We do not provide a PDF of this document. For an offline copy of this document, simply create your own PDF using File > Print then Save as PDF on your local computer. Introduction Cisco Catalyst 9800 (C9800) series wireless controller running 16.10.1 has feature parity with AireOS 8.8, which means that all the feature that works between AireOS & ISE also works between C9800 & ISE. However, the configuration of C9800 is different from AireOS and this document shows how to configure C9800 to work with ISE. For more information on Cisco Catalyst 9800 series, please go to: https://www.cisco.com/c/en/us/products/wireless/catalyst-9800-series-wireless-controllers/index.html Setup Components used: WLC: Catalyst 9800-CL running 16.10.1 AP: Cisco 1815i ISE: 2.4p3 (Previous versions of ISE should work with C9800 as well)   The document does not cover details on how to bootstrap the ISE, C9800, and AP. The document assumes the C9800 is accessible from the management PC and AP is associated to the C9800. The document also assumes underlying network elements are already configured, which includes, VLANs, SVIs, Subnets, DHCP, routing, and DNS. The following diagram and table shows settings for the components. C9800 IP 192.168.201.61 ISE IP 192.168.201.93 DNS IP 192.168.201.71 OPEN SSID OPEN SECURE SSID SECURE Guest VLAN 30 Guest Subnet 192.168.30.0/24 User VLAN 10 User Subnet 192.168.10.0/24   Notes: If static ACL needs to be applied to a session, use AireSpace-ACL-Name (6) attribute to send down a ACL name. The ACL needs to be pre-created on C9800 C9800 supports dACL for central switching If dVLAN needs to be applied to a session, use AireSpace-VLAN-Name (5) attribute to send down a VLAN name/ID. The VLAN needs to be pre-created on C9800. Alternatively standard RADIUS 3 tuple attributes can be used for VLAN assignment using VLAN name/ID Redirect ACL follows Catalyst IOS syntax instead of AireOS syntax. So permit statement means the matching traffic is redirected, while deny means it will be allowed without redirect With local mode, unlike AireOS, DNS ACL entries are not tied to the redirect ACL. URL entries needs to be defined in the URL Filters and called upon via separate RADIUS attribute during the authentication. More information on this at the end of the document on ISE section. With FlexConnect mode, URL filter is tied to the redirect ACL within the flex profile, so URL filter does not need to be called upon via separate RADIUS attribute   Catalyst 9800 Configuration Following diagram shows the C9800 configuration at a high level. Each box represents individual configuration profile with relevant options shown and how each profile feeds into other profiles to make a working configuration. The bullet points within the profile that are in bold represents sub profile being fed into the profile. It also includes the suggested order to create the profiles that maps to the main section of the document.   Steps 1 - 3: Define AAA   Go to Configuration > Security > AAA > Servers / Groups > Servers, Click Add Enter following information (Any configuration not defined in the table assumes default settings): Name ISE01 IP 192.168.201.93 Key ***** (Match with ISE) Support for CoA Checked Click Server Groups, Click Add Enter following information: Name ISE Available Servers ISE01 Go to Configuration > Security > AAA > AAA Method List > Authentication, Click Add Create Authentication list using following information that will be used for both OPEN SSID and SECURE SSID: Name default Type dot1x Group-Type Group Available Server Groups ISE Note: If clients are failing to associate and authentication request does not show up on ISE Live Log, try setting the authentication list name to 'default' as shown above. Go to Configuration > Security > AAA > AAA Method List > Authorization, Click Add Enter following information for AAA Authorization list that will be shared for both SSIDs: Name default Type Network Group-Type Group Available Server Groups ISE Note: The Authorization name 'default' is significant here since there is no Authorization list that can be defined within the 802.1X WLAN. By using 'default' as name, C9800 can use the ISE to get additional authorization details such as for dACL operation. If default authorization list cannot be used or desired, then named authorization can be created and can be referenced via RADIUS server as a Cisco VSA. The Cisco VSA to use is 'Method-List={authorization-method-list}', which can be configured in ISE advanced Attribute Settings. Please see examples at the end of