Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
10
Helpful
4
Replies

ISE BYoD Policy Set Conditions

Go to solution
Scott Gillies
Level 1
Level 1

‎11-29-2018 07:51 AM

Hi, I have a test BYoD service that performs on-boarding with certificate and an EAPTLS journey for the client.

 

A colleague created the ISE BYoD Policy Set with conditions

Radius:NAS-IP-Address equals <WLC IP Address> or

Radius:NAS-IP-Address equals 127.0.0.1

 

He can't remember why but he needed to include the line

Radius:NAS-IP-Address equals 127.0.0.1

 

I have searched high and low but cannot find any Cisco documentation that explains the need for the 127.0.0.1 local host address. Does anyone know the reason for including the localhost address?

 

Thanks in advance

 

Scott

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎11-30-2018 02:48 AM

Looks bizarre. It's certainly not the norm.  I don't see how that 127.0.0.1 would be routeable to the ISE PSN node.

Have you removed that condition to see whether it's actually required?

View solution in original post

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee

‎11-30-2018 09:22 AM

It is required for onboarding flow that utilizes EST, which is specific to Android devices version 6+ ATM. It is a EST server that lives locally on each PSN node thus the local loopback address. It is noted as "ISE_EST_Local_Host" in the following document which is essentially the same thing as saying "request from localhost". EST flow requires server to authenticate the client and forcing the user to provide credential and validating is how EST server validates the EST request is from authenticated source.

https://community.cisco.com/t5/security-documents/android-byod-provisioning-error-quot-certificate-generation/ta-p/3733734/message-revision/3733734:2

 

View solution in original post

4 Replies 4

Go to solution
Arne Bier
VIP
VIP

‎11-30-2018 02:48 AM

Looks bizarre. It's certainly not the norm.  I don't see how that 127.0.0.1 would be routeable to the ISE PSN node.

Have you removed that condition to see whether it's actually required?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎11-30-2018 07:54 AM

Doesn’t make sense to me either. Not needed
0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee

‎11-30-2018 09:22 AM

It is required for onboarding flow that utilizes EST, which is specific to Android devices version 6+ ATM. It is a EST server that lives locally on each PSN node thus the local loopback address. It is noted as "ISE_EST_Local_Host" in the following document which is essentially the same thing as saying "request from localhost". EST flow requires server to authenticate the client and forcing the user to provide credential and validating is how EST server validates the EST request is from authenticated source.

https://community.cisco.com/t5/security-documents/android-byod-provisioning-error-quot-certificate-generation/ta-p/3733734/message-revision/3733734:2

 

Go to solution
Scott Gillies
Level 1
Level 1
In response to howon

‎12-03-2018 03:23 AM

Thank you so much.

He was using the 127.0.0.1 IP Address instead of the 'localhost' element to keep it consistent with the other NAS entry. :)
Both work. Excellent.
0 Helpful
Customers Also Viewed These Support Documents