cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5899
Views
4
Helpful
41
Replies
Community Manager

Ask the Expert: BYOD with Identity Services Engine

Read the biowith Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

41 REPLIES 41
Participant

Re: Ask the Expert: BYOD with Identity Services Engine

hello Bernardo,

Could you please tell me the minimal version of Mac OSX that's supported for auto-provisioning / client onboarding?

We're running ISE 1.1.3, and were able to onboard Windows 7, Apple iOS, and Android devices, but not a MacBook in our tests.

The MacBook was quite old, so we'll find another Mac OSX device to test, but wanted to know what the minimal requirement is.

===

Also, we followed a Cisco BYOD guide to do onboarding for Android devices, by allowing tcp & udp ports 5228, 8889, and 8880 to Google subnets in the WLC re-direct ACL.

However, we found that's not enough, and had to also allow tcp 80 & 443, otherwise client Android deivce would not be able to connect to Google Play & download the Cisco network setup assistant.

This creates confusion for the end users, because they wouldn't get redirected when they browse to google.com, until they hit a non-Google URL.

Is there any way around this caveat?

I know it's not Cisco's fault that ports 80 & 443 are required for Google Play to work, but was just wondering if anyone's found a good way to work around this.

===

Because of the Android Google Play caveat above, we tried to use a different redirect ACL on WLC, just for Android devices, so that all the non-Android users would be redirected when they browse to google.com, as an attempt to cut down confusion (by not having permits to Google subnets in the RACL).

Unfortunately it's not working.

When Android users connect, WLC realizes it's supposed to use a different ACL called "ACL-REDIRECT-GOOGLE".

I can see it when I click into the client details on the WLC.

However, the ACL hitcount remains zero.

If you happen to know what's causing this issue on top your head because you've seen it before, please let me know.

Otherwise we can just open a TAC case, since it'll probably require some sort of debugging, which is hard to do through a NetPro forum.

===

thanks!

Kevin

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Kevin,

What Mac OS version were you running? It should be supported from Mac OS X 10.4:

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp269183

I've also found information that it's supported from 10.5.2 only (perhaps only applicable to Agent 4.9.x versions).

Regarding the Google play issues, the recommendation is to allow traffic to the IP addresses of the google play stores. You can verify your regional IP addresses with nslookup play.google.com. This will not interfere with the google page.

Regarding the ACL, if you do see it applied correctly on the WLC but there aren't any hits, the best is indeed to open a TAC case for the WLC.

Thank you and best regards,

Bernardo

Participant

Ask the Expert: BYOD with Identity Services Engine

hi Bernardo,

Thanks for providing the link to the supported OS & Java versions, but it's for NAC/Clean Access.

We're seeking supported OS & Java versions for ISE client onboarding.

Is there a different URL, or the same system requirement applies for both NAC and ISE?

===

Also, we did open a TAC SR for the Google Play / WLC RACL issue, in case anyone was wondering.

Issue was two folds:

1. Bug on 7.2.111.3 - had to upgrade anchor WLC's to 7.4.100.60. (other versions may also work, but we went for the latest)

2. The redirect ACL also had to be present on the foreign WLC, in addition to anchor.

After above two steps were performed, WLC was able to properly use the correct redirect ACL when onboarding Android devices, and allow access to Google Play.

===

thx

Kevin

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hi Kevin,

I'm happy to hear the issue with Google Play was resolved ;-)

The Agent information is common to both ISE and Clean Access 4.9. As far as I know, this info is listed only in CCA documents but applies for ISE as well.

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo,

How are you? Hope everything is OK.

As a new guy that wants to start using and configuring ISE, is there anything like "quick start guide" for configuration?
Or basic configuration examples?

I am aware that there is a user guide but from my experience it is not handy when you want quick hints only.

If there is something like config examples for the basic and most common scenarios that will be more useful and more time-saving.

Regrards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Amjad,

ISE is quite a complex product and I'm not aware of any quick start guide for it. Are you looking for information in any particular subject?