the document. Go to Configuration > Security > AAA > AAA Method List > Accounting, Click Add Enter following information for AAA Authorization list that will be shared for both SSIDs: Name default Type Identity Available Server Groups ISE   Step 4: Create Webauth Parameter Map (Required for BYOD) This will only be used in the SECURE SSID to suppress Apple CNA (AKA mini browser) from popping up upon association to the WLAN. This is required as the Apple CNA is unable to fulfill the BYOD onboarding flow. Go to Configuration > Security > Webauth > Webauth Parameter Map, Click Add Enter Name ‘Captive-Bypass-Portal, Click Apply to Device Click ‘Captive-Bypass-Portal’ parameter map from the list Check Captive Bypass Portal, Click Update & Apply   Step 5: Create VLANs Go to Configuration > Layer 2 > VLAN > VLAN, Click Add Add two VLANs using following table for User VLAN and Guest VLAN. These VLANs will be mapped to SECURE SSID and OPEN SSID respectively using policy profiles and tags: VLAN ID 10 30 Name User Guest State Activated Activated Port Members Gi2 Gi2 Click Save & Apply to Device   Step 6: Create WLANs Go to Configuration > Tags & Profiles > WLANs, Click Add Add WLANs using following table for OPEN WLAN and SECURE WLAN. These WLANs will be mapped to the AP using tags (Any configuration not defined in the table assumes default settings): General Profile Name OPEN SECURE   SSID OPEN SECURE   Status Enabled Enabled Security > Layer 2 Layer 2 Security Mode None WPA + WPA2   MAC Filtering Enabled     Authorization List default   Security > Layer 3 Webauth Parameter Map   Captive-Bypass-Portal Security > AAA Authentication List default default Note: There is no reference to Authorization List for 'SECURE' SSID. This is not an issue for AAA override operation that applies authorization directly from RADIUS ACCESS-ACCEPT response. However, this is an issue for applying dACL as it requires additional RADIUS communication which requires authorization list. To address this issue, either use special name 'default' as authorization list as configured above or configure ISE to send Cisco VSA 'Method-List={authorization-method-list}' with ACCESS-ACCEPT when dACL is used. See ISE section below for more information. Click Save & Apply to Device Step 7: Create Policy Profiles Go to Configuration > Tags & Profiles > Policy, Click Add Add Policy Profiles for both WLANs using following table. Policy profile covers device sensor, default VLAN, CoA, and RADIUS Accounting. Since VLANs are different, two profiles are created one for each WLAN. These profiles will be mapped to the WLANs using tags (Any configuration not defined in the table assumes default settings): General Name Guest User   Status Enabled Enabled Access Policies HTTP TLV Caching Checked Checked   RADIUS Profiling Checked Checked   DHCP TLV Caching Checked Checked   VLAN/VLAN Group Guest User   URL Filters (Pre Auth)   BYOD-URL-Filter Advanced Allow AAA Override Checked Checked   NAC State Checked Checked   Accounting List default default Click Save & Apply to Device   Step 8: Create Policy Tag Go to Configuration > Tags & Profiles > Tags, under Policy Click Add Enter Name: ISE Enabled Within the 'ISE Enabled' Tag window, click Add to map following WLANs to matching policy profiles. This ties the WLAN to the respective Policy Profile. WLAN Profile Policy Profile OPEN Guest SECURE User Click Save & Apply to Device   Step 9: Assign Policy Tag to AP Finally, apply the tag to the AP. This section shows instructions on tying it to a single AP. Using Advanced Wireless Setup Wizard on C9800, same tag can be applied to multiple APs at the same time. Go to Configuration > Wireless > Access Points Click on the AP Name or MAC address Under General > Tags, Select 'ISE Enabled' Click Update & Apply to Device   Step 10a: Create Redirect ACL for Guest flow Go to Configuration > Security > ACL, Click Add Use ACL Name: ACL_WEBAUTH_REDIRECT For ACL Type, select IPv4 Extended Enter following rules in the ACL for Guest only access redirect ACL Sequence Action Source IP Destination IP Protocol Source Port Destination Port 10 deny any 192.168.201.93 tcp   eq 8443 20 deny any 192.168.201.71 udp   eq domain (53) 30 permit any any tcp   eq www (80) Click Save & Apply to Device   Step 10b: Create Redirect ACL for BYOD flow Enter following rules in the ACL for Guest and BYOD (Sequence 20 is needed for any endpoints using Network Setup Assistant for BYOD) Sequence Action Source IP Destination IP Protocol Source Port Destination Port 10 deny any 192.168.201.93 tcp   eq 8443 20 deny any 192.168.201.93 tcp   eq 8905 30 deny any 192.168.201.71 udp   eq domain (53) 40 permit any any tcp   eq www (80) Click Save & Apply to Device   Step 11a: Create URL Filter for BYOD flow Unlike AireOS which allows DNS entries to be part of redirect ACL, separate URL filter have to be created and be called upon via RADIUS attribute from ISE to permit access to Internet hosts using FQDNs. Go to Configuration > Security > URL Filters, Click Add Add URL Filter using following table (Example here is to allow access to Google Play store for BYOD): Name BYOD-URL-Filter Type PRE-AUTH Action Permit URLs *.google.com accounts.youtube.com gstatic.com *.googleapis.com *.appspot.com ggpht.com gvt1.com market.android.com android.pool.ntp.org *.googleusercontent.com *.google-analytics.com Note: The PRE-AUTH URL filter always works as if the 'Action' is Permit regardless of whether it is setup as Permit or Deny. Click Save & Apply to Device   Step 11b: Create URL Filter for Social Network Guest access - Facebook Go to Configuration > Security > URL Filters, Click Add Add URL Filter using following table (Example here is to allow access to Facebook OAUTH2 login for Guest access): Name Guest-URL-Filter Type PRE-AUTH Action Permit URLs *.facebook.com *.akamai.com *.fbcdn.net *.akamaihd.net Click Save & Apply to Device   ISE Configuration Authorization Profile with URL Filter Policy Setup on ISE is identical to the one for AireOS controller aside from the URL ACL that needs to be defined as separate RADIUS attribute. This is done by sending Cisco VSA "url-filter-preauth={URL_Filter_Name}". Here is an example of ISE Authorization profile for BYOD that allows Android devices to access the Google play store using the pre-auth URL filter defined above. Note the Cisco AV pair defined in the 'Advanced Attribute Settings' section.   Authorization Profile with dACL using AAA 'Method-List' Cisco VSA As noted above in AAA section, to support dACL, authorization method list name should be set as 'default'. Alternatively, you can choose to use other names for authorization method list, however, doing so requires specifying authorization method list using RADIUS attribute. Here is an example of applying dACL by sending down authorization method list 'ISE-AUTHZ' within the ISE authorization profile. Note that the Cisco VSA 'Method-List' is case sensitive.     For rest of the ISE configuration, please use following guide for rest of the ISE configurations: Guest: https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475 BYOD: https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867 Posture: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273   Catalyst 9800 Configuration for FlexConnect Local switching This section describes additional configuration needed to configure the WLAN as FlexConnect Local switching and integrate it with ISE. This section will utilize existing configurations made above.   Modify Policy Profile Go to Configuration > Tags & Profiles > Policy, Click profile name that maps to the WLAN to change to local switching Under WLAN Switching Policy section, uncheck Central Switching Click Update & Apply to Device Repeat above steps for other policy profiles that maps to the WLANs to be converted to local switching   Create Flex Profile Go to Configuration > Tags & Profiles > Flex, Click Add Add Flex Profile using following table General Name Flex   Policy ACL ACL Name ACL_WEBAUTH_REDIRECT     Central WebAuth Checked     Pre Auth URL Filter (If this is for BYOD, select BYOD-URL-Filter, else blank)   VLAN VLAN Name User Guest   VLAN Id 10 30 Note: When 'Central WebAuth' is checked, the C9800 automatically creates a Flex ACL that is in reverse of selected redirect  ACL. The permit statements are changed to deny and deny statements are changed to permit. This is due to differences between the two redirect ACL types and slight modification is needed on the ACL to make it work with FlexConnect mode. This option should only be checked for ACL that is going to be used for redirect purpose and for post-authentication ACL, this option should not be checked. See ACL section below for more information. Click Save & Apply to Device   Create Site Tag Go to Configuration > Tags & Profiles > Tags, Click Site, Click Add Add Site Tag using following table Name Branch Flex Profile Flex Enable Local Site Unchecked Note: Unchecking 'Enable Local Site' will reveal Flex Profile option Click Save & Apply to Device   Assign Site Tag to AP Go to Configuration > Wireless > Access Points Click on the AP