Introduction This document describes steps to configure Cisco Mobility Express AP (ME-AP) running version 8.7 to work with ISE 2.4 for guest access (CWA) and BYOD (Single-SSID). Mobility Express version 8.7 is the first version to support RADIUS CoA, RADIUS based URL-Redirect, and DNS based ACL which allows users to use advanced use cases with ISE. ME-AP 8.7 also automatically configures redirect ACL as well as advanced WLAN settings to work with ISE, thus simplifying the configuration process. This document will leverage smart default policy settings present in the ISE where possible. For more information about Cisco Mobility Express, please go to Mobility Express - Fast Wireless LAN Solutions for SMBs - Cisco   Prerequisites, assumptions, and caveats ME-AP capable of running 8.7 (This document uses CLI to bootstrap ME-AP and continues after there is IP connectivity to the ME-AP GUI) ISE 2.4 (Using 2.4, but should also work with previous version of ISE though UI will look different) with default settings Underlying network elements have been configured, including VLAN, DNS, DHCP, Routing, etc. ISE Secure Access Wizard does not support ME-AP   Configuration Overview Mobility Express AP Bootstrap Add ISE as RADIUS Configure CWA WLAN Configure BYOD WLAN ISE Add AP as NAD Add test employee user Modify BYOD profile with SSID name Modify default Authorization profiles Enable Policy set for CWA and BYOD   IP addressing and other network ID used in the document Use Value ISE 192.168.201.93 Mobility Express AP Management Interface 192.168.80.66 Endpoint Subnet 192.168.80.0/24 Guest SSID OPEN Employee/BYOD SSID SECURED   Mobility Express AP Bootstrap If the Mobility Express AP (ME-AP) has not been configured previously, go through the initial configuration either by connecting to the initial SSID or through the console port. Here is sample output from bootstrapping via console port: Bootstrap Welcome to the Cisco Wizard Configuration Tool Use the '-' character to backup   Enter Administrative User Name (24 characters max): admin Enter Administrative Password (3 to 127 characters): ********* Re-enter Administrative Password                 : *********   System Name [Cisco-2cd0.2d3f.8a80] (24 characters max): MEAP   Enter Country Code list (enter 'help' for a list of countries) [US]: 7   Management Interface IP Address Configuration [STATIC][dhcp]:   Management Interface IP Address: 192.168.80.66 Management Interface Netmask: 255.255.255.0 Management Interface Default Router: 192.168.80.1 Create Management DHCP Scope? [yes][NO]: Employee Network Name (SSID)?: PSK Employee Network Security? [PSK][enterprise]: Employee PSK Passphrase (8-63 characters)?: ******** Re-enter Employee PSK Passphrase: ******** Enable RF Parameter Optimization? [YES][no]: Client Density [TYPICAL][Low][High]: Traffic with Voice [NO][Yes]:   Configuration correct? If yes, system will save it and reset. [yes][NO]: yes Once ME-AP reloads, connect to the Web GUI and login using the credential entered via CLI   Add ISE as RADIUS server Switch to Expert View. This enables the UI to allow admin to add RADIUS servers to the ME-AP. Click OK on confirmation pop-up. Click on Management > Admin Accounts Click on RADIUS Scroll down and add RADIUS Authentication Server with ISE IP address and Shared Secret Repeat for RADIUS Accounting Server with same IP address and Shared Secret (Optional) Once RADIUS servers have been added, the expert mode can be turned off   Add Guest (OPEN) WLAN Go to Wireless Settings > WLANs (Optional) Delete WLAN created during bootstrap Click on Add new WLAN/RLAN Create Guest WLAN with following information General Tab Profile Name/SSID: OPEN WLAN Security Captive Network Assistant: Enabled Security Type: Central Web Auth Click on Add RADIUS Authentication Server and ensure ISE IP is shown and click apply. Repeat for RADIUS Accounting Server Make note of the ACL name shown for ‘CWA ACL Rule Name’. It should read ‘me_cwa_acl_redirect_#’. You will need to use the same ACL name in the ISE AuthZ Profile in later steps Click Apply   Add Employee/BYOD (SECURED) WLAN Click on Add new WLAN/RLAN Create Configuring Cisco Mobility Express AP with ISE with following information General Profile Name/SSID: SECURED WLAN Security Captive Network Assistant: Disabled Security Type: WPA2 Enterprise BYOD: Enabled Click on Add RADIUS Authentication Server and ensure ISE IP is shown and click apply. Repeat for RADIUS Accounting Server Make note of the ACL name shown for ‘CWA ACL Rule Name’. It should read ‘me_cwa_byod_acl_redirect_#’. You will need to use the same ACL name in the ISE AuthZ Profile in later steps Click on 'Pre Auth ACLs' Click on 'Add URL Rules' and enter following one at a time. This allows Android devices access to Google Play store to download ISE Network Setup Assistant App to assist in BYOD flow: .google.co accounts.youtube.com gstatic.com .googleapis.com .appspot.com ggpht.com gvt1.com market.android.com android.pool.ntp.org .googleusercontent.com .google-analytics.com Click Apply   ISE Add Mobility Express AP as Network Access Device (NAD) Go to Administration > Network Resources > Network Devices, click on Add Enter Name, IP address, and check 'RADIUS Authentication Settings' Enter matching Shared Secret configured on the Mobility Express AP in the earlier step and Click Submit   (Optional) Add test user Go to Administration > Identity Management > Identities, click on Add Enter Name and Login Password and click Submit   Modify BYOD profile This step reconfigures default BYOD profile with Employee/BYOD SSID of 'SECURED'. If using different name for employee SSID, then modify the name to match the SSID name used in the deployment. Go to Policy > Policy Elements > Results Click on Client Provisioning > Resources on the left menu Check 'Cisco-ISE-NSP' and click on Edit Check 'ISE' SSID Name and click on Edit Change 'SSID Name' to SECURED and click Submit Click Submit to save the Native Supplicant Profile   Modify Authorization profile We will be leveraging existing Authorization profile to simplify the steps. If default Authorization profiles are already in use, make a copy before modification. Also, if using copied Authorization profile, ensure that the policy set rules are using the copied Authorization Profile instead of the default ones in the next section. Go to Policy > Policy Elements > Results Click on Authorization > Authorization Profiles on the left menu Check 'Cisco_WebAuth' and click on Edit Under 'Common Tasks' area scroll down to 'Web Redirection' and replace the ACL with ACL value auto configured by Mobility Express AP in the previous steps for Guest WLAN Click Save Click on Authorization Profiles on the left menu Check 'NSP_Onboard' and click on Edit Under 'Common Tasks' area scroll down to 'Web Redirection' and replace the ACL with ACL value auto configured by Mobility Express AP in the previous steps for BYOD WLAN Click Save   Modify Policy Set Go to Policy > Policy Sets Click on '>' to expand Default Policy Set Expand Authorization Policy by clicking '>' Scroll down and Enable following Rules by clicking the 'Status' icon and selecting 'Enabled' Employee_EAP-TLS Employee_Onboarding Wi-Fi_Guest_Access Wi-Fi_Redirect_to_Guest_Login Click Save ... View more

In general it is recommended to minimize number of SSIDs. Also, if the guest access is using hotspot access then single-SSID BYOD is recommended as the open SSID using hotspot portal cannot be used for initial BYOD portal at the same time. With Single-SSID BYOD, the endpoint associates to a secure WLAN gets onboarded then after the endpoint automatically reconnects the endpoint is granted full network access via same WLAN. If guest access is utilizing one of the named guest account, then same guest portal can be used for employee BYOD portal. This flow is called Dual-SSID BYOD, where the endpoint is associated to a provisioning WLAN which is typically shared with guest access. When the ISE confirms that the user is an employee user, then ISE will direct the user to the BYOD flow where the endpoint gets onboarded. Once provisioned with the WLAN settings and possibly CA signed certificate, then the endpoint is reconnected to the secured WLAN for full network access.     Single SSID Dual SSID Pros User experience is better for iDevice users as SSID switching from OPEN to SECURED does not require user intervention This is a unique capability of ISE where competitor solution forces user to login twice while ISE can take user information from 802.1X session without asking for the user to login again to the web portal Some organizations prefer having a dedicated SSID for on-boarding devices. Can provide visible guidance to the user on the BYOD process before logging in Better security: User can confirm that the BYOD server is legitimate as the user does not get prompted to manually trust the EAP certificate ID Store is LDAP and cannot start with PEAP with MSCHAPv2 currently to LDAP store Wired deployment where cannot assume client already has 802.1X enabled on wired interface Can be configured to use secured SSID that is not broadcasting In the case of dual-SSID flow, BYOD portal can be configured to allow guest access if employee does not want to go through the BYOD flow Cons When end users connect to the SSID for the first time there is no easy way to validate whether server provided certificate is from the trusted source Fast-SSID change setting needs to be enabled on the WLC to accommodate iOS devices Others see dual SSID as an extra management burden. A second SSID adds channel overhead and may degrade wireless performance Requires iOS users to manually switch SSID ... View more

ISE can pull list of MAC addresses from the user DB such as AD, LDAP, SQL, or internal DB and compare it during authorization. This allows network admins to enforce user to specific endpoint for network access. Doing this via dynamic attribute has many benefits, one of which is that it reduces the number of policy rules when used correctly. Imagine if you want to create 10 different MAC address mappings for 10 different users. In the traditional way, you would create 10 separate rules that reads “If User A, then match MAC address X”, “If User B, then match MAC address Y”… However, with dynamic attributes, you can simply create one rule that reads “If user attribute includes MAC address that is connecting, then permit access”. AD attributes can be pre-populated with list of MAC addresses and can be dynamically called upon as user authenticates. This video shows how to create users in the AD with such attribute and also show you how to configure ISE policy to use it for authorization and lastly confirm the operation. Note 1: I used ‘Description’ attribute from AD which is not an indexed attribute which works in test environment. However, in a real world environment make sure to use an indexed attribute for fast retrieval of attribute value. Note 2: Cisco device uses aa-aa-aa-aa-aa-aa format for the mac address in the Calling-Station-ID field. If trying this with 3rd party network device, you will need to find out which RADIUS attribute contains the MAC address and in what format it is being sent and store the MAC in that exact format in the directory attribute. Note3: If the PC has multiple interfaces, then need to add all interface MAC in to the attribute ... View more

