
How To: Using dCloud and ISE with a Mobility Express Controller


     

    The following document will enable you to add a Mobility Express Controller to your ISE instance in dCloud.

     

    You will need a dCloud ERK (Endpoint Router Kit) to be able to use the Mobility Express controller with the dCloud Mobility Deep Dive demo.

     

    This validation was done with the following models:

    3802l

     

    The Secure Access Wizard does not provision the ME controller, but it could be used if you run the Secure Access Wizard Demo and then add the ME controller to ISE with the same WLANs. This hasn't been validated and we will not go through that in this document.

     

    Reference docs:

    Use "Configuring Cisco Mobility Express AP with ISE" as a general configuration guide for Mobility Express starting with 8.7 code.

    The Cisco Mobility Express Deployment Guide shows how to convert an AP to ME.

     

    Connect your AP behind your dCloud Endpoint Router Kit or into a PoE switch connected behind it. The PoE port will need to be in the data plan associated with your demo.

     

    If the AP is not set up as Mobility Express, you will need to do the following:

     

    Maybe shut off your vWLC in dCloud so the ME doesn't connect to it. You want your ME AP to be the controller.

     

    Connect to WKST1. Launch a browser and download the ME controller files needed per the guide, depending on your AP model and state. Mine was connected to my dCloud WLC so I had to do the following:

     

    Download the Mobility Express software for my AP 3800 (note: 8.7 code is supported with ISE CoA, URL redirect, etc.)

    I put the file in the TFTP64 directory, which is the root

     

    Try to ping WKST1 TFTP64 198.18.133.36

     

    Convert your AP to be a controller

    ap-type mobility-express tftp://YOUR TFTP address/<filename of TAR file with path from root on the TFTP server>

    ap-type mobility-express tftp://198.18.133.36/AIR-A3800-K9-ME-8-7-106-0.tar

     

    When running the MEAP setup wizard:

    username/password admin/C1sco12345

    management ip from DHCP

    management DHCP scope? unknown

    Setting up an SSID is just for basic setup and is not used with ISE - this doesn’t matter, just moving past the screen

    Employee network name: mymeap

    security ENTER for PSK

    key C1sco12345

    other stuff use defaults

     

    Now you should get a Cisco Controller prompt

    login

    ping ISE at 198.18.133.27

    This means management is able to get to ISE

     

    Add your controller to ISE in dCloud

    show interface summary

    The management IP comes from the data VLAN for your dCloud demo

     

    Add ME controller to ISE

    On WKST1, launch Firefox and log in to ISE

    Administration > Network Resources > Network Devices

    Add a network device

    Enter your AP management IP address

    Check the box to enable RADIUS Authentication Settings

    Enter shared secret C1sco12345

    Submit the page
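
    The same network device entry can be created through the ISE ERS REST API instead of the GUI. This is an added example, not part of the original document: it assumes ERS is enabled on ISE (port 9060) with an ERS admin account, and the device name MEAP-3802 and the environment variable names are hypothetical.

```python
import base64
import ipaddress
import json
import os
import ssl
import urllib.request


def build_nad_payload(name, mgmt_ip, shared_secret):
    """Build the ERS NetworkDevice body for one RADIUS client (single host)."""
    ip = ipaddress.ip_address(mgmt_ip)  # ValueError on a mistyped address
    if not shared_secret:
        raise ValueError("RADIUS shared secret must not be empty")
    return {"NetworkDevice": {
        "name": name,
        "description": "Mobility Express controller behind a dCloud ERK",
        "authenticationSettings": {
            "networkProtocol": "RADIUS",
            "radiusSharedSecret": shared_secret,
        },
        # Host entry only (/32 for IPv4): no neighbouring address shares the secret.
        "NetworkDeviceIPList": [{"ipaddress": str(ip), "mask": ip.max_prefixlen}],
    }}


def create_nad(ise_host, ers_user, ers_password, payload, cafile=None):
    """POST the payload to the ERS API and return the HTTP status code."""
    url = f"https://{ise_host}:9060/ers/config/networkdevice"
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    # Certificate verification stays on; pass the lab CA file if ISE uses one.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed environment variables (hypothetical names); no secret is hardcoded.
    body = build_nad_payload("MEAP-3802", os.environ["ME_MGMT_IP"],
                             os.environ["RADIUS_SECRET"])
    print(create_nad("198.18.133.27", os.environ["ERS_USER"],
                     os.environ["ERS_PASS"], body, os.environ.get("ISE_CA_FILE")))
```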

     

    Launch another tab and connect to your MEAP at https://ipaddress

    Log in with admin creds

    Switch to Expert View

    COPY FROM HOSUK’s doc

     

    ISE IP Address 198.18.133.27

     

    Only do the guest portion to show it's working

    You need to copy the URL from the WLC when setting up the WLAN

    example: me_cwa_acl_redirect_1

     

    Skip SECURE/BYOD network

     

    You need to modify the authorization profile for the guest policies using Policy > Policy Elements > Results > Authorization > Authorization Profiles

    Duplicate the HOTSPOT_REDIRECT profile and name it HOTSPOT_REDIRECT_ME

    Under Common Tasks > Web Redirection, change the ACL to the same one found when you created your WLAN

    me_cwa_acl_redirect_1

    Also make sure your Value has a portal selected

    Hotspot Guest Portal (default)

     

    Submit the profile

     

    Navigate to Policy > Policy Sets > Guest Access > View the policy set

    Expand the authorization policy

    Find the Hotspot Redirect and change the Results/Profiles to HOTSPOT_REDIRECT_ME

    Save the policy

     

    Save off your dCloud session. This can be used over and over again. If you move your Mobility Express controller behind another ERK, you will need to update your ISE Network Access Device with the new IP address. This is because each dCloud router has its own private network.

     

     