Name or MAC address Under General > Tags > Site, Select 'Branch' Click Update & Apply to Device Note: The AP will disconnect for few minutes and when reconnected to the controller, it will be in FlexConnect mode   Modify Redirect ACL When ACL is translated to the FlexConnect ACL, it requires return traffic to be allowed for it to work. If deny is missing for return traffic the endpoint in Central_WebAuth state will not be able to finish the redirect flow. Following changes to the existing ACL will make ACL wotk for both local mode and FlexConnect mode. Go to Configuration > Security > ACL, Click ACL name ACL_WEBAUTH_REDIRECT For any deny statement ensure that deny ACE entry is added for return traffic. See sequence 11 & 12 for example: Sequence Action Source IP Destination IP Protocol Source Port Destination Port 10 deny any 192.168.201.93 tcp   eq 8443 11 deny 192.168.201.93 any tcp eq 8443   20 deny any 192.168.201.71 udp   eq domain (53) 21 deny 192.168.201.71 any udp eq domain (53)   20 permit any any tcp   eq www (80) Click Update & Apply to Device   Troubleshooting For more information on the C9800/ISE integration and troubleshooting, please go to: https://www.cisco.com/c/en/us/support/wireless/catalyst-9800-series-wireless-controllers/products-configuration-examples-list.html       ... View more

Working HPE-ArubaOS switch 2920 running 16.02 with matching ISE configuration. This leverages dynamic URL redirect feature on the NAD. This requires matching NAD profile. See the ISE Third-Party NAD Profiles document for additional NAD configurations and profiles. ... View more

Profile is for HPE_ArubaOS switch that supports dynamic URL redirect, tested with 2920 running16.02. Matching configuration can be found here. Also, see the ISE Third-Party NAD Profiles and Configs document for additional NAD profiles. ... View more

This is list of resources related to using Chromebook on ISE enabled network. Single-Sign-On using 802.1X: Using ChromeOS v66 and above, Chromebook can be configured to reuse login credential for 802.1X authentication. This document describes the steps to configure G-Suite for 802.1X SSO Single-Sign-On using SAML: Using ISE Guest feature with SAML, ISE can map Google user account information to the session on network device even using OPEN or PSK WLAN. This is useful to gain visibility of Google users on the network. ISE BYOD for Chromebook: Using the Native Supplicant Provisioning Wizard Chrome Extension, ISE can issue signed digital certificate to the Chromebook for network authentication. ... View more

This guide is intended to provide technical guidance to design, deploy and operate Cisco Identity Services Engine (ISE) for Bring Your Own Device (BYOD). Special focus will be on the Cisco Unified Wireless Networks controller configurations to handle two BYOD deployment flow; Single-SSID BYOD and Dual-SSID BYOD. The document provides best practice configurations for a typical environment for BYOD use case. ... View more

Introduction On Windows OS native supplicant, there is a setting that reads ‘Automatically use my Windows logon name and password (and domain if any)’. This setting allows OS to reuse PC login credential for 802.1X authentication to gain network access, thus saving user from having to login twice using same credentials for both the PC and the network. This was not possible on Google Chromebook prior to OS v66 so as a workaround SAML was used to gather user identity instead as documented in Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks. Google Chrome OS v66 introduced a new feature where user can SSO to the network using Google login credentials. Previously, when the network requires 802.1X authentication, the Chromebook user had to sign-in to the Chromebook using Google account and then connect to the network by providing credentials which may or may not be identical to the Chromebook sign-in credential. With the new feature on v66, domain admin can configure enrolled Chromebooks with WiFi settings, where it can reuse Chromebook sign-in credential for network login automatically. This requires the authentication server, typically a RADIUS server to be able to authenticate using the Google account which is not possible with ISE today. As a workaround, customer can synchronize accounts to Google domain from an on-prem AD server that ISE can authenticate with. The setup is shown in the following diagram: Google domain account is synchronized with local AD using GCDS (Google Cloud Directory Sync) and subsequently GSPS (G-Suite Password Sync) can