ISE can pull VLAN (Or iPSK) attributes from the user DB such as AD, LDAP, SQL, or internal DB and assign it during authorization. This has many benefits, one of which is that it reduces the number of policy rules when used correctly. Imagine if you want to assign 10 different VLANs for 10 different set of users. In the traditional way, you would create 10 separate rules that reads “If User A, then assign VLAN 10”, “If User B, then assign VLAN 20”… However, with dynamic attribute, you can simply create one rule that reads “If user authenticates, then assign AD attribute as VLAN ID”. AD attributes can be pre-populated with VLAN name or ID and can be dynamically called upon as user authenticates. This video shows how to create users in the AD with such attribute and also show you how to configure ISE policy to use it for VLAN assignment and lastly confirm the operation. I am using WLC as an example, but the same works with Catalyst switches as well. Note 1: I used ‘Description’ attribute from AD which is not an indexed attribute and works in test environment. However, in a real world environment make sure to use an indexed attribute for fast retrieval of attribute value. Note 2: The VLANs needs to be created on the the WLC or the switch prior to the VLAN assignment. Also, SVI and DHCP needs to be be configured for the VLAN or else the endpoint will not be able to get an IP address assigned Note 3: The same can be done for iPSK by extending the endpoint DB. Simply create a new string attribute to store iPSK value and call upon the value during the authorization. Go to 'Administration > Identity Management > Settings > Endpoint Custom Attributes' and create a String type attribute called iPSK. Go to context visibility and for each endpoints populate the iPSK attribute value in the following format 'psk=XXXXX'. ... View more

  Introduction Note: Starting with Chromebook v66, it is possible to do SSO for 802.1X. Please see Chromebook 802.1X SSO for more information. Chromebooks have become a dominant platform for much of the K-12 environment in the US. While it makes great sense for the district management to choose Chromebooks over other platforms, it presents a unique problem for the network/security administrators that are managing the network security for the school districts. The challenge is that there is no easy way to enforce each of the Chromebook to use unique identification to login to the network. In the case of MS Windows, one could force the O/S to utilize the Windows login account to be used for Network login, which provides SSO for the users, yet also provides visibility of users to the network administrators. However, with Chromebooks, there is no way to do the same as evident from the issue being tracked here: https://bugs.chromium.org/p/chromium/issues/detail?id=386606. To circumvent the issue, some admins have resorted to instruct the users to connect to the wireless network manually themselves after they receive their Chromebook. While feasible, it only works in an environment where the Chromebook are assigned to a student for a prolonged period and does not work for environments where the Chromebook are shared by multiple students throughout the day, not to mention that password expiry policy often results in additional support calls from the students. Alternatively, some admins have used WPA/WPA2 PSK (Pre-Shared Key) or static username/password combination to authenticate to the network, forfeiting network visibility as every Chromebook logon is seen identical aside from the MAC addresses. Due to lack of visibility, admins cannot effectively enforce differentiated policies based on user accounts nor they can easily track down a user when policy violation occurs on the network nor they can track down an asset for inventory purposes. ISE provides unique solution to the problem by utilizing SAML Guest authentication feature to identify user behind the devices, thus providing visibility into the users for the network and security administrators. This is done by utilizing Open SSID, WPA/WPA2 PSK, or WPA/WPA2 802.1X combined with SAML guest authentication with ISE. In this setup, ISE Guest portal is used as SAML Sp (Service Provider) and the Google Suite is used as IdP (Identity Provider).   This document describes how to configure Cisco ISE to provide SSO on the ISE guest access portal via Google Suite account via SAML. This allows network administrators to see who is logged in to the network on both the WLC and the ISE. Also contains optional configurations to streamline the user experience by auto pop-up of browser upon login and auto-click of the SSO link. This document covers additional configuration to make the Chromebook SSO working on an existing guest setup and will utilize default ISE settings when applicable.   