There are a few example configuration guides for specific scenarios here, does this help?

http://www.cisco.com/en/US/products/ps11640/prod_configuration_examples_list.html

Thank you and best regards,

Bernardo

Ask the Expert: BYOD with Identity Services Engine

Thank you Bernardo,

Thank you for the config examples link.

I understand that ISE is a complex product and is not really easy. But I was thinking if there is a guide or something for those people coming from ACS 5.x perspective.

The config examples are really helpful if followed to make one understand the configuration procedures.

Thank you.

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"
Beginner

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo,

I'm very glad to know that I can ask all my questions to an expert in the ISE domain. 

For this topic, I have to make a matrix comparative between ISE on vmware and ISE on physical appliance, could you help me to present it as simple possible? my problem is that I don't have enough points of comparison

Thanks in advance

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo:

I have a couple of issues related to Guest Sponsor and Guest Activity

1) I already have the ISE communicating with the AD successfully. I also had modified the AuthC rules to validate that only my customer employees have access to the SPONSOR Portal. But the customer is worried about AD security; I understand LDAP is not secure so the option is to use LDAPS, but the customer does not like to provide us with the Certificate Root Certificate ... So the questions are, How dangerous can be the ISE vs AD connection? Is it really unsecure? What other options we may have?

2) The same customer likes to get guest activity reports (actually I just waiting to be allowed to access the ASA). The ISE is a 3315 model; I had read the manual indicating that automatic backups are done when the disk space reach 80% (default) and only last 90 days (default) are keeped on the system. The questions are about how apply this parameters in this model ... I mean 80% of 500 GB (factory HD) or 80% from something else ...

On the other hand could it be possible to set the ASA send syslog messages somewhere different to ISE and then the ISE retrieve the data to generate the guest activity report?

Regards.

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello,

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

2) The backups are triggered when the MNT node's disk is 80% full.

ISE will not actively fetch the data for the guest activity report, the ASA must be configured to send the syslogs to ISE directly.

Thank you and best regards,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

Thanks for your reply

you said:

1) Are you using AD or LDAP? These are 2 different things... If you configured AD as an external identity source then the traffic between ISE and the DC is protected.

If you configured LDAP then some information is sent in clear text. LDAPS will not have this issue because all traffic is encrypted.

If the customer doesn't want to share the root certificate then AD as external indentity is probably the best option.

The question is how is the traffic between ISE and DC protected? The customer request us to use LDAPS because they know the communication with AD is usually in clear text using LDAP ... is it right?

Best regards

Daniel

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Daniel,

The customer request us to use LDAPS because they know the communication with AD is usually in clear text using LDAP ... is it right?

LDAP is a protocol to communicate with directory services. LDAP sends sensitive information in clear text.

The directory service (DS) can be Microsoft AD or other vendor's own directory service implementation.

There are multiple protocols that communicate with DS.

Microsoft Active Directory has its own protocol to communicate with its own DS. This protocol is secure and encrypted. ISE is capable of using this protocol to communicated with Microsoft AD DS:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1079999

LDAPS is also secure and encrypted.

Thank you and best regards,

Bernardo

VIP Mentor

Ask the Expert: BYOD with Identity Services Engine

Hi

What are the main additional features of ISE 1.2 compare to the current version & when it is expect to release ?

Rasika

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hi Rasika,

In short, there will be many enhancements to existing features, such as:

  - Guest and Sponsor pages

  - Reports and Alarms

  - Live authentications page

  - NAC Agent

  - Performance and scalability

Some new things are also being added, for example:

  - Interoperability with MDM

  - MAB from non-Cisco switches

  - Wildcard certificates support

  - Support for Windows AD 2012

Were you looking for any particular enhancements?

I recommend going through the release notes once the release is available, for more information and an extensive list.

There is no clear release date yet, but it's expected to be available towards the end of the month/beginning of August. However, keep in mind it may be subject to delays depending on the dev test results.

Thank you and best regards,

Bernardo