be used to synchronize password from AD to Google-Suite Since ISE cannot authenticate directly with G-Suite, ISE will interface with local AD WLC (NAD) is configured to use ISE as RADIUS server Chromebook gets initial network access Chromebook is enrolled to the Google Cloud and gets WiFi settings which is configured to use same credential for network access Chormebook authenticates using sign-in account which is sent to ISE, ISE authorizes user for full network access Caveats Please note that this document only goes over the necessary settings on G-Suite. The document expects that G-Suite is already setup to synchronize with local AD via GCDS/GSPS. Test Chromebook is already enrolled to the G-Suite. Underlying Wireless network is already configured for 802.1X with ISE. Unlike Windows OS, Chromebook supplicant cannot be setup to perform network authentication before login. Which means the Chromebook has to be on the network where it can communicate with G-Suite to authenticate the user prior to user based network access. This can be done by allowing Chromebook to connect to OPEN network (Guest SSID for example) when there are no G-Suite managed user connected. The other option is to use service account that connects to SECURED network prior to user login. In the case of using service account, different ACL can be applied to service account access so it only has access to the Google resources until a valid user logs in. In this document, we will use second example where a service account is used to provide initial access to the network so a subsequent user authentication can occur without issues. Configuration ISE & G-Suite: Export ISE EAP identity certificate and import into G-Suite Note: Steps 1 - 10 is not required if the ISE EAP identity certificate is already generated as 2048 key length and SHA-256 digest. Logon to the ISE GUI Go to Administration > System > Certificates > Certificate Management > System Certificates Click on Generate Self Signed Certificate Select DNS Name for ’Subject Alternative Name (SAN)’ and enter the ISE host name in the box Select 2048 for Key length and SHA-256 for Digest to Sign With Check Portal: Use for Portal Select ‘Default Portal Certificate Group’ Click Submit Select Yes when prompted to replace existing certificate ISE node will be restarted to use the new certificate Once ISE is back up, login to the Admin GUI Go to Administration > System > Certificates > Certificate Management > System Certificates Check the certificate that is shown as used by ‘Portal’ and click 'Export' Leave setting as ‘Export Certificate Only’ and Click Export Save it to the local drive. We will import this certificate into the Google Suite Logon to the Google Suite account as a google admin user Go to Device Management > Device Settings > Network Click Certificates Click Add Certificate Select the one exported from ISE in the step above Check 'Use this certificate as an HTTPS certificate authority' check box Click Save G-Suite: Initial Wi-Fi profile Create Initial Wi-Fi profile so Chromebook is connected to the G-Suite prior to user login. This step can be modified to open SSID instead if such SSID allows access to G-Suite resources. Logon to the Google Suite account as a google admin user From Home, click on ‘Device Management’ On the left, click ‘Networks’ Click ‘Wi-Fi’ Click ‘Add Wi-Fi’ Enter Following information: Setting Value Name SECURED-PRE Service set identifier (SSID) SECURED Automatically connect Checked Security type WPA/WPA2 Enterprise (802.1X) Extensible Authentication Protocol PEAP Inner Protocol MS-CHAP v2 Outer identity PreAuth Username Service account setup for preauth access. This could be G-Suite account or AD/Internal account Password Service account password Server Certificate Authority ISE EAP Identity Certificate previously imported Restrict access to this Wi-Fi network by platform Chromebooks Apply network by device Click APPLY G-Suite: User Wi-Fi profile Create user Wi-Fi profile. This will be used for anyone logging in to the Chromebook. Click ‘Add Wi-Fi’ Enter Following information: Setting Value Name SECURED-USER Service set identifier (SSID) SECURED Automatically connect Checked Security Type WPA/WPA2 Enterprise (802.1X) Extensible Authentication Protocol PEAP Inner Protocol MS-CHAP v2 Outer identity OuterID Username ${LOGIN_ID} Password ${PASSWORD} Server Certificate Authority ISE EAP Identity Certificate previously imported Restrict access to this Wi-Fi network by platform Chromebooks Apply network by user Click APPLY then SAVE ... View more