I want ISE 802.1x to use only PEAP-MSCHAP-V2, without provisioning

jverdesca
Level 1

Hi All,

I'm using an ISE v1.2 to authenticate corporate users connecting to a corporate SSID with WPA2-Enterprise (802.1x). The client isn't planning to implement a PKI infrastructure to use EAP-TLS, so they want to authenticate using only PEAP-MS-CHAPV2 with user credentials.

It is working right now, but I don't want the ISE to redirect Android phones to Google Play (because the Network Setup Assistant is not needed and there is no certificate enrollment needed; in fact, when I open the application it doesn't even communicate with the ISE).

The following is the procedure when I connect my Android device:

1) Enter user credentials <--- ok

2) Redirect to my devices Portal <--- ok

3) Register the device  <--- ok

4) Redirect to Google Play  <--- not needed

5) I cancel and connect successfully

What I want is for the users to register their mobile devices using the "My Devices Portal" and, with that, have CoA grant access, but without provisioning. When I set it that way (no client provisioning policies), the ISE cannot get the Device ID (MAC address) to register at the My Devices Portal (even when setting "Native Supplicant Provisioning Policy Unavailable = Allow Network Access").

I've attached two screenshots from the Android Device:

NO ID.jpg = ISE cannot get the MAC address.

NSA.png = Network Setup Assistant cannot find ISE.

If you need any screenshot of the ISE config let me know.

Thanks in advance,

Regards,

2 Replies

Tarik Admani
VIP Alumni

I saw your message in a different post, so this is an Android device. Basically, the CNA app for Android is needed to pull the PEAP profile, but if you are using PEAP already and are looking to bypass the CWA after entering PEAP credentials, we need to set your authorization policy so that if the device is registered and PEAP is used, you can then get through without redirection.

If you are relying on profiling, i.e. Android + PEAP + Registered + AD Domain Group, you may not be matching the endpoint profile or identity group and are probably skipping this rule. See if you can modify the Android to Registered... (drawing a blank on the proper name of the endpoint group for registered devices).

Anyway, give that a shot, or post your authorization policy so I can double-check how the flow is working on your end. Also send a screenshot of the endpoint after it is registered as well.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your answers.

I've attached my configured AuthZ rules and AuthZ profile for provisioning.

I want the process to be the same for iPhone, Android and Windows.

1) Connect to the SSID

2) Login using your AD credentials PEAP-MS-CHAP-v2

3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)

4) As soon as the client clicks "register", no more redirects and PERMIT-ALL

I think that I don't need to rely on profiling, because in terms of AuthZ policies it should be something like this:

1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION != YES (Unknown or not registered) then "Redirect to device registration" (that is NSP, right?)

2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL (no redirection)

3) everything else = DENY-ALL

But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png). But, as I said in the post, it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want, because it is not necessary.)

What screenshot do you need after the registration? The Auth report?

Thank you very much for your time!

Attachments:

AuthZ Rules.png

AuthZ Profile.png

photo3.png