cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1588
Views
12
Helpful
11
Replies
Highlighted
Cisco Employee

ISE BYOD handling of expired or expiring certs

Hi

I know we have the option since some time back to allow a client whose cert is expired/expiring to the onboarding portal.

I also remember some good slides (ISE techtorial or similar) that described the config to cover for different client OS...

Can anyone point me to those slides?

Regards

Hakan

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Cisco Employee

Maybe others can followup regarding the deck, but the configuration is same for any client OS. There is an attribute in the authorization condition called 'CERTIFICATE:Days to Expiry'. With that you can craft an Authorization policy rule that reads, 'If CERTIFICATE:Days to Expiry is less than 15 days, then assign BYOD flow' which forces user to go through the BYOD process again. Now if the certificate already expired, then the endpoint will not be able to associate to the secured WLAN as ISE will deny access due to invalid certificate, to cover that scenario, you can allow dual-SSID BYOD flow in the guest WLAN and force them through BYOD flow when employee user logs into the guest portal.

View solution in original post

Highlighted

Arne, actually you caught my error there. You should create a CWA portal that forces BYOD for employees instead of BYOD portal and use it during expired certificate flow on 802.1X WLAN. Quick step here:

1. Create CWA portal that forces employee to go through BYOD (You can reuse existing one if present already)

2. Create AuthZ profile for CWA, make sure to check 'Display Certificates Renewal Message' option

Screen Shot 2018-09-25 at 1.23.45 AM.png

3. Create policy that gets matched for 802.1X WLAN that user connects to using the certificate as following: "If CERTIFICATE:Days to Expiry LESS X" then assign the AuthZ profile created above

Screen Shot 2018-09-25 at 1.37.44 AM.png

Now, when the user connects to the 802.1X WLAN with the certificate nearing expiry, the user will get redirected per policy you created, and due to the 'Display Certificates Renewal Message' option used in the AuthZ profile, ISE will append 'daysToExpiry=Y' parameter at the end of the URL redirect string as shown below:

https://ise.example.com:8443/portal/PortalSetup.action?portal=babebabe...babebabe&sessionId=abeabeabe...abeabe&action=cwa&redirect=www.cisco.com%2F&daysToExpiry=11

User will be forced to login to the portal and then the BYOD renewal process will start. Instead of seeing 'Start' button, user will see 'Renewal' button.

Screen Shot 2018-09-25 at 1.36.02 AM.png

 

 

 

 

View solution in original post

11 REPLIES 11
Highlighted
Cisco Employee

Maybe others can followup regarding the deck, but the configuration is same for any client OS. There is an attribute in the authorization condition called 'CERTIFICATE:Days to Expiry'. With that you can craft an Authorization policy rule that reads, 'If CERTIFICATE:Days to Expiry is less than 15 days, then assign BYOD flow' which forces user to go through the BYOD process again. Now if the certificate already expired, then the endpoint will not be able to associate to the secured WLAN as ISE will deny access due to invalid certificate, to cover that scenario, you can allow dual-SSID BYOD flow in the guest WLAN and force them through BYOD flow when employee user logs into the guest portal.

View solution in original post

Highlighted

Here is the screenshot of what is supported as part of CERTIFICATE attribute that you can add as part of authorization condition in the authorization policy under BYOD.

Highlighted

Hi @howon

 

I have ISE 2.4 patch 3 and I am testing what happens when a BYOD user is authenticated with a client cert that is about to expire.

I catch that condition in Authorization Policy, and I use an Authorization Profile as follows

Web Redirection = Native Supplicant Provisioning

On the client, I can get redirected and I see the following screen - the error seems to make sense - how does ISE know the user's identity, when they immediately get redirected to the NSP Portal without any authentication?

When I initially on boarded this user, I did it via Guest Portal - and there I can of course authenticate the user.  How does it work if I redirect directly to the NSP BYOD portal?

 

BYOD-error.PNG

Highlighted

Arne, actually you caught my error there. You should create a CWA portal that forces BYOD for employees instead of BYOD portal and use it during expired certificate flow on 802.1X WLAN. Quick step here:

1. Create CWA portal that forces employee to go through BYOD (You can reuse existing one if present already)

2. Create AuthZ profile for CWA, make sure to check 'Display Certificates Renewal Message' option

Screen Shot 2018-09-25 at 1.23.45 AM.png

3. Create policy that gets matched for 802.1X WLAN that user connects to using the certificate as following: "If CERTIFICATE:Days to Expiry LESS X" then assign the AuthZ profile created above

Screen Shot 2018-09-25 at 1.37.44 AM.png

Now, when the user connects to the 802.1X WLAN with the certificate nearing expiry, the user will get redirected per policy you created, and due to the 'Display Certificates Renewal Message' option used in the AuthZ profile, ISE will append 'daysToExpiry=Y' parameter at the end of the URL redirect string as shown below:

https://ise.example.com:8443/portal/PortalSetup.action?portal=babebabe...babebabe&sessionId=abeabeabe...abeabe&action=cwa&redirect=www.cisco.com%2F&daysToExpiry=11

User will be forced to login to the portal and then the BYOD renewal process will start. Instead of seeing 'Start' button, user will see 'Renewal' button.

Screen Shot 2018-09-25 at 1.36.02 AM.png

 

 

 

 

View solution in original post

Highlighted

Is there an update on this issue?

Is the only way to renew a BYOD certificate is through CWA?

 

Thanks

Highlighted

Yes that’s the only way for the client to be redirect to do so. This is not an MDM solution so we have no controls over the endpoint OS
Highlighted

no other way to renew without redoing the onbooarding process?
no difference in dual or single SSID?

Highlighted

Client needs new cert and that cert associated to the supplicant profile for EAP-TLS. That’s the only way outside of MDM

Page 36 - https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867
Highlighted

And with this setup (single SSID):

when the certificate is expired, does the user simply enter the NSP process to reinstall a valid certificate ?
therefore, no CWA with single SSID ?

 

 

2018-10-23 16_58_00-MS Word Template_102504 - Adobe Reader.jpg

Highlighted

After a few thoughts and tries, I think my question was not really understandable. In this scenario, i think the renouncement is also done by CWA !?

Highlighted

We force CWA as we need to confirm the user credential for the re-issuance of certificate. This is a way of making sure the user is indeed the user who was issued the certificate. Without this, any user who has access to the certificate pair would be able to gain access indefinitely. If this is not desired, then recommend extending the validity date.

With your policy, when the certificate expires, user will be denied access to the secure SSID unless ISE is configured to allow expired certificates. If you want to allow renewal flow then follow my example above where you are forcing CWA for secured SSID. Alternatively, user can connect to open/guest SSID to renew certificate provided that BYOD is enabled on open/guest SSID flow.