With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Services Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring Your Own Device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. Interest in BYOD solutions in the enterprise has grown exponentially as guests and company users increasingly want to use personal devices for access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is the Identity Services Engine (ISE) working with the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v18.104.22.168 and higher, end-to-end wireless BYOD integration is a reality.
Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
What identity store are you using to authenticate these users? Do you have them manually imported into ISE, or are you using dynamic population with the help of profiling? If you are using the dynamic method, I have seen a known delay between when the device is profiled and when the endpoint goes through authorization. Therefore you will hit the deny access first, since the device is not yet profiled into the correct identity store. Please let me know your setup in regard to the identity store.
Thanks for your reply. I am using the Active Directory store; I don't have them manually imported into ISE or anything.
I have tried using the local store on ISE but it would not help; the same thing would happen, it's kind of delayed.
Is there anything I can do to overcome this delay, or should I just live with the fact that users will have to try twice once in their life?
I wanted to ask if there will ever be the possibility in ISE to customize the NMAP database in order to manually add new services to scan.
We are having a problem with Windows + PEAP + LDAP on Cisco Secure ACS 5 because Windows doesn't support PEAP EAP-GTC out of the box. So we have to get around it by providing a guest wireless with webauth only because of the Windows machines.
Can you confirm that ISE allows getting round this issue? I.e., can we authenticate Windows users using 802.1x and an LDAP database without doing anything on the Windows side?
802.1x specifically requires a supplicant on the client to work, so there's no way to do 'passive' 802.1x without a supplicant being configured. With ISE, you have the option of doing client provisioning/posture/remediation, so you may be able to provide the clients with the needed resources.
Thanks for the answer, but Android and iOS devices as well as Linux and Mac OS do not need any specific configuration. So whether those devices already have a supplicant that supports 802.1x or whatever else, there is no need to configure them! They get the certificate and enter a login and password once, and that's it.
And as far as I am aware, Microsoft does the same thing, but it only works with AD because LDAP doesn't work with MS-CHAP v2.
So maybe I should rephrase my question. Can this product use an LDAP database and authenticate Windows clients?
Yes. I may have misunderstood your question; I thought you were asking if there was a way to bypass the Windows supplicant and perform 802.1x PEAP-GTC against ISE if the Windows supplicant is missing the GTC plugin.
Many of the more intelligent supplicants auto-configure based on the security type detected (very nice feature). They still need to be able to support the EAP type and inner method the RADIUS server has available, though. For example (as you pointed out), an iPad can automatically utilize EAP-GTC and not require PEAP/MS-CHAPv2 (as long as the RADIUS server is configured for GTC).
So, as you ask, can ISE perform LDAP authentication with Windows devices? The rules are essentially the same for ACS5 and ISE when it comes to using an LDAP external identity store. If the inner method between supplicant and RADIUS is MS-CHAPv2 (which is typical for PEAP), we can't perform LDAP authentication.
If the LDAP server is able to return the user's password in clear text, you can perform Local EAP authentication on the WLC using an external LDAP server (bypassing RADIUS). AD cannot be configured to do this; some other LDAP servers can. That is why EAP-GTC is often deployed as an alternative when either the supplicant or server can't support MS-CHAPv2. But, as you are seeing, some supplicants don't have GTC support by default, so they will fail the PEAP/MS-CHAPv2 auth and EAP-GTC isn't available as an alternative for them.
Are we on the same page, or am I missing it again?
Thank you very much for the answer. I think you answered my question this time.
I'm still investigating this product as I believe we will still benefit a lot from it in other areas.
We also use our Cisco ACS for managing authentication on our switches and many other devices. So my other question is, can ISE replace our ACS in that case or do we still need it ?
Thank you !!
One of the biggest differences between ISE and ACS with respect to device management is TACACS support. ACS5 does TACACS, ISE does not. If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs. But personally, I think ACS is currently superior to ISE for this task.
We understand there are plans to add TACACS to ISE at some point in the future, but there is no published commitment for it. My guess would be 18 months or so, but features are always very dynamic, so check back.
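What "authorization policy elements that return Cisco av-pairs" amount to on the wire, as an added example in Go that is not from the thread, from ISE or from ACS: an Access-Accept carrying the cisco-avpair `shell:priv-lvl=15` inside a RADIUS Vendor-Specific attribute, the Response Authenticator the device checks to confirm the reply came from a server holding the shared secret, and a parser that pulls the av-pairs back out while rejecting length fields that run past the packet. The packet identifier, request authenticator and shared secret are constructed values.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	codeAccessAccept   = 2
	attrVendorSpecific = 26 // RFC 2865 section 5.26
	vendorCisco        = 9  // IANA enterprise number used in Cisco VSAs
	ciscoAVPair        = 1  // vendor type of the cisco-avpair string
)

// ciscoAVPairAttr encodes one Vendor-Specific attribute carrying a cisco-avpair
// string: Type 26, Length, Vendor-Id 9, then vendor type 1, vendor length, value.
func ciscoAVPairAttr(pair string) []byte {
	attr := []byte{attrVendorSpecific, byte(8 + len(pair)), 0, 0, 0, vendorCisco, ciscoAVPair, byte(2 + len(pair))}
	return append(attr, pair...)
}

// accessAccept builds a complete Access-Accept for the given request. The Response
// Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
func accessAccept(id byte, requestAuth [16]byte, secret string, pairs []string) []byte {
	var attrs []byte
	for _, p := range pairs {
		attrs = append(attrs, ciscoAVPairAttr(p)...)
	}
	n := 20 + len(attrs)
	pkt := append([]byte{codeAccessAccept, id, byte(n >> 8), byte(n)}, requestAuth[:]...)
	pkt = append(pkt, attrs...)
	sum := md5.Sum(append(append([]byte{}, pkt...), secret...))
	copy(pkt[4:20], sum[:])
	return pkt
}

// verifyResponseAuthenticator is what the NAS does on receipt: recompute the MD5 with
// its shared secret and the authenticator of the request it sent, and compare.
func verifyResponseAuthenticator(pkt []byte, requestAuth [16]byte, secret string) bool {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return false
	}
	tmp := append([]byte{}, pkt...)
	copy(tmp[4:20], requestAuth[:])
	sum := md5.Sum(append(tmp, secret...))
	return bytes.Equal(sum[:], pkt[4:20])
}

// ciscoAVPairs walks the attribute list and returns every cisco-avpair value, rejecting
// attributes whose length fields run past the packet or past their enclosing VSA.
func ciscoAVPairs(pkt []byte) ([]string, error) {
	var out []string
	for i := 20; i < len(pkt); {
		if i+2 > len(pkt) || pkt[i+1] < 2 || i+int(pkt[i+1]) > len(pkt) {
			return nil, errors.New("malformed attribute")
		}
		end := i + int(pkt[i+1])
		if pkt[i] == attrVendorSpecific && end-i >= 8 && binary.BigEndian.Uint32(pkt[i+2:i+6]) == vendorCisco {
			for j := i + 6; j < end; { // several vendor sub-attributes may share one VSA
				if j+2 > end || pkt[j+1] < 2 || j+int(pkt[j+1]) > end {
					return nil, errors.New("malformed vendor sub-attribute")
				}
				if pkt[j] == ciscoAVPair {
					out = append(out, string(pkt[j+2:j+int(pkt[j+1])]))
				}
				j += int(pkt[j+1])
			}
		}
		i = end
	}
	return out, nil
}

func main() {
	var reqAuth [16]byte
	copy(reqAuth[:], "constructed-auth") // stands in for the NAS's random request authenticator
	pkt := accessAccept(7, reqAuth, "s3cret", []string{"shell:priv-lvl=15"})
	pairs, err := ciscoAVPairs(pkt)
	fmt.Printf("Access-Accept %X\nav-pairs %v (err %v), authenticator ok: %v\n", pkt, pairs, err,
		verifyResponseAuthenticator(pkt, reqAuth, "s3cret"))
}
```

The av-pair string is the whole of what the authorization profile contributes; everything else is ordinary RADIUS framing, which is why a device that expects TACACS+ command authorization gets nothing comparable from this path. Note that the Response Authenticator is an MD5 over the shared secret, not an HMAC, so the shared secret and the transport, not the packet format, carry the integrity of the reply.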
I have a question regarding WLC integration with ISE.
I am looking into an application where you would want to have a WLC talking to an ISE appliance.
On the WLC there is one Guest SSID.
Authentication for this Guest SSID is tied to the ISE server.
I now want ISE to ask one of 2 RADIUS servers for the authentication of the client.
The problem is how do I separate the 2 servers?
The RADIUS servers are Windows Active Directory servers with their RADIUS service running.
There is no connection between the servers and they contain different users and such.
The function I want is for ISE to choose the RADIUS server according to user input besides the SSID.
For instance say user brad in domain D1.local and andy in domain d2.local.
Is there a way that perhaps brad could type firstname.lastname@example.org and andy type email@example.com and have them authorized to the different RADIUS servers? (Brad is then being authorized towards the first RADIUS server and andy towards the second.)
All this from the same SSID?
Do you have two domains with a trust relationship? If yes, then you can add one domain to ISE and have these users authorized based on their group membership. On the other hand, if you don't have a trust relationship, your best solution depends on the authentication requirements and EAP methods.
EAP-GTC or EAP-TLS w/ LDAP