cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15203
Views
10
Helpful
3
Comments
Greg Gibbs
Cisco Employee
Cisco Employee

Introduction

With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials.

The use of Azure AD credentials is an alternative to using a certificate-based method such as EAP-TLS (which requires certificate provisioning) or PEAP-MSCHAPv2. It can mitigate concerns with using other password-based authentication methods (like PEAP-MSCHAPv2) as it uses the employee’s email address as the username rather than exposing their on-premise Active Directory attributes such as sAMAccountName.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ISE 3.0
  • Basic knowledge about SAML SSO deployments
  • Azure AD

Components Used

This configuration example is based on the following environment:

  • ISE 3.0 patch 2
  • AireOS-based Wireless LAN Controller (2500, 5500, etc) with software version 8.5 or higher
  • A separate Wireless SSID using Open authentication
  • Basic open internet access for employees
  • Azure AD user accounts associated with a BYOD Security Group

The following diagram illustrates the logical flow for the solution.

byod flow diagram.png

The lab used to validate the solution uses a single WLC, but the same solution will also work with a Foreign & Guest Anchor architecture.

Assumptions

The configuration herein assumes that an SSID has been created on the WLC for the BYOD network and the WLC has already been configured as a Network Device in ISE.

See the AireOS WLC configuration for ISE document for Open SSID WLAN configuration and best practices.

 

Configuration

SAML IdP Configuration

Step 1 – Create a new SAML Identity Provider for Azure AD

 

Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers and click Add.

create saml idp.png

Input the Provider Id Name and optional Description values and click Submit.

saml idp name.png

*** NOTE: At the time of this writing, ISE cannot create more than one SAML Id Provider with the same Azure tenant ID.

ISE Policy Elements and BYOD Portal

Step 2 – Create an Allowed Protocols list for MAB (if one is not already created)

 

Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Add

allowed protocols add.png

Input the Name and optional Description, select only the Process Host Lookup option, and click Submit.

process host lookup.png
 

Step 3 – Create an Endpoint Identity Group for the BYOD endpoints

 

Navigate to Administration > Identity Management > Groups > Endpoint Identity Groups and click Add.

eig add.png

Input the Name and optional Description and click Submit.

 
eig name.png

 

Step 4 – Configure a Guest Type for the BYOD users


Navigate to Work Centers > Guest Access > Portals & Components > Guest Types and click Create.

 guest type create.png

Input the Guest Type Name and optional Description

guest type name.png

Under the Login Options section, select the Endpoint Identity Group previously created.

guest type eig.png

Configure all other preferred settings and click Save.

 

Step 5 – Configure the BYOD Portal

 

Navigate to Work Centers > Guest Access > Portals & Components > Guest Portals. Create a new Sponsored Guest Portal or select an existing one.

Input the Portal Name and optional Description.

byod port name.png

In the Portal Settings section, select the SAML IdP from the ‘Authentication method’ drop-down list and the Guest Type from the ‘Employees using this portal as guests…’ drop-down list. 

byod portal settings.png

Configure all other preferred settings and click Save.

 

Azure AD SAML SSO Configuration

Step 6 – Export the SAML IdP info from ISE

 

Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers and Edit the IdP.

Select the Service Provider Info tab and click Export.

saml export.png

 

Save and extract the zip file and open the XML file in a text editor. Record the following attribute values:

  • entityID
  • AssertionConsumerService Locations

Example:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://CiscoISE/655019f2-fa19-4517-a5f6-b59d3110830b"><md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIF6jCCA9KgAwIBAgIQYH/EmAAAAACOrCYAdmBsQDANBgkqhkiG9w0BAQsFADB5MSUwIwYDVQQD
...
snip
...
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.120.180:8443/portal/SSOLoginResponse.action" index="0"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ise30-sa.ise.xxx.local:8443/portal/SSOLoginResponse.action" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>

 

Step 7 – Create a BYOD Security Group in Azure AD

 

Login to the Azure AD Portal and navigate to Azure Active Directory > Manage > Groups

aad groups.png

 

Click New Group

new group.png

 

Configure the desired Group name, click the No members selected link and select the associated BYOD user accounts. Click Create.

group members.png

 

Record the Object ID for the new group.

group id.png

 

Step 8 – Register the Enterprise Application

 

Navigate to Azure Active Directory > Manage > Enterprise applications

enterprise app.png

 

Click on New Application

add app.png

 

Click on Create your own application

 

create own app.png

 

Name the application and ensure the Non-gallery option is selected. Click Create.

non-gallery.png

*** Note: A generic name was used as this application may also be used for other non-BYOD use cases in ISE.

 

Navigate to Manage > Users and groups

users and groups.png

 

Click on Add user/group

add usergroup.png

 

Under Users and groups, click on the link for None selected. Click the BYOD group created earlier and click Select.

select group.png

Navigate to Manage > Single sign-on

sso.png


In the Basic SAML Configuration section, click Edit.

basic saml edit.png

 

Paste the entityID and Location values recorded from XML file earlier in Step 6 and click Save.

saml config.png

In the User Attributes & Claims section, click Edit.

edit claims.png

 

Click on Add a group claim. Select the Security groups radio button and click Save.

add group claim.png

 

You should now see the Group claim added with a value of user.groups.

claim added.png

 

In the SAML Signing Certificate section, click the Download link for the Federation Metadata XML and save the file.

download metadata xml.png

Complete the SAML Configuration in ISE

Step 9 – Configure the SAML IdP settings

 

Navigate to Administration > Identity Management > External Identity Sources > SAML Id Providers.