Prerequisite Already have working Google Suite with test users Fresh ISE 2.2 install (This document was written while testing with ISE 2.2, but should also work with ISE 2.1) Working WLC with CWA Guest access running 7.6+ for DNS ACL feature (Preferably running 8.2+ as it provides 20 DNS ACE per ACL as opposed to 10 ACE in the previous versions)   Configuration Overview ISE: Add WLC as RADIUS Client ISE: Enable Default Authorization Policy for guest access ISE: Create SAML identity source ISE: Create Guest portal to use SAML ISE: Take note of SAML Sp settings G-Suite: Create SAML App to use ISE ISE: Import G-Suite SAML metadata into ISE SAML identity store WLC: Configure RADIUS Server WLC: Configure Redirect ACL WLC: Configure WLAN   Quick video showing the configuration flow:   ISE: Add WLC as RADIUS Client Go to Administration > Network Resources > Network Devices > Add Provide Name, IP Address, and the RADIUS shared key for the WLC and save   ISE: Enable Default Authorization Policy for guest access Go to Policy > Authorization Click on 'Edit' for 'Wi-Fi_Guest_Access' and 'Wi-Fi_Redirect_to_Guest_Login' rule. Click on the status field to mark both rules to be active (Optional) If using 802.1X WLAN, add an additional condition for 'WiFi_Guest_Access' rule to check 'CWA:CWA_Username' Ends With the Google domain name that is being configured (I.e. wonderlandisd.org). This ensures both 802.1X identity and the SAML (WebAuth) identity are visible in the live log and via pxGrid. Click Save     ISE: Create SAML identity source Go to Administration > System > External Identity Sources > SAML Id Providers, click on Add Enter ‘Google_SAML’ in the Id Provide Name, click Save   ISE: Create Guest portal to use SAML Go to Work Centers > Guest Access > Portals & Components > Guest Portals, click on Create Select Sponsored-Guest Portal and click Continue… Enter Google_SSO in the Portal Name Expand Portal Settings, select Google_SAML from the Authentication method pull down menu Expand Acceptable Use Policy (AUP) Page Settings, uncheck ‘Include and AUP page’ Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’ Expand Post-Login Banner Page Settings, uncheck ‘Include a Post-Login Banner Page (Optional) Expand Authentication Success Settings, change accordingly to send user after the SSO is completed Scroll up and click Save Click Close to go back to the list of Guest Portals Click on the Self-Registered Guest Portal (default) Expand Login Page Settings, Uncheck ‘Allow guests to create their own accounts’, Check ‘Allow the Following identity-provider guest portal to be used for login’ and select Google_SSO from the drop down list Expand Acceptable Use Policy (AUP) Page Settings, uncheck ‘Include and AUP page’ Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’ Scroll up and click Save   ISE: Take note of SAML Sp settings Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML Click on Service Provider Info. tab Click on Export button Save the ‘Google_SAML.zip’ file With the file manager on your PC/OSX, expand the ‘Google_SAML.zip’ file Use notepad or text editor and open up the Google_SSO.xml file Take note of the two values; entityID and Location. Location value is multi-valued. Take note of the Location value with the host name instead of IP address. See below for example: entityID=" http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae " Location=" https://ise22.example.com:8443/portal/SSOLoginResponse.action "   G-Suite: Create SAML App to use ISE Logon to the Google Suite account as a google admin user From Home, go to Apps > SAML Apps > Click on ‘+’ Select ’SETUP MY OWN CUSTOM APP’ on the bottom Click on ‘Download’ button user Option2, IDP metadata Save the file to the local HDD, we will import this into ISE SAML settings Click Next Enter ISE-Guest as application name and click NEXT For ACS URL, enter the ‘Location’ value that was noted from the Google_SAML.xml file above For Entity ID, enter the ‘entityID’ value that was noted from the Google_SAML.xml file above Click NEXT, then FINISH Click OK on the pop up Select the 3 dot icon and choose ‘ON for everyone’ Click ‘TURN ON FOR EVERYONE’   ISE: Import G-Suite SAML metadata into ISE SAML identity store Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML Click on Identity Provider Config. tab Click on Choose File button Select IDP Metadata that was downloaded from the Google Suite during the step above Click Save   WLC: Configure RADIUS Server Go to Security > AAA > RADIUS > Authentication > New... Enter server IP, RADIUS key, Enable CoA, and change the server timeout to 5 seconds and click Apply Go to Security > AAA > RADIUS > Accounting > New... Enter server IP, RADIUS key, and change the server timeout to 5 seconds and click Apply   WLC: Configure Redirect ACL Go to Security > Access Control Lists > Access Control Lists > New Enter 'ACL_WEBAUTH_REDIRECT' for the name and click Apply Click on 'ACL_WEBAUTH_REDIRECT' Click on 'Add New Rule' and add ACE to allow DNS and access to ISE node (See below example), click Apply     Hover mouse next to the 'ACL_WEBAUTH_REDIRECT' and select 'Add-Remove URL' Add following entries one by one and click on 'Back' .google.co accounts.youtube.com gstatic.com .googleapis.com .appspot.com ggpht.com market.android.com android.pool.ntp.org .googleusercontent.com .google-analytics.com   WLC: Configure RADIUS Server Go to WLANs > Select 'Create New' and click on 'Go' Add profile name and SSID name Click on Apply Check Enabled for Status Select appropriate interface Click on 'Security' tab under WLAN Select 'None' for the Layer 2 Security (Optional) If running WLC 8.3+ and would like to use WPA/WPA2 PSK to encrypt traffic on the WLAN, select WPA+WPA2 for the Layer 2 Security Select 'MAC-Filtering' (Optional) If WPA+WPA2 was selected previously, select PSK for Authentication Key Management and enter PSK for the WLAN in the PSK Format area Select 'AAA Servers' tab Select RADIUS server that was added to the WLC in the previous step for both Authentication and Accounting servers Click 'Advanced' tab under WLAN Check AAA Override For NAC State, select ISE NAC (or RADIUS NAC for older version of WLC) Check DHCP Profiling and HTTP Profiling for 'RADIUS Client Profiling' Click Apply   Optional Configurations for better end user experience Following three settings can be used to provide better user experience by allowing the SAML flow to be auto initiated when the user logs in to the Chromebook. The first optional setting forces auto SSO by opening up a browser window upon a user logging in to the Chromebook. The second optional setting provides auto clicking for the SSO link using a javascript. And, the third optional setting ensures the ISE guest portal page certificate is trusted by the Chromebook in case ISE self-signed certificate is used. Last step is optional if 3rd party CA signed certificate is used for the portal.   Make browser auto popup when user signs in to the Chromebook Logon to the Google Suite account as a google admin user From Home, go to Device Management > Chrome > User Settings Scroll down to the 'Startup' section and locate the 'Pages to Load on Startup' setting and enter any http (Non-secure) site that is not part of google domains (i.e. http://www.cisco.com ) Click Save   Hide login portal and auto click SSO link Logon to the ISE GUI Go to Administration > System > Admin Access > Settings > Portal Customization Select ‘Enable Portal Customization with HTML and JavaScript’ and click Save Go to Work Centers > Guest Access > Portals & Components > Guest Portals Click on the Self-Registered Guest Portal (default) Click on the Portal Page Customization on the top Select Pages > Login from the left side and go to the section that shows ‘Google_SSO’ Check the ‘as link’ next to the ‘Alternative Login Portal’ Click on ‘X’ right next to the Icon to remove the icon Under Optional Content 2 box Click on the ‘Toggle HTML Source’ button on the Optional Content 2 box area Paste in following Javascript <script> $(document).ready(function(){ $('#idp-login-link-text-container').trigger('click'); $('[id="page-login"]').hide(); }); </script> Click on the ‘Toggle HTML Source’ button on the Optional Content 2 box area again, the script will disappear (But it is still applied. If applied correctly the preview pane on the right hand side will show that the page is blank) Scroll up and click Save   Make Chromebook trust ISE Self-Signed certificate Logon to the ISE GUI Go to Administration > System > Certificates > Certificate Management > System Certificates Click on Generate Self Signed Certificate Select DNS Name for ’Subject Alternative Name (SAN)’ and enter the ISE host name in the box Select 2048 for Key length and SHA-256 for Digest to Sign With Check Portal: Use for Portal Select ‘Default Portal Certificate Group’ Click Submit Select Yes when prompted to replace existing certificate ISE node will be restarted to use the new certificate Once ISE is back up, login to the Admin GUI Go to Administration > System > Certificates > Certificate Management > System Certificates Check the certificate that is shown as used by ‘Portal’ and click 'Export' Leave setting as ‘Export Certificate Only’ and Click Export Save it to the local HDD. We will import this certificate into the Google Suite Logon to the Google Suite account as a google admin user Go to Device Management > Device Settings > Network Click Certificates Click Add Certificate Select the one exported from ISE in step above Check 'Use this certificate as an HTTPS certificate authority' check box Click Save   Optional Configurations for group/attribute matching At the time of writing, the Google IdP cannot include group information in the SAML assertion. As a workaround, following settings can be used to configure the G-Suite to send user attribute during SAML flow where ISE can be configured to utilize it for authorization condition. It is useful if one needs to provide differentiated access to certain groups of users. For instance, students are assigned an ACL or a security group tag that is different from faculty members. Note: Currently SAML assertion for group/attribute patching is possible when the WLAN is configured as Open or WPA/WPA2 PSK.   Configure G-Suite to include additional attribute during SAML flow Logon to the Google Suite account as a google admin user From Home, go to Apps > SAML Apps > Click on 'ISE-Guest' Click on 'Attribute Mapping' Enter Department, Select 'Employee Details', then select 'Department' Click Save   Configure ISE to map the attributes to ISE attributes Logon to the ISE GUI Go to Administration > System > External Identity Sources > SAML Id Providers, click on 'Google_SSO' Click on 'Groups' tab Enter 'Department' in the 'Group Membership Attribute' box Click on 'Add' below and add Department names used in the G-Suite Below Showing few examples Click Save. The newly added Authorization condition is now available in the policy rules.   Troubleshooting Common issues Chrome browser complains about the certificate Make sure the ISE portal certificate is using SHA256 and includes a SAN field. ISE default installation uses SHA1, so if using self-signed certificate, one has to issue a new certificate Check chrome policy to ensure that it is using latest policy On the client PC, in the URL bar, enter ‘chrome://policy’ If the policy is stale, click on ‘Reload Policies’ button to renew policy When SSO link/button is clicked, the user gets Application is not enabled error Validate that the Chromebook being used is being managed by the G-Suite Validate that the user is using the managed user account that is member of the domain After enabling SAML on the G-Suite, it may take 24 hours to propagate the settings to all users. Even for small organization, it may take 30 minutes Validate SAML setting between ISE and G-Suite SAML App If the SSO link/button is visible but unclickable Validate SAML IdP setting on the ISE. It should look similar to the following   Debugging Enable debug guestaccess, portal-web-action Enable trace for SAML Open two separate SSH access to ISE and run terminal length 0 show logging application ise-psc.log tail and on the second SSH terminal length 0 show logging application guest.log tail   Caveats Shared Chromebook At the time of writing the Google as SAML IdP doesn't support logout. Thus, when multiple users are sharing the same Chromebook as is with the case in many K-12 environments, there is a opportunity that when the time between the first user logging off and a second user logging is too short, the second user may assume the identity of the first user in the ISE and WLC view. This does not mean the second user has access to google apps and resources. If one needs to minimize the possibility of such incidents, one can reduce the idle timeout for the WLAN to be short enough to clear out the sessions while the Chromebook is transferred to new student during class breaks. In addition to the short idle-timeout, multiple sign-in access setting on the G-Suite needs to be setup accordingly. The setting can be changed by logging into the G-Suite and going to 'Device Management > Chrome > User Settings > User Experience > Multiple Sign-in Access' settings.   End User Experience Without Optional Configuration User enters google ID to log in to the Chromebook ( Chromebook is booted up and it associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page while allowing access to G-Suite related sites for policy download and user login) Once on the desktop, user opens up a browser window and tries to go to a non Google related site (If using the automated JS in the optional section above, this and the next 2 steps happens automatically when user logs in to Chromebook) User is redirected to ISE portal page User clicks on SSO link/button SAML completes and user is presented with Success page User now has Internet access   With Optional Configuration User enters google ID to log in to the Chromebook ( Chromebook is booted up and it associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page while allowing access to G-Suite related sites for policy download and user login) Browser auto pops-up upon login and SAML completes and user is presented with Success page User now has Internet access   ISE Live Log           ... View more

  Here I am listing top ten settings I check for when looking at a customer’s IOS switch settings when integrated with ISE. The ten settings listed below doesn’t cover the full configuration to work with ISE, rather these are common settings that are either missing or mis-configured which could have negative impact. For complete configuration how-to please go to the following link: ISE Secure Wired Access Prescriptive Deployment Guide     Disable syslog (Global Configuration)   There is a feature on ISE where ISE correlate syslog from access switches to the RADIUS live log on the ISE. It provides admin user a single view of what is going on with the session without having to correlate data from ISE and the switch manually. While nice to have feature, in general it causes MnT node to store additional data and also process the syslog requests that may not be related to the authentication events that ISE is interested in. It is recommended to not use this feature beyond the initial PoC phase to iron out the authentication issues. Look for the following lines, and remove them from the switch config: SWITCH(config)#no logging host {ISE_MnT} transport udp port 20514     Disable SNMP trap (Global Configuration)   There are two ways ISE utilizes SNMP for profiling. One way is to let ISE poll the switch due to an event or periodically, and second way is to let the switch send SNMP trap to the ISE PSN node to let ISE know that there is an endpoint on port X/Y/Z with HH:HH:HH:HH:HH:HH MAC address. This is important information to the ISE node, as it can be used to trigger the SNMP polling to get additional profiling attributes as well as locating the endpoints not he network. However, when switches are configured with 802.1X/MAB, one of the requirement is to configure RADIUS Accounting. So it happens that the RADIUS Accounting already includes the same information that SNMP trap can provide. The other benefit is that you are minimizing the duplicate information and avoid PSN ownership change of an endpoint, which reduces replication traffic among the nodes. SNMP trap can be safely disabled for ISE PSN profiling purpose, and can be done by removing SNMP trap related configuration that points to the ISE PSN nodes: SWITCH(config)#no snmp-server host {ISE_PSN}     RADIUS accounting interval (Global Configuration)   Interim accounting is an important piece of message for ISE to maintain session table. If ISE fails to receive interim accounting message for an endpoint session beyond 5 days, ISE will stop maintaining the session for that endpoint. This would mean that ISE thinks an endpoint is no longer connected to the network while the switch shows the endpoint still connected. Also, ISE cannot manage the device via CoA (Change of Authorization) as session is not maintained on ISE. To avoid this, ensure that the RADIUS Accounting is sent to the ISE node every 2 days using the following command: SWITCH(config)#aaa accounting update newinfo periodic 2880     RADIUS deadtime (Global Configuration)   This setting controls how long the RADIUS server is marked as down when it doesn’t respond to RADIUS requests. The default setting is ‘0’ minutes, which means the same server that didn’t respond will be marked alive right after it was marked down. It should be used when there are two or more RADIUS servers or if one wants to fail-open the port when there are no RADIUS servers available. Following command will mark the servers down for 15 minutes when dead-criteria is met: SWITCH(config)#radius-server deadtime 15     Redirect ACL (Global Configuration)   When the switch is configured for CWA, it uses an ACL to match which traffic to redirect or not. The work is done by the CPU and on a switch with high density ports, it could cause unnecessary load on the switch CPU. Simply craft the redirect ACL to match on TCP/80 & TCP 443 and use dACL to deny traffic that is not filtered by the redirect ACL. ACL similar to the following can be used: SWITCH(config)#ip access-list extended ACL_WEBAUTH_REDIRECT SWITCH(config-ext-nacl)#deny udp any host {DNS_SERVER} eq domain SWITCH(config-ext-nacl)#deny udp any any host {DHCP_SERVER} bootps SWITCH(config-ext-nacl)#permit tcp any any eq www SWITCH(config-ext-nacl)#permit tcp any any eq 443 Note: When web request is HTTPS request and redirected via HTTPS, it utilizes CPU on the Catalyst switch. Certain Catalyst switch platforms lack resource to process HTTPS redirect and may cause high CPU. For posture, AnyConnect posture module can use HTTP (TCP/80) to find the ISE node, so HTTPS is optional and can be disabled by either removing the 'permit tcp any any eq 443' from the ACL or disabling HTTPS server using 'no ip http-secure server' command. Selective use of dACL on a single interface (Global Configuration)   Let’s say that you have several different types of devices connecting to the same interface and some devices are configured to get dACL from ISE while some are not. For instance, you may configure dACL for PC while no dACL is used for IP Phones. As you test different devices on the network you notice that when you connect a PC behind the IP phone, the IP phone loses connectivity to voice gateway until you unplug the PC. You suspect the dACL so you temporarily change the PC dACL to ‘permit ip any any’ to ensure access from any devices on the port, but the problem persists. Then you decide to use ‘permit ip any any’ dACL for the IP phone as well, and now the IP phone does not get disconnected from the voice gateway when the PC is connected behind it. This is also true when a hub is used to authenticate multiple devices behind a single switch interface. If you have devices already connected and authenticated via hub without dACL and a new device connects with a dACL, then all of the previously connected devices will lose connectivity to the network as the dACL is only permitted from the endpoint assigned to it and not for the other endpoints on the same interface. There are two main options to address this. One option is to ensure dACL is applied to every permission that will be sharing the same physical port or simply run the following global command, which will dynamically insert ‘permit ip host x.x.x.x any’ in case there is no ACL attached to the session and another device is being connected to the same port with a dACL. SWITCH(config)#epm access-control open   Reauth (Session) or idle timeout (Interface Configuration) In general, reauthentication timer and idle timer is not recommended. If there is a need for such timers, it is recommended to send down the value via RADIUS from the ISE instead of hardcoding the value on the switch. SWITCH(config-if)#authentication periodic SWITCH(config-if)#authentication timer reauthenticate server SWITCH(config-if)#authentication timer inactivity server dynamic   802.1X and MAB ordering (Interface Configuration)   Like I stated at the start of this document, given the choices, unless one provides greater value I recommend using the default value. 