 and move through the provisioning process with corporate owned devices.
Guest, Contractors, Vendors, or employee personal devices connect and are pushed to VLAN 21 and then connect to a Captive Portal Page with the Terms and Conditions.
Do we support captive portal with Single Sign On SSID?
------ Answer -----
This is one of those cases where different technologies & use cases seem to be getting mixed up in translation.
1. Single Sign on SSID: So this term in and of itself seems to be a mixture of terminology/technology. I assume we are talking about Single-SSID Onboarding. This is the process of using a secured WLAN (i.e.: WPA/WPA2) that prompts an employee for authentication credentials (i.e.: using 802.1X authentication) & automatically runs the user through the Native Supplicant provisioning (aka: onboarding) process, leveraging those credentials that were used to authenticate to the secure WLAN. When it is all said and done, the endpoint is going to authenticate to the network automatically from now on using the certificate that ISE issued it & EAP-TLS.
Note: this is a secured WLAN, meaning you must already have credentials, or you cannot associate to the wireless access-point. It's a fundamental principle of wireless networks that a WLAN can either be open or secured with a keying technology (i.e.: WPA). A single WLAN (SSID) cannot be both OPEN and Encrypted at the same time - it's not possible at all with 802.11 (Wireless), even though wired networks provide more flexibility.
Note: even with closed/WPA2 protected WLANs, you can always redirect to a portal and get another set of credentials. There is no restriction there. In fact, we have an entire solution that uses EAP-TLS for the first auth & a Centralized Web Auth (CWA) for the 2nd auth to provide a dual-auth scenario for customers. So there are no technical limitations from ISE to prevent this, but it still doesn't meet your use-case of Guests/Contractors.
2. Guests and Contractors would not typically already have credentials to enter into the network manager/supplicant. I.e.: when you connect to the corporate network at work, it prompts for credentials to use in the 802.1X authentication & uses WPA2 for encryption. There is no way to join that network without inputting credentials (see #1 above). So: how would a Guest or Contractor use the 802.1X secure network? They would need to have their credentials already given to them on a printed paper or SMS or email, etc. & then use those credentials when prompted for a username/password. They cannot join the WPA2 protected SSID without credentials & be redirected to a web page for authentication, because the wireless would never even allow them to associate.
This is why most Guest / Contractor type access is handled with Open SSIDs - ones that don't require credentials before associating over the radio frequencies. Instead you connect to the OPEN network & are redirected to the WebAuth portal for your credentials, which authorize you for that guest networking experience; or even to request credentials right from that WebAuth portal, etc.
Note: Now with the WLC version 8.3, we can even use WPA2/PreSharedKey type networks instead of just OPEN. But you would still need to provide a pre-shared key / passphrase before association to the wireless AP. Both the Open & the pre-shared key type WLANs would allow the centralized portal for authentication.
-- Short Answer --
This is not an ISE limitation, you are asking to do something that standard 802.11 wireless networks cannot do: be both Open & Closed at the same time.
07-01-2016 11:25 AM
So I see, we just simply can't do MAB over 802.11 wireless LAN. ah~~
03-12-2018 03:54 PM
I disagree with the above answer!
Cisco could have created a simple portal page that could have had three buttons when connecting to an open SSID such as guest, for example 1. Accept, 2. Decline and 3. Employee. If clicked on Accept it would allow guest access and if clicked on Employee it would take you to the BYOD page for authentication and registration of your device.
I have experience building Cisco ISE and Aruba ClearPass; both work differently. With Cisco you have to have a Guest open SSID, a BYOD SSID, and an Employee SSID. On the other hand, with ClearPass you only set up two SSIDs, Guest and Employee.
Cheers...
03-12-2018 04:13 PM
With ISE you can have one SSID if you like.
You can set portal settings to have a guest type for employees and register their endpoints under another group.
There are many ways to skin the ISE cat, so let us know the flow you would like and we will come up with a solution.
For example
authorization rules
If guest flow and employee then redirect to BYOD portal
If guest endpoint then guest permit
If mab then redirect to guest portal
There are also customizations under guest and web auth page to have a button for guest hotspot and otherwise login:
https://communities.cisco.com/docs/DOC-64018?mobileredirect=true#jive_content_id_Special_Flows
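As an added illustration (constructed here, not ISE's own code or configuration), the three ordered authorization rules in the post above modelled as a first-match policy, plus a walk through the guest flow showing why rule order matters; the session attributes, rule names and result strings are assumed for the example.

```python
# Constructed model of a first-match authorization policy on one open SSID.
# Mirrors the rule order quoted in the post; not ISE's own code or API.
from dataclasses import dataclass, field


@dataclass
class Session:
    auth_method: str                     # "MAB" on an open SSID, "DOT1X" on a secured one
    guest_flow: bool = False             # set after a successful portal login (CoA reauth)
    identity_groups: set = field(default_factory=set)   # e.g. {"Employee"} from the ID store
    endpoint_groups: set = field(default_factory=set)   # e.g. {"GuestEndpoints"}


# Ordered (name, condition, result): evaluated top to bottom, first hit wins.
RULES = [
    ("Employee_BYOD", lambda s: s.guest_flow and "Employee" in s.identity_groups,
     "REDIRECT:BYOD_portal"),
    ("Guest_Permit", lambda s: "GuestEndpoints" in s.endpoint_groups,
     "PERMIT:guest_internet_acl"),
    ("MAB_Redirect", lambda s: s.auth_method == "MAB",
     "REDIRECT:guest_portal"),
]


def authorize(session, rules=RULES):
    """Return (rule_name, result) of the first matching rule, else default deny."""
    for name, cond, result in rules:
        if cond(session):
            return name, result
    return "Default", "DENY"


def walk_guest_onboarding():
    """Two authorizations a guest sees: unknown MAC, then after portal login."""
    trace = []
    s = Session("MAB")                                  # 1. unknown MAC associates
    trace.append(authorize(s)[1])                       #    -> sent to guest portal
    s.guest_flow = True                                 # 2. portal login succeeds,
    s.endpoint_groups.add("GuestEndpoints")             #    endpoint registered, CoA
    trace.append(authorize(s)[1])                       #    -> internet-only permit
    return trace


def misordered_guest_loops():
    """With the MAB rule on top, a registered guest is redirected forever."""
    swapped = [RULES[2], RULES[1], RULES[0]]
    s = Session("MAB", guest_flow=True, endpoint_groups={"GuestEndpoints"})
    return authorize(s, swapped)[1] == "REDIRECT:guest_portal"
```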
03-12-2018 04:49 PM
Thank you for the comments, I understand your point, the question is if you can consolidate SSIDs and have one open SSID for guest and BYOD registration and one for BYOD/Employee secured access.
Most organizations drop their guest traffic in a DMZ zone, and ISE cannot switch VLANs in an anchor and foreign wireless controller environment. On the other hand, if you configure a single SSID for the BYOD flow, Android devices present the user with an authentication dialog that is impossible for an end user to complete; the user has to choose certificate, type of authentication, etc. For a dual SSID in a BYOD flow you can have an open SSID and a secure access SSID, which is not possible using the guest open SSID. So you have to have an open Guest SSID, an open BYOD-Onboarding SSID, and a secured BYOD/Employee access SSID.
03-12-2018 05:15 PM
It all depends on what you want to do and how you want to accomplish it.
Here you’re mixing many options and saying ISE is a problem where it’s not. Also not sure exactly what you’re trying to accomplish here since you might be using the term BYOD for just providing internet access or doing
On an open SSID we can be flexible depending on how you want your flows.
ISE can change VLANs, but on an open SSID there is no supplicant to handle the IP change. You may want to set a low DHCP timer in the originating VLAN.
You can also provide different flow ACLs:
If guest then permit internet
If BYOD employee and android allow internet redirect on internal to go through BYOD flow
Would recommend you also look at the BYOD how-to; this shows an example of how separation is done.
03-13-2018 06:45 AM
You can create a guest flow for this on the open SSID with integrated BYOD registration including NSP, which can also publish certificates to the client and configure the supplicant for the user. But then you are facing the problem that the Guest WiFi profile still exists on the device and has to be manually deleted by the user. The current problems are the mixture of devices, and with Android it's getting worse due to the segmentation of the vendors. An NSP flow on a Samsung Android might work but not on an LG, and for the Samsung only if the device is not older than 2 years because the OS isn't getting any updates.
The scenario you are describing could be achieved with 2 SSIDs:
1 open Guest/BYOD Provisioning SSID
1 Corporate Secured SSID
but as jakunst wrote there are multiple options to achieve this task with ISE based on the customer requirements.