Select the SAML IdP and click on the Identity Provider Config tab.

Click the Browse button and select the Federation Metadata XML file downloaded from Azure in the previous step.

idp browse.png

 

Select the Groups tab and input the following URL for the Group Membership Attribute.

Click the Add button. For the ‘Name in Assertion’ field, paste the Object ID copied from Azure in Step 7 and input a unique value for the ‘Name in ISE’ field. Click OK.

idp add group.png

 

Select the Attributes tab and click Add. Input the following values and click OK.


Name in Assertion

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Type

STRING

Name in ISE

username

 

idp add attribute.png

 

Select the Advanced Settings tab.

Under the Identity Attribute, select the Attribute radio button and select the available claims schema from the drop-down.

Select the same schema from the Email attribute drop-down. Click Save.
idp adv attributes.png

 

Complete the ISE Policy Configuration

Step 10 – Create the Authorization Profiles

 

Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles and click Add.

Create a new redirect Authorization Profile with the following values and click Submit.

 

Attribute

Value

Example Value

Name

<profile name>

AuthZ-Wireless-BYOD-Redirect

Description

<optional description>

 

Access Type

ACCESS_ACCEPT

 

Common Tasks

 

Web Redirection (CWA, MDM, NSP, CPP)

 

     ACL

<WLC ACL Name>

ACL-AAD-REDIRECT

     Value

<BYOD Portal Name>

Azure BYOD Portal

      
Example:

redirect authz prof.png

 

Create a new Authorization Profile to permit BYOD user access with the following values and click Submit.

 

Attribute

Value

Example Value

Name

<profile name>

AuthZ-Wireless-BYOD

Description

<optional description>

 

Access Type

ACCESS_ACCEPT

 

Common Tasks

 

Airespace ACL Name

<WLC ACL Name>

WirelessBYODAccess

 

Example:

access authz prof.png

 

Step 11 – Create the Policy Set

 

Navigate to Policy > Policy Sets and create a new Policy Set matching the BYOD SSID. Select the Allowed Protocols list of MAB created earlier.

Click Save and then click the > symbol next to the new Policy Set.


Example:

create policy set.png

Create a new Authentication Policy with a ‘Use’ value of Internal Endpoints. Click the dropdown for Options and set the ‘If User not found’ option to CONTINUE.

 

Example:

authc policy.png

 

Create the Authorization Policies for the redirection and successful authorizations. Select the access AuthZ Profile created in Step 10 (e.g. AuthZ-Wireless-BYOD) for the access policies and the redirect AuthZ Profile (e.g. AuthZ-Wireless-BYOD-Redirect) for the Default policy. Click Save.

 

Example:

authz policy.png

*** Note: The ‘BYOD User MAB’ policy shown above is to take advantage of the ‘Remember Me’ Guest feature. This policy can be skipped if this feature is not desired. See the ISE Guest Access Prescriptive Deployment Guide  following link for more information on this feature.

Configure the Wireless LAN Controller

Step 12 – Configure the Wireless LAN Controller Called Station ID

 

On the WLC, navigate to Security > AAA > RADIUS > Authentication.

Ensure that the drop-down setting for ‘Auth Called Station ID Type’ includes the :SSID value.

auth called station id.png

 

*** Note: The above configuration is necessary to allow using the Policy Set matching condition for Called-Station-ID in Step 11.

Navigate to Security > AAA > RADIUS > Accounting.

 

Ensure that the drop-down setting for ‘Acct Called Station ID Type’ includes the :SSID value.

acct called station id.png

 

Step 13 – Configure the Airespace ACLs used in the ISE Policies

 

Navigate to Security > AAA > RADIUS > Access Control Lists > Access Control Lists.

 

Click New and create an Airespace ACL to permit the desired access for the BYOD users.

In this example, a simple ‘permit ip any any’ ACL is used.

 

Example:

acl permit byod.png

Click New and create an Airespace ACL for the URL redirection. At a minimum, the ACL should Permit (bypass redirection) for Inbound/Outbound traffic related to the following.

  • DNS
  • DHCP
  • TCP/8443 traffic for the ISE BYOD Portal (unless a custom port was configured)

Example:

byod redirect acl.png

 

Return to the Access Control Lists page, click on the down-arrow next to the new redirect ACL and select Add-Remove URL.

acl add url.png

 

Add the following URL String Name values to exempt the traffic from redirection.

  • login.microsoftonline.com
  • aadcdn.microsoftonline-p.com
  • aadcdn.msauth.net

Example:

url example.png

Verify the configuration

In ISE, navigate to Work Centers > Guest Access > Portals & Components > Guest Portals.

Select the BYOD Portal and click the Test portal URL link.

portal test url.png

 

The browser will be redirected to the Microsoft login. Sign in with an Azure AD user account that is a member of the BYOD group created in Step 7.

 

Example:

ms login.png

 

Depending on the settings configured for the BYOD Portal, you should see an AUP or Success page that includes the Azure AD login username.

login success.png

Comments
Xeladona
Level 1
Level 1

Hi Greg,

 

i strictly followed your excellent guide.

From test portal it works fine but does not work from a client

It looks like browser do not send back to ise the succesful repsonse it gets from azure

 

here you can find my issue

 

https://community.cisco.com/t5/network-access-control/ise-guest-portal-and-azure-sso/td-p/4471193

 

any help would be appreciated

BeomYong Park
Level 1
Level 1

Your documentation has been a great help in testing ISE.

I have one question for you.

What is the license level of ISE required to apply this document?

Thanks

vincevalenti
Level 1
Level 1

@BeomYong Park, all you need is Essentials

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: