09-21-2012 11:12 AM - edited 07-03-2021 10:42 PM
With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is a reality.
Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
09-21-2012 01:53 PM
I think the ISE is excellent, however I think there is a real need to get some documentation on Wireless scenarios.
Some of the documentation is written around ISE code 1.0 and WLC code 7.0; other documentation is written around ISE 1.1.1 and code 7.2. The ISE is really starting to come in now and we have two different configurations due to the CoA availability in code 7.2.
I intend to play with ISE this weekend and look at CWA, LWA and 802.1x. It looks like the MIDAS doc may be really good but not worked through it yet.
09-22-2012 02:29 PM
Some questions
1) Is there a good walkthrough explaining the different mechanisms working together in ISE and WLC?
Things like whitepapers and example configurations of setups?
2) Are there any plans on setting in SMS 2-factor authentication support in the ISE?
(It's a problem and nuisance to have several different TACACS servers when it should suffice with one.)
3) Are there any good references covering BYOD and the different pitfalls such as legal requirements and responsibilities?
Regards
Hobbe
09-23-2012 04:46 PM
Hi Hobbe,
Yes, there are configuration documents with screenshots that show ISE and wireless integration. The link below is an example of such a document in accordance with the Cisco Validated Design program. When you say SMS 2-factor authentication, are you looking for out-of-band SMS authentication for PhoneFactor SMS?
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
09-25-2012 02:08 AM
Hi
Sorry for the delay in my response.
Thank you for the Link, there are some nice things in there.
Regarding SMS
Yes out of band communication.
What I am looking for in the ISE is a solution where I can connect my own SMS modem or a link to a web-based SMS service provider and send out the SMS directly from the ISE server.
Today we have to use another AAA solution.
So we have a Windows domain, Cisco ISE and a third-party AAA RADIUS server that connects the two, sending out SMS and so on.
Not an optimal solution, and it sometimes has problems.
It would be a much nicer and more streamlined setup if we could have the SMS functionality in the ISE instead of another AAA appliance.
Thank you for your response
Regards
Hobbe
09-25-2012 11:55 AM
Hobbe,
This is not supported by ISE today; however, if you send me your company name and business requirement I can reach out to my ISE business unit to follow up on this. Thanks
You can send the above info to my email address.
My email: jideji@cisco.com
09-24-2012 04:10 PM
A couple of other Wireless-specific resources for BYOD:
BYOD Deployment with WLC and ISE
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml
BYOD FlexConnect Deployment
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml
09-24-2012 04:20 PM
I agree, many of the more complete docs are v1.0 based, and the v1.1 and 1.1.1 updates are required to get the 'whole picture' at times. As you come across documents that have not been updated for the current versions or would be good candidates, be sure to fill out the Feedback section in the left margin - we read that information.
Thanks!
09-27-2012 11:23 AM
Hi Richard,
Could you please provide the links where we can deploy and configure ISE, TrustSec and SGT simultaneously?
Thanks,
Parvez
09-27-2012 01:32 PM
Hi Parvez,
In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
TrustSec Home Page
http://www.cisco.com/en/US/partner/netsol/ns1051/index.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/partner/solutions/ns170/ns896/ns1051/trustsec_matrix.html
The TS 2.1 Design Guides
DesignZone has some updated docs as well
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
09-27-2012 01:43 PM
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/partner/solutions/ns170/ns896/ns1051/trustsec_matrix.html
09-27-2012 02:05 PM
OOPS !!
I will repost the whole message with the correct external URLs:
In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
TrustSec Home Page
http://www.cisco.com/en/US/netsol/ns1051/index.html
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
The TS 2.1 Design Guides
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
DesignZone has some updated docs as well
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
09-26-2012 02:01 AM
We've got a variety of controller hardware the majority of which is WISM1s (10 WISM1s, 2 WISM2s and 2 5508s). Most of the information on BYOD that I've seen (including the two documents linked to in this discussion) are focused on the features of newer controllers.
What's the best way for us to do BYOD given that we've got to have a consistent approach across all controllers?
Thanks
09-26-2012 09:27 AM
Hi Martin,
There is an intersection of terms, features, and support at this point in time. Your question is a great one - and not one that can be answered definitively for all scenarios.
The BYOD industry buzzword has multiple meanings in the context it's used. The differentiators surround what features are possible in each scenario, and matching them to the requirements. As you see, Cisco has (in a way) drawn a line stating where our 'fullest-featured' BYOD wireless solution starts - WLC code 7.2.110.0 and ISE 1.1.1. Does this mean you can't do 'BYOD' unless you have these versions? Not at all - we've all been doing BYOD in some form since the first person dialed in to our networks. But the drivers now are the typical scenario where a user wants to bring their own mobile device, access our secure network(s) and/or Internet, and we want to be able to enforce security - device posture and access policies that match our security policies. As you move down in code, certain features and capabilities become unavailable.
Ok, so - to your question: the answer would be based on what features you require and topology. But in general, let's say you want it 'all' - self-service registration, client posture/remediation, profiling, etc. In that case, we want Central Webauth (CWA) with ISE 1.1.1, and the WLC needs to be running current code 7.2 or higher, supported on the 2504/5508/7500/8500/WISM2. Not all of your controllers support this code, so if you need a ubiquitous WLAN that spans the whole enterprise that we can 'BYOD-ize', local-mode auto-anchoring may be the way to go. In that scenario, 7.2+ capable WLC(s) would be the anchor controller (2504s don't support auto-anchor). All BYOD functions on behalf of the client between ISE and the WLAN would occur on that controller. This is a nutshell answer - bandwidth and other considerations would need to be taken into account. But in general, it's the idea.
For other scenarios that don't require every BYOD option, Local Webauth (LWA) using older code may work. The design guides we list above have a number of these. For your specific deployment, contact your partner or Cisco account team for an assessment - there are numerous options.
Thanks,
Richard
09-26-2012 10:11 PM
Hi guys,
Based on your experience what is the workaround for the following:
I have WLC 7.3 + ISE 1.1.1, no posture yet, just authentication and profiling - very simple.
I have two ISE appliances: ISE1.mycompany has PRIMARY admin/policy and ISE2.mycompany has PRIMARY monitoring; the rest is secondary, as I think this would take some load off the primary ISE.
Based on INTEL/DELL MAC address I allow access to the corporate network.
Based on APPLE-DEVICE I set clients on VLAN 2.
This makes the authz rules look like this:
1.) IF INTEL/DELL and AD/users = Permit_Access
2.) IF APPLE-DEVICE and AD/users/spec = vlan2
3.) IF no match THEN = DenyAccess
And here we go: first-time users connect to SSID = Corporate with their Dell/Intel laptop.
Enters username, password and so on - Access Denied
(On ISE I see Default deny at the end, RULE 3 being used)
User tries again - Access Granted, RULE 1 being used
First time an Apple-device user tries to log in - Access Denied
On ISE I see the same thing
User tries again, rule number 2 being used.
Any Suggestions?
This is one time only for that device and has no problem after that once it's in endpoint database, but with 10k users that's a problem for the help desk.
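The first-try deny described in the post above can be modelled as a policy whose profile-group conditions are evaluated against the endpoint database as it stands at authentication time. The following is an added illustration, not Cisco code or the poster's configuration: the rule names and AD group strings are taken from the post, the endpoint database and the assumption that profiling completes only after the first RADIUS exchange are assumptions of the model.

```python
# Added example (not Cisco/ISE code): toy model of ordered authz rule
# evaluation for the policy in the post. Names are assumed/illustrative.
from dataclasses import dataclass, field


@dataclass
class EndpointDB:
    """Profiled endpoints: MAC -> profile group. Unknown until profiled."""
    profiles: dict = field(default_factory=dict)

    def profile_of(self, mac: str) -> str:
        return self.profiles.get(mac, "Unknown")  # not yet in the database

    def learn(self, mac: str, profile: str) -> None:
        # Assumption of this model: profiling finishes after the first
        # RADIUS exchange, so the profile is only usable on the next attempt.
        self.profiles[mac] = profile


# (required profile group, required AD group, result), evaluated top-down
AUTHZ_RULES = [
    ("INTEL/DELL", "AD/users", "Permit_Access"),       # rule 1
    ("APPLE-DEVICE", "AD/users/spec", "vlan2"),        # rule 2
]
DEFAULT_RESULT = "DenyAccess"                          # rule 3


def authorize(db: EndpointDB, mac: str, ad_groups: set) -> str:
    """Return the result of the first matching rule, else the default."""
    profile = db.profile_of(mac)
    for want_profile, want_group, result in AUTHZ_RULES:
        if profile == want_profile and want_group in ad_groups:
            return result
    return DEFAULT_RESULT


def first_and_second_attempt(mac: str, profile: str, ad_groups: set):
    """Simulate a brand-new endpoint authenticating twice in a row."""
    db = EndpointDB()                        # device not yet known to ISE
    first = authorize(db, mac, ad_groups)    # profile is Unknown here
    db.learn(mac, profile)                   # endpoint now profiled
    second = authorize(db, mac, ad_groups)   # same credentials, same rules
    return first, second


if __name__ == "__main__":
    # Constructed sample MACs; a Dell laptop in AD/users, then an Apple device.
    print(first_and_second_attempt("00:11:22:33:44:55", "INTEL/DELL", {"AD/users"}))
    print(first_and_second_attempt("aa:bb:cc:dd:ee:ff", "APPLE-DEVICE",
                                   {"AD/users", "AD/users/spec"}))
```

Both simulated devices hit the default rule on the first attempt and only match rule 1 or rule 2 once the profile group is populated, which is the one-time-per-device help-desk pattern the post reports.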