The Community Tech-Talk series is designed to bring technical experts from Cisco to share their insights on specific topics, selectively chosen based on the most common conversation themes in our technology area of the Support Communities.
I am Brahadesh Srinivasaraghavan, an HTTS Engineer with the Cisco High Touch Technical Support (HTTS) Wireless team. Gautam Bhagwandas (HTTS Security), Dhiresh Yadav (HTTS Wireless) and I have created this blog in an effort to simplify and explain the configuration steps involved in deploying a Bring Your Own Device (BYOD) solution for your corporate wireless network.
We have created two videos (part 1 and part 2) and a detailed presentation in which we demonstrate and go over the configuration steps. We have also attached several short videos that break down specific configuration steps, to make it simpler to zoom directly into a certain part. Throughout the blog we mark the video (part 1 or part 2) and the run time at which each step is shown.
Let's get started. Here is a breakdown of the items we plan to cover in this blog.
Bring Your Own Device (BYOD) continues to be one of the most influential trends reshaping the landscape of the mobile enterprise and the evolution of IT organizations. The influx of powerful mobile devices into the workplace is changing how users access and consume enterprise resources. IT managers are establishing policies with BYOD access as the norm rather than the exception due to increasing demands from employees and executives who embrace this megatrend. Enterprises are beginning to see BYOD as an opportunity rather than a challenge. There is no longer any doubt that enterprise IT departments are adapting to mobile devices (smartphones, tablets, laptops, etc.) in the corporate workplace to meet user expectations and leverage new technologies to boost worker productivity.
IT needs to balance productivity with security and coordinate the business justification with the various line-of-business (LOB) owners to implement BYOD programs within an enterprise. On one hand, employees are demanding access from devices not only within the corporation but also beyond the firewall. On the other hand, risk management dictates that corporate data must remain protected.
The Cisco BYOD Smart Solution delivers a unified workspace that increases workforce productivity with high quality collaboration on any device, anywhere. Cisco BYOD Smart Solution is a complete, yet flexible and secure BYOD solution that one can easily tailor to meet an enterprise’s needs.
The main components involved in successfully implementing a BYOD solution in your network are the following:
Cisco Unified Wireless Network Wireless LAN Controller, models 5500, WiSM2, 7500 and 8500
Cisco Converged Access Wireless LAN Controller, models 3850 and 5760
The figure below represents a high-level view of the components involved in the deployment.
In this tech talk we will specifically look at two practical and commonly used deployment practices of the Cisco BYOD solution in a corporate environment where employees are allowed to bring their own devices.
1. Dual SSID config
(a) Topology or logical representation
The onboarding SSID, named Onboarding, can be either open or password protected. When the Onboarding SSID is open, any user can connect to it, whereas if it is password protected, only users that have credentials, such as AD group membership, are allowed to connect. In this tech talk, the Onboarding SSID is configured to be password protected and its only purpose is to provide onboarding services.
After the device is successfully onboarded, it is assumed that the user will switch to the Employee SSID MyCorpProvision, configured with DOT1X EAP-TLS security, for regular network access. To prevent the user from staying connected to the Onboarding SSID, an access list that permits access only to ISE, DHCP and DNS must be enforced on the Onboarding SSID. The details of the ACL_Provisioning_Redirect ACL are shown in the Wireless LAN Controller, ACL and ISE Authorization Profile configuration sections of the video and of the attached PowerPoint presentation.
1. Customer network is set up with 2 SSIDs: one that is OPEN for onboarding (SSID: Onboarding) and the other for secure corporate access (SSID: MyCorpProvision).
2. Employee associates to the Onboarding SSID (Onboarding).
3. Employee opens a browser and is redirected to the Cisco ISE CWA (Central Web Auth) Guest portal.
4. Employee enters their corporate username and password in the standard Guest portal.
5. Cisco ISE authenticates the user against the corporate Active Directory or other corporate identity store and provides an authorization policy of accept with redirect to the Employee Device Registration Portal.
6. The device MAC address is pre-populated in the Device Registration Portal as the Device ID; the employee can enter an optional description and then accept the Acceptable Use Policy (if required).
7. Employee selects accept and begins downloading and installing the supplicant provisioning wizard.
8. Using OTA, the Cisco ISE Policy Services Node sends a new profile to the client, including the issued certificate (if configured), embedded with the client's MAC address and the employee's AD username, as well as a Wi-Fi supplicant profile that enforces the use of EAP-TLS for 802.1X authentication.
9. The client is now configured to associate to the corporate wireless network using EAP-TLS for authentication, and the Cisco ISE authorization policy will use the attributes in the certificate to enforce network access.
10. Cisco ISE initiates a Change of Authorization (CoA); the employee re-associates (in dual-SSID mode the employee has to manually connect to the corporate/employee SSID) and authenticates via EAP-TLS.
2. Single SSID config
(a) Topology or logical representation
In a single SSID mode of deployment there is only one SSID, where the employee first logs in with Dot1x credentials and later moves to the more secure EAP-TLS connection method. During the process the SSID does not change, and the client automatically reconnects to the same SSID after being provisioned.
1. Customer network is set up with a single SSID (MyCorpProvision) for secure corporate access that supports both PEAP and EAP-TLS (when using certificates).
2. Employee associates to the corporate SSID (MyCorpProvision).
3. Employee enters their employee username and password into the supplicant for the PEAP authentication.
4. Cisco ISE authenticates the user against the corporate Active Directory or other corporate identity stores and provides an authorization policy of accept with redirect to the Employee Device Registration Portal.
5. Employee opens a browser and is redirected to the Employee Device Registration Portal.
6. The device MAC address is pre-populated in the Device Registration Portal as the Device ID; the employee can enter an optional description and then accept the Acceptable Use Policy (if required).
7. Employee selects accept and begins downloading and installing the supplicant provisioning wizard.
8. Using OTA, the Cisco ISE Policy Services Node sends a new profile to the client that lets the client generate a CSR with specific attributes set and submit it to ISE instead of the CA (since ISE acts as a SCEP proxy). In return, the client gets the issued certificate signed by the CA, wherein the username typed in the guest portal becomes the common name on the certificate and the MAC address is embedded in the certificate under the SAN (Subject Alternative Name) attribute. The Wi-Fi supplicant profile enforces the use of EAP-TLS for 802.1X authentication. This step in the BYOD flow is critical because it is a prerequisite for the client to connect to the second SSID. This step also highlights the value of BYOD in making certificate deployment seamless, almost a zero-touch configuration step on the supplicant. Before the automated supplicant provisioning process existed, it was quite cumbersome to deploy certificates on clients that required EAP-TLS authentication.
9. The client is now configured to associate to the corporate wireless network using EAP-TLS, and ISE can enforce network access using its conventional authorization policies (DACL, Airespace-ACL, VLAN, etc.).
10. Cisco ISE initiates a Change of Authorization (CoA); the employee re-associates to the SSID and authenticates via EAP-TLS.
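Steps 8 and 9 of both flows rest on one idea: the issued certificate binds the employee's AD username (CN) to the device MAC (SAN), and ISE checks those attributes before granting access. The Go program below is added here as an illustration and is not code from Cisco ISE or from this tech talk; it models that binding with a constructed throwaway CA, where issue() plays the CA/SCEP-proxy side of step 8 and authorize() plays the ISE authorization check of step 9. The lowercase hyphenated SAN spelling of the MAC and the Calling-Station-Id format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// sanMAC is the SAN spelling assumed here for a MAC (lowercase, hyphenated); real ISE templates may differ.
func sanMAC(mac string) string { return strings.ToLower(strings.ReplaceAll(mac, ":", "-")) }

// issue returns a self-signed CA when parent == nil (constructed for this example), otherwise the step-8 device certificate (CN=username, SAN=MAC).
func issue(cn, mac string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a real device's key never leaves the device
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{sanMAC(mac)} // the MAC binding that ISE later checks
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above is well formed
	return cert, key
}

// authorize is the step-9 ISE check: the EAP-TLS certificate must chain to the corporate CA and its SAN MAC must equal the session's Calling-Station-Id.
func authorize(cert, ca *x509.Certificate, callingStationID string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false // untrusted issuer, expired, or not a client certificate
	}
	for _, san := range cert.DNSNames {
		if san == sanMAC(callingStationID) {
			return true
		}
	}
	return false // genuine certificate, but issued to a different device
}
```

A certificate copied to another device therefore fails the MAC check even though its signature is valid, which is what makes the SAN binding worth enforcing in the authorization policy.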
Configuration can be logically divided into the following sections.
Since this Tech Talk is focused on the configuration of the primary components involved, each of these sections is described in detail in both the video and the attached presentation. We have tried to keep the configuration sequence in the order described above.
(a) T/S Microsoft CA Server:
If a Microsoft CA server is used, you can navigate to Administrator > Event Viewer > Server Roles > Active Directory CA Server and look for any errors.
(b) T/S Identity Services Engine:
ISE provides extensive troubleshooting information in Operations > Authentications.
(c) T/S Wireless LAN Controller:
On the WLC, the following commands can be used to troubleshoot the workflow, client connectivity and authentication issues:
debug client <MAC address of client> (this filters the subsequent debugs to that client MAC address)
debug aaa events all
The videos include a troubleshooting demonstration in which the above sections are shown in more detail.