Tech-Talk: Deploying Cisco Secure Bring your Own Device (BYOD) Solution


The Community Tech-Talk series is designed to bring technical experts from Cisco to share their insights on specific topics, chosen based on the most common conversation themes in our technology area of the Support Communities.

I am Brahadesh Srinivasaraghavan, an HTTS Engineer with the Cisco High Touch Technical Support (HTTS) Wireless team. Together with Gautam Bhagwandas from the HTTS Security team and Dhiresh Yadav from the HTTS Wireless team, I have created this blog in an effort to simplify and explain the configuration steps involved in deploying a Bring Your Own Device (BYOD) solution for your corporate wireless network.

We have created two videos (part 1 and part 2) and a detailed presentation in which we demonstrate and walk through the configuration steps. We have also attached several short videos that break down specific configuration steps, so that you can jump directly to a particular part. The blog is marked with the video and run time for each step in both videos (part 1 and part 2).

Let's get started. Here is a breakdown of the items we plan to cover in this blog.

  1. Getting started.

Bring Your Own Device (BYOD) continues to be one of the most influential trends reshaping the landscape of the mobile enterprise and the evolution of IT organizations. The influx of powerful mobile devices into the workplace is changing how users access and consume enterprise resources. IT managers are establishing policies with BYOD access as the norm rather than the exception due to increasing demands from employees and executives who embrace this megatrend. Enterprises are beginning to see BYOD as an opportunity rather than a challenge. There is no longer any doubt that enterprise IT departments are adapting to mobile devices (smartphones, tablets, laptops, etc.) in the corporate workplace to meet user expectations and leverage new technologies to boost worker productivity.

IT needs to balance productivity with security and coordinate business justification with the various line-of-business (LOB) owners to implement BYOD programs within an enterprise. On one hand, employees are demanding access from devices not only within the corporation, but also beyond the firewall. On the other hand, risk management dictates that corporate data must remain protected.

The Cisco BYOD Smart Solution delivers a unified workspace that increases workforce productivity with high quality collaboration on any device, anywhere. Cisco BYOD Smart Solution is a complete, yet flexible and secure BYOD solution that one can easily tailor to meet an enterprise’s needs.

  2. Components involved.

The main components involved in successfully implementing a BYOD solution in your network are the following:

  • Cisco Wireless LAN infrastructure, consisting of either:
      - Cisco Unified Network Wireless LAN Controller models 5500, WiSM2, 7500 and 8500, or
      - Cisco Converged Access Wireless LAN Controller models 3850 and 5760
  • Cisco Identity Services Engine.
  • Certificate Authority infrastructure.

The figure below represents a high-level view of the components involved in the deployment.

  3. Deployment Scenarios

In this tech talk we will specifically look at two practical and commonly used deployment practices of the Cisco BYOD solution in a corporate environment where employees are allowed to bring their own devices.

1. Dual SSID configuration

(a) Topology or logical representation

(b) Use Case:

The onboarding SSID, named Onboarding, can be either open or password protected. When the Onboarding SSID is open, any user can connect to it, whereas if it is password protected, only users that have credentials, such as AD group membership, are allowed to connect. In this tech talk, the Onboarding SSID is configured to be password protected and its only purpose is to provide onboarding services.

After the device is successfully onboarded, it is assumed that the user will switch to the Employee SSID MyCorpProvision, configured with 802.1X EAP-TLS security, for regular network access. To prevent the user from staying connected to the Onboarding SSID, an access list that permits access only to ISE, DHCP and DNS must be enforced on the Onboarding SSID. The details of the ACL_Provisioning_Redirect ACL are shown in the Wireless LAN Controller, ACL and ISE Authorization Profile configuration sections of the video and of the PowerPoint presentation attached.
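The post leaves the exact contents of ACL_Provisioning_Redirect to the video, so the following is an added example (not the post's or Cisco's own configuration) that models the intent of that ACL in Python: a first-match rule list that permits only DHCP, DNS and the ISE Policy Service Node, and denies everything else, so a client parked on the Onboarding SSID cannot reach the rest of the network. The ISE and DNS addresses, the ISE portal ports (8443, 8905) and the client address are constructed for the example; a real WLC ACL also needs direction and return-traffic entries, which this model omits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab addresses (assumptions, not from the original post).
ISE_PSN = "10.10.10.5"       # assumed ISE Policy Service Node
DNS_SERVER = "10.10.10.53"   # assumed corporate DNS server
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    """Single-host network for a destination entry."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Flow:
    src: str      # client address
    dst: str      # destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "udp", "tcp" or "any"
    dst: ipaddress.IPv4Network          # destination network
    dport: Optional[int] = None         # None means any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


# Modelled onboarding ACL. DHCP (67/68) and DNS (53) are standard ports;
# the ISE portal ports 8443 and 8905 are assumed for this example.
ACL_PROVISIONING_REDIRECT = [
    Rule("permit", "udp", ANY, 67, "DHCP discover/request to server"),
    Rule("permit", "udp", ANY, 68, "DHCP offer/ack back to client"),
    Rule("permit", "udp", host(DNS_SERVER), 53, "DNS"),
    Rule("permit", "tcp", host(ISE_PSN), 8443, "ISE guest / device registration portal"),
    Rule("permit", "tcp", host(ISE_PSN), 8905, "ISE provisioning"),
    Rule("deny", "any", ANY, None, "everything else stays blocked on Onboarding"),
]


def evaluate(acl, flow: Flow) -> str:
    """First matching rule wins, as on the WLC; implicit deny at the end."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


def audit(acl, flows):
    """Return {flow: action} so a rule set can be checked against sample traffic."""
    return {flow: evaluate(acl, flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows from a client parked on the Onboarding SSID.
    samples = [
        Flow("10.20.0.7", "255.255.255.255", "udp", 67),   # DHCP broadcast
        Flow("10.20.0.7", DNS_SERVER, "udp", 53),          # DNS lookup
        Flow("10.20.0.7", ISE_PSN, "tcp", 8443),           # redirected portal
        Flow("10.20.0.7", "172.16.1.10", "tcp", 443),      # internal web server
        Flow("10.20.0.7", ISE_PSN, "tcp", 22),             # SSH to ISE itself
    ]
    for flow, action in audit(ACL_PROVISIONING_REDIRECT, samples).items():
        print(f"{action:6} {flow.proto}/{flow.dport:<5} -> {flow.dst}")
```

The last two sample flows are the check worth keeping in mind: a permit rule scoped to the ISE host must still be limited to the portal ports, otherwise the onboarding ACL turns into a general path to the policy node.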

(c) Work Flow

1. The customer network is set up with two SSIDs: an open Onboarding SSID (Onboarding) and a second SSID for secure corporate access (MyCorpProvision).

2. Employee associates to Onboarding SSID (Onboarding).

3. The employee opens a browser and is redirected to the Cisco ISE CWA (Central Web Auth) guest portal.

4. The employee enters their corporate username and password in the standard guest portal.

5. Cisco ISE authenticates the user against the corporate Active Directory or other corporate identity store and provides an authorization policy of accept with redirect to the Employee Device Registration Portal.

6. The device MAC address is pre-populated in the Device Registration Portal as the Device ID; the employee can enter an optional description and then accept the Acceptable Use Policy (if required).

7. The employee selects accept and begins downloading and installing the supplicant provisioning wizard.

8. Using OTA, the Cisco ISE Policy Services Node sends a new profile to the client, including the issued certificate (if configured) embedded with the client's MAC address and the employee's AD username, as well as a Wi-Fi supplicant profile that enforces the use of EAP-TLS for 802.1X authentication.

9. The client is now configured to associate to the corporate wireless network using EAP-TLS for authentication, and the Cisco ISE authorization policy will use the attributes in the certificate to enforce network access.

10. Cisco ISE initiates a Change of Authorization (CoA) and the employee re-associates (in the dual-SSID case the employee has to manually connect to the corporate/employee SSID) and authenticates via EAP-TLS.


2. Single SSID configuration

(a) Topology or logical representation.

(b) Use Case:

In a Single SSID mode of deployment, there is only one SSID in place, where the employee will login based on Dot1x credentials and will later move into a more secure method of connection using EAP-TLS. During the process the SSID does not change and the client will automatically reconnect to the same SSID after being provisioned.

(c) Work Flow:

1. The customer network is set up with a single SSID (MyCorpProvision) for secure corporate access that supports both PEAP and EAP-TLS (when using certificates).

2. The employee associates to the corporate SSID (MyCorpProvision).

3. The employee enters their employee username and password into the supplicant for PEAP authentication.

4. Cisco ISE authenticates the user against the corporate Active Directory or other corporate Identity Stores, provides an authorization policy of accept with redirect to the Employee Device Registration Portal.

5. Employee opens a browser and is redirected to the Employee Device Registration Portal.

6. The device MAC address is pre-populated in the Device Registration Portal as the Device ID; the employee can enter an optional description and then accept the Acceptable Use Policy (if required).

7. The employee selects accept and begins downloading and installing the supplicant provisioning wizard.

8. Using OTA, the Cisco ISE Policy Services Node sends a new profile to the client that lets the client generate a CSR with specific attributes set and submit it to ISE instead of the CA (since ISE acts as a SCEP proxy). In return, the client gets the issued certificate signed by the CA, wherein the username typed in the guest portal becomes the common name on the certificate and the MAC address is embedded in the certificate under the SAN (Subject Alternative Name) attribute. The Wi-Fi supplicant profile enforces the use of EAP-TLS for 802.1X authentication. This step in the BYOD flow is critical because it becomes a prerequisite for the client to connect to the second SSID. It also highlights the value of BYOD in making certificate deployment seamless and almost a zero-touch configuration step on the supplicant. Without the automated supplicant provisioning process, deploying certificates on clients that required EAP-TLS authentication was quite cumbersome.

9. The client is now configured to associate to the corporate wireless network using EAP-TLS, and ISE can enforce network access using its conventional authorization policies (dACL, Airespace ACL, VLAN, etc.).

10. Cisco ISE initiates a Change Of Authorization (CoA), employee re-associates to the SSID and Authenticates via EAP-TLS.
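Steps 8 and 9 of both workflows rest on the same idea: the certificate carries the employee's username as the common name and the device MAC in the SAN, and the ISE authorization policy uses those attributes to decide access. The following added example (my own illustration, not the post's or Cisco's code) models that decision in Python. It checks that the session is EAP-TLS, that the certificate comes from the corporate CA and is not revoked, that the SAN MAC matches the MAC the WLC reports in RADIUS Calling-Station-Id (which is how a certificate copied to another device gets rejected), and that the user is in the expected AD group, before handing back the Airespace ACL and VLAN. The issuer name, group name, ACL name and VLAN number are constructed for the example, and the SAN-to-Calling-Station-Id comparison is stated here as an assumption about how such a policy is typically built, since the post only says the policy uses the certificate attributes.

```python
import re
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed policy constants (assumptions, not from the original post).
TRUSTED_CA_ISSUER = "CN=CorpRootCA"      # assumed corporate CA subject
EMPLOYEE_GROUP = "Domain Users"          # assumed AD group for employees
EMPLOYEE_ACL = "ACL_Employee_Full"       # assumed Airespace ACL name
EMPLOYEE_VLAN = 20                       # assumed employee VLAN

_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalize 'aa:bb:cc:dd:ee:ff', 'AA-BB-...', or 'aabb.ccdd.eeff' to 'AABBCCDDEEFF'.

    The WLC, the supplicant and the CA may each format the MAC differently,
    so the comparison must be done on a canonical form.
    """
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _MAC_HEX.match(cleaned):
        raise ValueError(f"not a MAC address: {raw!r}")
    return cleaned


@dataclass(frozen=True)
class ClientCert:
    common_name: str   # employee username written into the CSR by the wizard
    san_mac: str       # device MAC placed in the Subject Alternative Name
    issuer: str        # subject of the signing CA
    revoked: bool = False


@dataclass(frozen=True)
class AccessRequest:
    eap_method: str                      # "EAP-TLS" or "PEAP"
    calling_station_id: str              # client MAC as reported by the WLC
    cert: Optional[ClientCert] = None    # present only for EAP-TLS
    ad_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Decision:
    result: str                          # "accept" or "reject"
    reason: str
    airespace_acl: Optional[str] = None
    vlan: Optional[int] = None


def authorize(req: AccessRequest) -> Decision:
    """Model of the employee-SSID authorization rule after onboarding."""
    if req.eap_method != "EAP-TLS" or req.cert is None:
        return Decision("reject", "EAP-TLS client certificate required on employee SSID")
    cert = req.cert
    if cert.issuer != TRUSTED_CA_ISSUER:
        return Decision("reject", "certificate not issued by the corporate CA")
    if cert.revoked:
        return Decision("reject", "certificate revoked")
    # Bind the certificate to the device that presents it.
    if normalize_mac(cert.san_mac) != normalize_mac(req.calling_station_id):
        return Decision("reject", "certificate SAN MAC does not match Calling-Station-Id")
    if EMPLOYEE_GROUP not in req.ad_groups:
        return Decision("reject", f"{cert.common_name} is not a member of {EMPLOYEE_GROUP}")
    return Decision("accept", f"registered device of {cert.common_name}",
                    airespace_acl=EMPLOYEE_ACL, vlan=EMPLOYEE_VLAN)


if __name__ == "__main__":
    # Constructed sample: a certificate issued during onboarding.
    cert = ClientCert("jdoe", "00:11:22:33:44:55", TRUSTED_CA_ISSUER)
    groups = frozenset({"Domain Users"})
    print(authorize(AccessRequest("EAP-TLS", "00-11-22-33-44-55", cert, groups)))
    print(authorize(AccessRequest("EAP-TLS", "66-77-88-99-AA-BB", cert, groups)))
    print(authorize(AccessRequest("PEAP", "00-11-22-33-44-55", None, groups)))
```

The second sample is the case a practitioner wants to verify in the lab: the same valid certificate presented from a different MAC is refused, which is what makes the SAN binding worth more than a plain "certificate is valid" check.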

  4. Configuration.

Configuration can be logically divided into the following sections:

  1. Configuration of Microsoft Windows Certificate Authority.
  2. Configuration of Microsoft Active Directory and DNS servers.
  3. Configuration of Identity Services Engine.
  4. Configuration of Wireless LAN Controller.

Since this Tech Talk is focused on the configuration of the primary components involved, each of these sections is described in detail in both the video and the presentation attached. We have tried to keep the sequence of configuration in the order described above.

  5. Troubleshooting

(a) Troubleshooting the Microsoft CA Server:

If a Microsoft CA server is used, navigate to Administrator > Event Viewer > Server Roles > Active Directory CA Server and look for any errors.


(b) Troubleshooting the Identity Services Engine:

ISE provides extensive troubleshooting information under Operations > Authentications.

(c) Troubleshooting the Wireless LAN Controller:

On the WLC, the following commands can be used to troubleshoot the workflow, client connectivity and authentication issues:

                debug client <MAC address of client>    (filters the subsequent debugs to this client MAC)

                debug aaa events all

The videos include a troubleshooting demonstration in which the above sections are covered in more detail.

We hope you have found the tech-talk videos (Part 1 and Part 2), this blog and the presentation informative, and would like to thank you for viewing.