802.1X & MAB ordering is more subjective than the other settings, but in general leaving the default order of 802.1X and MAB is recommended. SWITCH(config-if)#authentication order dot1x mab   There may be some cases where doing MAB first is preferred to ensure that devices are getting ip addresses via DHCP server without delay. However, when periodic reauthentication is used with MAB first, the 802.1X authenticated device will be MAB authenticated per ordering of MAB and 802.1X during reauthentication. In order to avoid MAB upon reauthentication for 802.1X devices, you can send down VSA to ensure 802.1X is reauthenticated without going through the MAB first. You can add following VSA to the authorization profile: ‘cisco-av-pair = termination-action-modifier=1’. When using the VSA ensure that the reauthentication timeout is sent by the RADIUS server as opposed to setting it statically on the interface. SWITCH(config-if)#authentication order mab dot1x SWITCH(config-if)#authentication priority dot1x mab     Setting the correct tx-period (Interface Configuration)   If using the default order, endpoints that are not doing 802.1X would need to wait for the 802.1X process to timeout, which takes time as the switch tries 3 times with 30 second wait time with default settings. This equates to 90 seconds of delay in getting the IP address via DHCP from the point the endpoint receives signal on the port. Many endpoints will give up within a minute and will require the endpoint to manually request the IP address. In order to avoid it, it is recommended to reduce the tx-period from 30 seconds to 5 - 10 seconds. SWITCH(config-if)#dot1x timeout tx-period 7     Port-security + 802.1X/MAB (Interface Configuration)   Port-security feature allows one to tie the MAC address of the endpoint to the switch port for security purposes, but it does not play well with 802.1X. Also, much of what port-security provides in terms of security, can be provided by 802.1X & MAB. One exception is enforcing number of MAC on a given port, which is possible with port-security, but not with 802.1X/MAB. Any port-security commands should be removed from the interface to avoid authentication issues. SWITCH(config-if)#no switchport port-security   Trunk interfaces and ip device tracking (Interface Configuration)   We require ip device tracking to be enabled on the switch and it could cause MAC flapping on the trunked interfaces. Following command can be entered on the uplink trunked ports to disable ip device tracking on the trunked interfaces: SWITCH(config-if)#ip device tracking maximum 0     Fail Open port (Interface Configuration)   This is a common mis-configuration on the interface for the Fail-open/close (AKA critical authentication). Depending on whether the host-mode is set to multi-auth or multi-domain, different fail-open/close VLAN command should be used. When wrong commands are entered, the interface will not fail-open/close: //For Muti-Domain mode port SWITCH(config-if)# authentication host-mode multi-domain SWITCH(config-if)# authentication event server dead action authorize {Optional VLAN ID if different from interface access VLAN} SWITCH(config-if)#authentication event server dead action authorize voice SWITCH(config-if)#authentication event server alive action reinitialize   //For Muti-Auth mode port SWITCH(config-if)# authentication host-mode multi-auth SWITCH(config-if)# authentication event server dead action reinitialize vlan {Mandatory fail-open/close VLAN ID} SWITCH(config-if)#authentication event server dead action authorize voice SWITCH(config-if)#authentication event server alive action reinitialize With multi-auth and reinitialize, let’s say there are 5 devices already connected to a single switch interface on VLAN 20. No impact to 5 devices, until a new device connects to the same interface during the server dead event. When new device connects and no AAA server available, then the interface will reinitialize to VLAN 50 per configuration below. At this point all 5 + 1 devices are on VLAN 50. In general for fail-open one would configure same VLAN for access VLAN and reinitialize VLAN to minimize user impact.    Note: This is no longer the case with newer Catalyst platforms. Please review Inaccessible Authentication Bypass section of the Advanced ISE tips to make your deployment easier document   ... View more

I favor default settings when it comes to device configurations. What I mean is that I try not to change any of the default settings on the system unless that change provides major benefit to the deployment. In general default settings are default for a reason, but as we all know there are some default settings that are set with such values due to backwards compatibility during upgrades. I often get asked to provide sanity check on customer’s configuration of Secure Access related components. This includes ISE settings, Switch settings, and WLC settings. Of course there is no one size fits all but I am hoping the settings I list here will provide good guidance to provide stable Secure Access environment. Six Cisco WLC settings for ISE integration Ten Cisco IOS Switch settings for ISE integration Five ISE configuration tips (Coming Soon!) ... View more