Lab Overview

Cisco ISE BYOD Lab Guide


Developers and Lab Proctors
This lab was created by Policy and Access Technical Marketing, Security Business Group, Cisco.

Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine
(ISE) in a Bring Your Own Device (BYOD) environment. This lab covers the configuration of
Cisco ISE to address the common requirements for BYOD. Students will be introduced to the ISE
My Devices Portal, which enables employees to self-manage their devices. Students will
experience ISE single-SSID configuration and provisioning of certificates for the BYOD
endpoints (Apple iPad) using the ISE internal CA. The students will learn how to manage their own
devices in the My Devices Portal by testing the blacklist features. In the lab the students will learn
how to configure ISE to connect multiple AD domains, and use the ISE internal CA to issue certificates
for BYOD endpoints.
Lab participants should be able to complete the lab within the allotted time of 2 hours.

Lab Exercises
This lab guide includes the following exercises:

Lab Exercise 1: ISE Internal CA for BYOD certificate provisioning
Lab Exercise 2: Configure ISE for Single SSID Wireless BYOD
Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad
Lab Exercise 4: ISE My Devices Portal
Lab Exercise 5: Test and Verify the Lost function of My Devices Portal
Lab Exercise 6: Test and Verify the Stolen function on My Devices Portal

ISE_21_BYOD_Lab_Guide_2016-07-26

Page 1 of 25

Product Overview: ISE


Cisco Identity Services Engine (ISE) is a context-aware, identity-based platform that gathers real-time
information from the network, users, and devices. ISE then uses this information to make proactive
governance decisions by enforcing policy across the network infrastructure utilizing built-in, standards-based
controls. Cisco ISE offers:
Security: Secures your network by providing real-time visibility into and control over the users and
devices on your network.
Compliance: Enables effective corporate governance by creating consistent policy across an
infrastructure.
Efficiency: Helps increase IT and network staff productivity by automating traditionally labor-intensive
tasks and streamlining service delivery.
Enablement: Allows IT to support a range of new business initiatives, such as bring your own device
(BYOD), through policy-enabled services.

Lab Topology

Lab IP and VLANs


Internal IP Addresses

Device                                      | Name/Hostname                         | IP Address
Access Switch (3650)                        | 3k-access.demo.local                  | 10.1.100.1
Wireless LAN Controller (virtual)           | wlc.demo.local                        | 10.1.100.61
Wireless Access Point (varied)              | ap.demo.local                         | 10.1.90.x/24 (DHCP)
ISE Appliance                               | ise-1.demo.local                      | 10.1.100.21
AD (AD/CS/DNS/DHCP)                         | ad.demo.local                         | 10.1.100.10
Mail                                        | mail.demo.local                       | 10.1.100.40
NTP                                         | ntp.demo.local                        | 128.107.212.175
Tools                                       | tools.demo.local                      | 128.107.210.137
LOB-web                                     | lob-web.demo.local                    | 10.1.129.12
LOB-web                                     | portal.demo.local, updates.demo.local | 10.1.129.8
LOB-web                                     | business.demo.local                   | 10.1.129.9
LOB-web                                     | it.demo.local                         | 10.1.129.10
LOB-web                                     | records.demo.local                    | 10.1.129.11
Admin (Management) Client (also FTP Server) | admin.demo.local, ftp.demo.local      | 10.1.100.6

Internal VLANs and IP Subnets

VLAN | VLAN Name  | IP Subnet     | Description
10   | ACCESS     | 10.1.10.0/24  | Authenticated users or access network using ACLs
20   | MACHINE    | 10.1.20.0/24  | Microsoft machine-authenticated devices (L3 segmentation)
(29) | -          | 10.1.29.0/24  | Interconnect subnet between ASA and Access switch
30   | QUARANTINE | 10.1.30.0/24  | Unauthenticated or non-compliant devices (L3 segmentation)
40   | VOICE      | 10.1.40.0/24  | Voice VLAN
50   | GUEST      | 10.1.50.0/24  | Network for authenticated and compliant guest users
90   | AP         | 10.1.90.0/24  | Wireless AP VLAN
98   | ISE.LOCAL  | 10.1.98.0/24  | AD domain ise.local
99   | LAB.LOCAL  | 10.1.99.0/24  | AD domains lab.local and sam.lab.local
100  | Management | 10.1.100.0/24 | Network services (AAA, AD, DNS, DHCP, etc.)
129  | WEB        | 10.1.129.0/24 | Line-of-business Web servers

Connecting to Lab Devices

Accounts and Passwords

Access To                         | Account (username/password)
Access Switch (3650)              | admin / ISEisC00L
Wireless LAN Controller (virtual) | admin / ISEisC00L
ISE Appliances                    | admin / ISEisC00L
AD (CS/DNS/DHCP)                  | admin / ISEisC00L
Web Server                        | admin / ISEisC00L
Admin (Management) Client         | admin / ISEisC00L

Connecting to Lab Devices


Note: To access the lab, you must first connect to the Admin PC. The Admin PC provides a launching point for
access to all the other lab components. Admin PC access is through RDP, therefore you must have an RDP client
installed on your computer.

Connect to a POD

Step 1 Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab.
b. Click on the Admin PC, and then click on the RDP Client option that appears.
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
   Login as admin / ISEisC00L

Note: All lab configurations can be performed from the Admin client PC.

Connect to ESX Server Virtual Machines


During the lab exercises, you may need to access and manage the computers running as virtual
machines.
Step 1

From the Admin client PC, click the [ ESXi-core ] icon on the desktop

Step 2

Click OK when the VMware vSphere Client starts.

Step 3 You have the ability to power on, power off, or open the console (view) these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options:
a. To access the VM console, select Open Console from the drop-down.

b. To login to a Windows VM, select Guest > Send Ctrl+Alt+del from the VM Console
menu:

Step 4

For this lab ensure that the following VMs are up and running:
p##_ad
p##_admin
p##_ise-1-base
p##_lob-web
p##_vWLC

(likely invisible)

## refers to the pod number that you are assigned to. E.g., For POD 2, p##_ad would be
p02_ad. w7pc-guest may be powered on manually during the exercises.

Connect to Lab Device Command-Line Terminal

Step 1 To access the lab switches and ISE servers using SSH:
a. From the Admin client PC, locate the PuTTY shortcut on the taskbar. Click on the PuTTY
   shortcut and it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.

Pre-Lab Setup Instructions


Basic Connectivity Test
Step 1

From the admin PC desktop, launch Firefox and browse to http://tools.demo.local/ping/byod.txt.

Step 2

Control-A to select all lines in the web page above and then Control-C to copy them.

Step 3

Launch PingInfoView by double-clicking its shortcut on the desktop.


Control-V to paste the copied text into the box for [ Addresses list to ping: ], and
click [ OK ].

Step 4

Verify that ping succeeds for all devices tested and then choose [ File > Exit ] or close the
window when completed.

Controlling iPad via VNC Client


Below are some tips for controlling the iPad UI via VNC client which will be useful for the entire lab:

Home: (On PC/Mac with 2/3-button mouse) Right click once with a mouse. (On Mac with track
pad) Touch with two fingers on the Track Pad If Secondary Click is configured.

Mouse: Mouse pointer mimics touching the iPad screen with one finger.

Scrolling or dragging: Press and hold Left mouse button and move the mouse pointer to scroll

Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your
local keyboard for input.

Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field
you want to input text into, and click on it.
Note: When interacting with the iPad VNC session, a US keyboard is preferred.
Note: A US keyboard is needed for the RDP session too unless you have additional language packs installed to provide keyboard
mappings. This is only for the RDP sessions.

Lightweight Access Point (LAP) Associated to Wireless LAN Controller (WLC)

This lab uses an LAP which needs to be joined to and associated with the WLC in the pod. Due to a lab
automation limitation, this might not have happened correctly, so we need to verify and remedy it
manually.

Step 1 From the Admin PC, launch Firefox to go to https://wlc.demo.local and login as admin /
ISEisC00L.

Step 2 In the MONITOR summary page, the Controller Summary section has a field Up Time showing
how long the WLC has been up.

Step 3 If Up Time is more than 15 minutes, check the next section, Access Point Summary, to see if
zero or NO access point is associated. If Up Time is shorter and NO access point, please wait
longer before taking the next action.

Step 4 If NO access point is associated, then reboot the WLC by navigating to COMMANDS > Reboot
and choosing [ Reboot without Save ]. Click OK when prompted.

Step 5 An LAP should associate with the WLC shortly after the WLC rebooted. If there is still no LAP
after the WLC rebooted and has been up for more than 15 minutes, please report it to the lab proctor
or open a ticket with LabOps support.

Basic ISE Configuration


Step 1 Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar:
   https://ise-1.demo.local/

   Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L.

Step 2 Join to the Active Directory. Access the ISE Active Directory configuration page by navigating to
Administration > Identity Management > External Identity Sources and select Active
Directory from the left-hand pane.

Step 3 Join ise-1 to demo.local (in a single-domain forest).
a. Click the hyperlink demoAD under the Join Point Name column.
b. Tick the checkbox next to ISE node ise-1.demo.local and then click Join.
c. In the Join Domain pop-up window, fill in:
   * AD User Name: admin
   * Password: ISEisC00L
d. Click OK to start the join operation.
e. A window Join Operation Status will pop up. Wait until the node status turns
   Completed, and then click Close.
f. The Connection tab shall show ad.demo.local as the domain controller and Default-First-Site-Name as the site.
g. Click on the Groups tab to view the pre-defined groups.

Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check
whether the NTP service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM.

WLC Configuration

Step 1 Using the browser (Firefox), navigate to https://wlc.demo.local/. Log in using the credentials
User Name: admin
Password: ISEisC00L

Note: SSID names will change per POD; e.g. POD 01 = 01-wpa2e

Step 2 Click the WLC menu item shown in the guide's screenshot (image not reproduced here) and then SSID number 1.

Step 3 Click the Status checkbox.

Step 4 Click the button shown in the guide's screenshot (image not reproduced here).
Lab Exercise 1: ISE Internal CA for BYOD certificate provisioning

Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public
Key Infrastructure. The ISE Certificate Authority is designed to work in concert with your existing PKI to
simplify BYOD deployments.
The Internal CA provides a single management console to manage endpoints and their certificates: delete an
endpoint and ISE deletes the certificates associated with that endpoint.
Multiple deployment models are supported for the Internal CA; it supports stand-alone and subordinate
deployments. This removes the corporate PKI team from every BYOD interaction. In regards to the architecture:

ROOT_CA is the root CA for the entire ISE PKI hierarchy but can also be subordinate to an
existing enterprise root CA.
NODE_CA is responsible for issuing the subordinate EP_CA and OCSP certificates.
EP_CA is responsible for issuing identity and device certificates to endpoints.
OCSP is responsible for signing the OCSP responses.

Exercise Description
This lab covers the ISE Internal CA configurations to provision BYOD devices. Certificates would
be provisioned to personal devices and would later be used to connect to the corporate network
using EAP-TLS authentication.

Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the ISE internal CA. This includes
completion of the following tasks:

Verify the Internal Certificate Authority is running and is operational
Review a default certificate template for provisioning BYOD devices

Step 1 Login to ISE at https://ise-1.demo.local/admin/login.jsp
Username: admin
Password: ISEisC00L


Step 2

Under Administration > System > Certificates > Certificate Authority, go to Internal CA
Settings and Verify Internal CA is running on your POD

Step 3

Under Administration > System > Certificates > Certificate Authority click Certificate
Templates.

Step 4

ISE comes with a default certificate template which can be used for BYOD. In this lab we will
use the default certificate template. Select the default template
EAP_Authentication_Certificate_Template, click Edit, and notice the values shown below:

Name: EAP_Authentication_Certificate_Template
Description: This template will be used to issue certificates for EAP Authentication
Subject
  Common Name (CN): $UserName$
  Organizational Unit (OU): Example unit
  Organization (O): Company name
  City (L): City
  State (ST): State
  Country (C): US
Subject Alternative Name (SAN): MAC Address
Key Size: 2048
SCEP RA Profile: ISE Internal CA
Valid Period: 730

Note: The ISE internal CA comes with a default configuration and is already running when ISE is installed. Overall, the
administration and configuration experience is super easy to set up.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 2: Configure ISE for Single SSID Wireless BYOD

Exercise Description
This exercise will show how to configure ISE for a BYOD wireless deployment where only one
wireless SSID is required. First you will confirm the SSID settings on the Cisco WLC. Next you will
learn how to configure profiles for the SCEP CA and the Certificate Authentication Profile. Cisco
ISE uses the Simple Certificate Enrollment Protocol (SCEP) to support the secure issuance of
certificates to network devices in a scalable manner. The SCEP server in this lab is the ISE internal CA. You
will also learn how to configure a client provisioning policy on Cisco ISE to allow native
supplicant provisioning.

Exercise Objective
In this exercise, your goal is to configure ISE for single SSID Wireless BYOD, which includes the
completion of the following tasks in ISE:

Verify the Network Access Device configuration of the WLC

Modify the Identity Source Sequence to authenticate the user against AD

Modify the Authentication Policy to accept 802.1X authentication from wireless access
devices with EAP-TLS or PEAP(EAP-MSCHAPv2) protocols.

Modify the Authorization Policy to allow registration as well as supplicant provisioning and
to grant full access to registered devices.

Create Client Provisioning Policy to support native supplicant provisioning

Step 1

Open a new tab on the web browser and access the ISE administration web interface at
https://ise-1.demo.local using the credentials admin / ISEisC00L

Step 2

Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:

Name: wlc
Description: (blank)
IP Address: 10.1.100.61 / 32
Model Name: (blank)
Software Version: (blank)
Device Type: WLC
Location: GOLD-ISE
Authentication Settings
  Protocol: RADIUS
  Shared Secret: ISEisC00L

d. Update as needed and click Save when finished.

Step 3

OPTIONAL: We'll now configure the External SCEP CA Profiles in case a deployment demands
using its own PKI system for certificate provisioning.
a. Navigate to Administration > System > Certificates > Certificate Authority > External
   CA Settings
b. Go to SCEP RA Profiles. Add a new profile as below:

Name: mscep (or any unique id)
Description: -
URL: http://ad.demo.local/certsrv/mscep/mscep.dll

Note: ISE provides the ability to test and add multiple SCEP URLs at the same time by clicking the + button.

c. Click Test Connectivity to verify the connection to the SCEP server.

Note: If this fails, please ask the proctor to check on the mscep server VM.
The MSCEP VM is the same as the Microsoft AD Server; the proctor can either stop and start the service (NDES) or restart the AD server (power off and power on).

d. Once Test Connectivity succeeds, click Submit to save the profile.

e. Select the newly created mscep profile and click the Edit button; notice that the profile
   itself presents the RA and CA certificate details.

f. Under Administration > System > Certificates, go to Trusted Certificates; both the
   CA and RA (registration authority) certificates of the certificate chain for the SCEP server
   should have been automatically retrieved.

Step 4

Go to Administration > Identity Management > External Identity Sources > Certificate
Authentication Profile to review the built-in profile Preloaded_Certificate_Profile.
This preloaded profile fits our need so we will use it in this lab.

Step 5

Next go to Administration > Identity Management > Identity Source Sequences.
a. Review the built-in identity source sequence All_User_ID_Stores.

Note: When using this identity source sequence in EAP-TLS authentications, it will pick the certificate authentication profile. In
password-based authentications, it will use the other identity sources in the authentication search list.

Step 6

Go to Policy > Authentication and ensure that the authentication policy is configured as below
(all three rules Enabled; the Options column lists the action if authentication failed / if user not found / if process failed):

Name                       | Condition                          | Protocols                              | Identity Source            | Options
MAB                        | IF Wired_MAB OR Wireless_MAB       | allow protocols Default Network Access | and use Internal Endpoints | Reject / Continue / Drop
Dot1X                      | IF Wired_802.1X OR Wireless_802.1X | allow protocols Default Network Access | and use All_User_ID_Stores | Reject / Reject / Drop
Default Rule (if no match) | -                                  | allow protocols Default Network Access | and use All_User_ID_Stores | Reject / Reject / Drop

Step 7

Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Drill
down to NSP_Onboard, a built-in Authorization Profile that is used in the Authorization Policy for
supplicant provisioning.
a. Update the redirect ACL to PERMIT-2-ISE-a-DNS, which is configured in our WLC.

Name: NSP_Onboard
Description: -
Access Type: ACCESS_ACCEPT
Common Tasks
  DACL: PERMIT_ALL_TRAFFIC
  Web Redirection: drop-down menu Native Supplicant Provisioning; ACL: PERMIT-2-ISE-a-DNS; Value: BYOD Portal (default)

Attributes Details
Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = url-redirect-acl=PERMIT-2-ISE-a-DNS
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionIdValue&portal=..&action=nsp

Click Save to save the changes.


Step 8

Next, enable two built-in Authorization Policy rules under Policy > Authorization,
Employee_EAP-TLS and Employee_Onboarding, by double-clicking on the grayed-out state icon
and selecting Enabled.

Step 9

Also, disable the Basic_Authenticated_Access rule. The policy should then read as follows:

Rule Name                             | Identity Groups           | Other Conditions                                                   | Permissions
Wireless Black List Default           | Blacklist                 | Wireless_802.1X                                                    | Blackhole_Wireless_Access
Profiled Cisco IP Phones              | Cisco-IP-Phone            | -                                                                  | Cisco_IP_Phones
Profiled Non Cisco IP Phones          | Non_Cisco_Profiled_Phones | -                                                                  | Non_Cisco_IP_Phones
Compliant_Devices_Access              | -                         | Network_Access_Authentication_Passed AND Compliant_Devices         | PermitAccess
Employee_EAP-TLS                      | -                         | Wireless_802.1X AND BYOD_is_Registered AND EAP-TLS AND MAC_in_SAN | PermitAccess AND BYOD
Employee_Onboarding                   | -                         | Wireless_802.1X AND EAP-MSCHAPv2                                   | NSP_Onboard AND BYOD
...                                   |                           |                                                                    |
Basic_Authenticated_Access (disabled) | -                         | Network_Access_Authentication_Passed                               | PermitAccess
Default                               | Any                       | -                                                                  | DenyAccess

Click Save to save the changes.
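To see why the rule order above and the MAC_in_SAN condition matter, here is an added example (not ISE code and not part of the original guide) that models the rule table as data and evaluates it top-down, first match wins, against constructed sessions; the Session fields, the condition predicates and the omission of the two phone-profiling rules are this example's own simplifications.

```python
"""Added example, not ISE code: first-match evaluation of the authorization
rules enabled in Steps 8 and 9, run against constructed 802.1X sessions.
The Session fields and the condition predicates are this example's own
simplification of the ISE attributes (the two phone-profiling rules are left
out because the sessions here are never profiled as phones)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed view of one wireless session as the policy would see it."""
    mac: str                    # Calling-Station-ID of the endpoint
    wireless_8021x: bool        # matched the Wireless_802.1X compound condition
    eap_method: str             # "EAP-TLS" or "EAP-MSCHAPv2" (inner method of PEAP)
    auth_passed: bool           # Network_Access_Authentication_Passed
    endpoint_groups: set = field(default_factory=set)  # e.g. {"RegisteredDevices", "Blacklist"}
    cert_san: tuple = ()        # SAN values of the presented EAP-TLS certificate
    compliant: bool = False     # posture result (Compliant_Devices)


def normalize_mac(mac):
    """Compare MACs regardless of case and separator (AA-BB.. vs aa:bb..)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


# Each named condition from the policy table becomes a predicate on a Session.
CONDITIONS = {
    "Wireless_802.1X": lambda s: s.wireless_8021x,
    "EAP-TLS": lambda s: s.eap_method == "EAP-TLS",
    "EAP-MSCHAPv2": lambda s: s.eap_method == "EAP-MSCHAPv2",
    "Network_Access_Authentication_Passed": lambda s: s.auth_passed,
    "BYOD_is_Registered": lambda s: "RegisteredDevices" in s.endpoint_groups,
    "Blacklist": lambda s: "Blacklist" in s.endpoint_groups,
    "Compliant_Devices": lambda s: s.compliant,
    # The EAP_Authentication_Certificate_Template puts the MAC address in the
    # SAN; MAC_in_SAN ties the certificate to the endpoint that presents it.
    "MAC_in_SAN": lambda s: any(normalize_mac(v) == normalize_mac(s.mac)
                                for v in s.cert_san),
    "Any": lambda s: True,
}

# (rule name, enabled, ANDed conditions, permissions), in table order.
POLICY = [
    ("Wireless Black List Default", True,
     ["Blacklist", "Wireless_802.1X"], "Blackhole_Wireless_Access"),
    ("Compliant_Devices_Access", True,
     ["Network_Access_Authentication_Passed", "Compliant_Devices"], "PermitAccess"),
    ("Employee_EAP-TLS", True,
     ["Wireless_802.1X", "BYOD_is_Registered", "EAP-TLS", "MAC_in_SAN"],
     "PermitAccess AND BYOD"),
    ("Employee_Onboarding", True,
     ["Wireless_802.1X", "EAP-MSCHAPv2"], "NSP_Onboard AND BYOD"),
    ("Basic_Authenticated_Access", False,          # disabled in Step 9
     ["Network_Access_Authentication_Passed"], "PermitAccess"),
    ("Default", True, ["Any"], "DenyAccess"),
]


def authorize(session, policy=POLICY):
    """Return (rule name, permissions) of the first enabled rule that matches."""
    for name, enabled, conds, permissions in policy:
        if enabled and all(CONDITIONS[c](session) for c in conds):
            return name, permissions
    raise RuntimeError("policy has no catch-all rule")


def with_basic_access_enabled(policy=POLICY):
    """Same policy, but with Basic_Authenticated_Access left enabled (Step 9 skipped)."""
    return [(n, e or n == "Basic_Authenticated_Access", c, p) for n, e, c, p in policy]


def demo_cases():
    """Constructed sessions for one employee iPad at each stage of onboarding."""
    mac = "aa:bb:cc:dd:ee:01"
    onboarding = Session(mac, True, "EAP-MSCHAPv2", True)
    registered = Session(mac, True, "EAP-TLS", True,
                         {"RegisteredDevices"}, ("AA-BB-CC-DD-EE-01",))
    # Same registered endpoint, but presenting a certificate issued to another
    # device (the SAN holds a different MAC).
    other_cert = Session(mac, True, "EAP-TLS", True,
                         {"RegisteredDevices"}, ("AA-BB-CC-DD-EE-02",))
    lost = Session(mac, True, "EAP-TLS", True,
                   {"RegisteredDevices", "Blacklist"}, ("AA-BB-CC-DD-EE-01",))
    return {
        "onboarding": authorize(onboarding),
        "registered": authorize(registered),
        "other_cert": authorize(other_cert),
        "lost": authorize(lost),
        "other_cert_basic_enabled": authorize(other_cert, with_basic_access_enabled()),
    }


if __name__ == "__main__":
    for case, (rule, permissions) in demo_cases().items():
        print(f"{case:26} -> {rule}: {permissions}")
```

The last case shows what Step 9 prevents: with Basic_Authenticated_Access still enabled, a session that fails MAC_in_SAN would still be granted PermitAccess because any passed authentication matches that rule before Default.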


Step 10

Go to Policy > Client Provisioning and review the built-in rule for iOS as below:

Status        | Rule Name | Identity Groups | Operating Systems | Other Conditions | Results
(status icon) | iOS       | Any             | Apple iOS All     | -                | Cisco-ISE-NSP

Step 11

Go to Policy > Policy Elements > Results > Client Provisioning > Resources and update
the built-in native supplicant profile Cisco-ISE-NSP by selecting it and click Edit.

Step 12

Under the Wireless Profile(s) section, select the SSID name ISE and click Edit.

Step 13

Replace the SSID Name ISE with ##-wpa2e, where ## is your pod number (10-wpa2e for pod
10, for example).

SSID Name*: ##-wpa2e
Proxy Auto-Config File URL: (blank)
Proxy Host/IP: (blank)
Proxy Port: (blank)
Security: WPA2 Enterprise
Allowed Protocol: TLS
Certificate Template: EAP_Authentication_Certificate_Template


Note: The SSID name is case-sensitive and needs to be exactly the same as the one defined in the WLC.
Notes: In this step when configuring the SSID, please make sure to change the SSID name to match your
POD. All the PODs are configured with the SSID of POD1 for replication purposes. To avoid making any typos,
copy the SSID name from the WLC and paste it into the ISE GUI.
To find the SSID for your POD, go to the admin PC, launch a browser and log in to the WLC (https://wlc.demo.local)
with Username = admin and Password = ISEisC00L. Click the WLC menu item shown in the guide's screenshot (image not
reproduced here) and then copy the name of the Secure SSID, e.g. ##-wpa2e. If the SSID is disabled, click on the SSID
and Enable it.

Step 14

Click Submit to save the changes for the wireless profile. Then, scroll down and click Submit again
to save the change for the native supplicant profile as a whole.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 3: Test and Verify the onboarding of a non-corporate Apple iPad

Exercise Description
In this exercise you will get the experience of onboarding an Apple iPad onto the network in a
BYOD use case. From the iPad you will connect over the wireless network to the single SSID you
configured in the earlier exercise. You will use your AD credentials to let Cisco ISE know that the
iPad is a personal device that belongs to you, the employee. When you connect to the network
you will verify profile installation for the native supplicant on the iPad. Using Cisco ISE live logs
you will monitor the onboarding process and verify successful completion via the My Devices
Portal.
Warning: The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to
configuration and limitations of remotely controlling an interactive device like the iPad in a lab environment, please do not
deviate from the exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual
resetting and prevent you from experiencing the full potential of the lab.
Thank you for your cooperation.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Connect to the iPad via VNC to test the wireless BYOD feature

Connect the iPad to the corporate SSID and check the onboarding of Apple iPad and
installation of the profiles for the native supplicant for the corporate user

Check the ISE Live Logs to monitor the process

Check the My Devices Portal to see the device registration

Step 1

Double click on the batch file vnc-to-ipad on the Desktop to start a VNC session to the iPad.

Step 2

The batch file will prompt you to press any key to continue. You will then see the VNC Viewer
pop up.

Tips on controlling the iPad UI via VNC client:

Home: (On PC/Mac with 2/3-button mouse) Right click once with a mouse. (On Mac with track pad) Touch with two fingers on
the Track Pad if Secondary Click is configured.
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold the left mouse button and move the mouse pointer to scroll.
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want
to input text into, and click on it.

Step 3

On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.

Note: If no profiles, you might not see the profiles menu option.

Step 4

Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and
Data.

Step 5

Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the
network ##-wpa2e
a. Enter the username/password AD credentials (employee1/ISEisC00L) and click Join

b. Click to Accept the certificate

c. Next click on the blue arrow of the connected network and verify the IP address assigned.

Note: The IP address for the iPad might be different depending on the DHCP server in the POD; the iPad might get an IP address from
the 10.1.10.x subnet, which is OK.

Step 6

Now launch the mobile Safari app and access the website portal.demo.local.
You will receive a warning Cannot Verify Server Identity. Click Continue and you will be redirected to
the self-provisioning page.

Note: If a red error is shown and the Register button is grayed out, check whether a Client Provisioning Policy rule has been created for
Apple iOS (Policy > Client Provisioning).

Also, run a Supplicant Provisioning Report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).

This will take you to the ISE BYOD Welcome Screen, which guides the end-user through a series
of steps to on-board the device and also keeps track of these steps with proper numbering.
Click Start to proceed.
Next the end-user is requested to enter a Device Name and Description:

Device Name: Personal_iPAD
Description: This is my iPAD

Click Continue to proceed.

Step 3 of the portal prompts the user to launch the Apple Profile and Certificate installers; click to proceed.
When prompted to install the CA certificate that signed the SSL server certificate of ISE, click
Install. Accept any warnings to complete this installation.

Step 7

Once back at the self-provisioning page in Safari, enter an optional description and click
to Register the iPad. At this time, the ISE Profile Service pops up and prompts Install.

Step 8

Click Install to start the Apple Over-The-Air (OTA) enrollment process. This will automatically
generate the key, enroll the identity certificate, and save the resulting signed Wi-Fi profile to the
iPad.

Step 9

Now entering portal.demo.local in the mobile Safari app should take you to the website.

Step 10

Verifying Settings > General > Profiles shows two profiles are installed


Step 11

Check the RADIUS live logs on the ISE admin web console to verify that the correct authorization
profiles were applied. The sequence will look similar to the following. Initially, the device will be
authorized for NSP_Onboard. Once provisioning is done, another authentication occurs and the
PermitAccess profile will be applied.

Note: For detailed troubleshooting, enable DEBUG logging for the relevant components -- client, guest and provisioning
(Admin > System > Logging > Debug Log > Config).
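The same NSP_Onboard-then-PermitAccess sequence can be checked mechanically over a batch of log rows; the following is an added example, not an ISE report or part of the original guide, and the log lines and column names in it are constructed to resemble a simplified live-log export rather than ISE's real export format.

```python
"""Added example, not an ISE report: checks the onboarding sequence from
Step 11 over RADIUS log lines. The lines below are constructed to resemble a
simplified live-log export; the column names are this example's assumption,
not ISE's export schema."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log (time, identity, endpoint MAC, EAP method, profiles).
SAMPLE_LOG = """\
time,identity,endpoint,protocol,profiles
2016-07-26 10:01:02,employee1,AA:BB:CC:DD:EE:01,PEAP(EAP-MSCHAPv2),NSP_Onboard;BYOD
2016-07-26 10:03:40,employee1,AA:BB:CC:DD:EE:01,EAP-TLS,PermitAccess;BYOD
2016-07-26 10:05:11,employee2,AA:BB:CC:DD:EE:02,PEAP(EAP-MSCHAPv2),PermitAccess
2016-07-26 10:06:00,employee3,AA:BB:CC:DD:EE:03,PEAP(EAP-MSCHAPv2),NSP_Onboard;BYOD
2016-07-26 10:07:25,employee1,AA:BB:CC:DD:EE:04,EAP-TLS,PermitAccess;BYOD
"""


def parse_log(text):
    """Group rows per endpoint MAC, keeping log order: {mac: [(time, protocol, {profiles})]}."""
    per_endpoint = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        profiles = {p.strip() for p in row["profiles"].split(";") if p.strip()}
        per_endpoint[row["endpoint"].upper()].append((row["time"], row["protocol"], profiles))
    return dict(per_endpoint)


def classify(events):
    """Classify one endpoint's history against the expected BYOD flow.

    onboarded    - NSP_Onboard (provisioning) then PermitAccess over EAP-TLS
    provisioning - NSP_Onboard seen but no full access yet
    registered   - PermitAccess over EAP-TLS only (registered before this log window)
    suspicious   - PermitAccess over a password method: no certificate was
                   required, which in this lab means Basic_Authenticated_Access
                   was not disabled (Step 9) or the rule order is wrong
    unknown      - nothing conclusive yet
    """
    saw_onboard = False
    for _, protocol, profiles in events:
        if "NSP_Onboard" in profiles:
            saw_onboard = True
        elif "PermitAccess" in profiles:
            if protocol != "EAP-TLS":
                return "suspicious"
            return "onboarded" if saw_onboard else "registered"
    return "provisioning" if saw_onboard else "unknown"


def audit(text=SAMPLE_LOG):
    """Return {mac: classification} for every endpoint in the log."""
    return {mac: classify(events) for mac, events in parse_log(text).items()}


if __name__ == "__main__":
    for mac, verdict in audit().items():
        print(f"{mac}  {verdict}")
```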

Step 12

Under Administration > System > Certificates > Certificate Management > Overview, look
at the summary of certificates issued to personal devices.

Step 13

Under Administration > System > Certificates > Certificate Management > Endpoint
Certificates, look at all the certificates issued to personal devices.

Step 14

Select a certificate and click View to examine its detail.

More Troubleshooting Tips


Helpful WLC CLI commands:
Debugging client traffic: debug client <mac_address>
Debugging AAA authentication: debug aaa events enable
Debugging 802.1x events: debug dot1x events enable
Bypass captive portal: config network web-auth captive-bypass enable

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 4: ISE My Devices Portal


Exercise Description
This lab covers the ISE configuration to enable and customize the My Devices Portal. The My
Devices Portal allows employees to manage the devices that they themselves have on-boarded
to the corporate network. Employees can add devices directly in this portal. Employees can mark
any device in their own lists as lost, which prevents others from unauthorized network access
when using the stolen device. Employees can reinstate a blacklisted device in the My Devices
Portal to grant it network access without re-registration. Employees can also take any of their
devices off the list temporarily, and later register them back for network access.

Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This
includes completion of the following tasks:

Verify My Devices Portal enablement
Customize the My Devices Portal
Modify the My Devices Portal authentication to include AD for user authentication
Launch the My Devices Portal and access it using AD user credentials

Step 1

Access the ISE administrative web interface.
a. On the Admin PC, launch the Mozilla Firefox web browser. Enter this URL in the address bar:
   https://ise-1.demo.local/

   Note: Accept/Confirm any browser certificate warnings if present.

b. Login with username admin and password ISEisC00L. The ISE Dashboard should
   display. Navigate the interface using the multi-level menus.

Step 2

My Device Portal Settings


a. Navigate to Administration > Device Portal Management > Device Portal
Management > My Devices. From there, Click on My Devices Portal (default) to
verify/edit the default My Devices Portal.

Attribute
Value
Portal Behavior and Flow Settings
Use these settings to specify the My Devices experience for this portal.
Portal Settings
mydevices.demo.local
Fully qualified domain name (FQDN):
Endpoint identity group:
RegisteredDevices
Purge endpoints in this identity group when they
30 days
reach
Identity source sequence: *
MyDevices_Portal_Sequence
Acceptable Use Policy (AUP) Page Settings
Include an AUP
On first login only
Post-Login Banner Page Settings
Include Post-Login Banner Page

Portal Page Customization
Customize portal pages by applying a theme and specifying field names and messages displayed
to users.

Attribute                         Value
Portal Theme:                     Default Olive theme
Text Elements
  Banner title:                   This is a Custom MyDevices Portal
Pages > My Devices
  Content Title:                  All My Devices

b. Click Save on the top right hand corner.


Step 3

Preview
a. Navigate to Administration > Device Portal Management > My Devices. From there, click
My Devices Portal (default).
b. On the same page, towards the right of the screen, click Portal Test URL to open the My
Devices Portal page. Login with the following credentials:

Attribute        Value
Username         employee1
Password         ISEisC00L

c. Accept the AUP.

d. There will be options available to add devices, but do not add any devices at this time.
This will be performed in later lab exercises.
Note: Accept/confirm any browser certificate warnings if present; they are usually caused by the browser not trusting the root CA
certificate that signed the SSL server certificate of the ISE.
The preview is rendered according to the device you use to access the page; e.g. on a Windows OS, the screen is
presented according to that OS and its screen specification.
ISE allows customization of more pages for BYOD flows. This exercise customized only the My Devices page, but the
other portal pages follow the same customization logic.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 5: Test and Verify the Lost function on My Devices Portal
Exercise Description
This exercise will show you the device self-management features of Cisco ISE.
You will simulate losing your iPad and blacklist the device as lost. Blacklisting the device
prevents it from being misused on the corporate network. Cisco ISE uses RADIUS Change of
Authorization (CoA) messaging to instruct the network access devices to enforce the restrictions
on the user's self-provisioned device.

Exercise Objective
In this exercise, your goal is to complete the following tasks:

Customize the Authorization Profile to blacklist wireless endpoints
From the My Devices Portal mark the device as Lost to observe the Change of Authorization
(CoA) occur and restrict access from the device
When the device is reinstated on the My Devices Portal, Change of Authorization is again
triggered and the device should now be given full network access

Step 1

Login to the WLC web interface https://wlc.demo.local as admin/ISEisC00L to review the WLAN
and ACLs used in this exercise.
a. WLAN: ##-wpa2e
b. ACLs: BLACKLIST, PERMIT-ALL-TRAFFIC, PERMIT-2-ISE-a-DNS and PERMIT-2-ISE-a-DNS-a-INTERNET

Note: The ## in ##-wpa2e is to be replaced with the assigned pod number; e.g. 01-wpa2e for POD1.
Note: PERMIT-2-ISE-a-DNS has access entries that permit DNS, since DNS would otherwise be blocked.

Step 2

Update the authorization profile Blackhole_Wireless_Access under Policy > Policy Elements
> Results > Authorization > Authorization Profiles.
a. In the second cisco-av-pair, replace the url-redirect-acl value BLACKHOLE with
BLACKLIST, so that the profile reads:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/mydevices/blackhole.jsp
cisco-av-pair = url-redirect-acl=BLACKLIST

Note: The value of url-redirect-acl must exactly match an ACL name defined on the WLC.

b. Save changes

Step 3

Go to the My Devices Portal http://mydevices.demo.local and inspect the endpoint registration
states. Login as employee1/ISEisC00L if the portal session has expired.
The initial state of the device is as shown below.

Step 4

Select your iPad and then click Lost? for the iPad. The device is now blocked from
accessing the network. Note the icon change under State.

Step 5

From the VNC session to the iPad, switch to the mobile Safari app. Reload the page wwwint.demo.local; the user will see a message similar to the one below.

Step 6

Under Operations > RADIUS > Live Logs, review the Live Logs. They will show that a Dynamic
Authorization (CoA) is triggered after the device is marked Lost, and that the subsequent
reauthentication matches the device to the Blackhole_Wireless_Access profile.

Step 7

Go back to the My Devices Portal and click Reinstate. The iPad should now be allowed on the network.
Notice the change in the icon under State.

Step 8

The Live Logs should show an entry Dynamic Authorization (CoA) succeeded
followed by a re-authentication, which puts the device in the PermitAccess profile.

Step 9

On the iPad, again try to access portal.demo.local. The website should now be accessible.

Step 10

On the iPad, go to Settings > Wi-Fi and slide the virtual switch to turn off Wi-Fi.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

Lab Exercise 6: Test and Verify the Stolen function on My Devices Portal
Exercise Description
This exercise will show you the device self-management features of Cisco ISE.
You will simulate your iPad being stolen and perform the Stolen action on the device. Stolen
revokes the device's certificates, so the employee will need to go through the BYOD onboarding
process again if the device is found.

Exercise Objective
In this exercise, your goal is to complete the following task:

From the My Devices Portal initiate the Stolen action on the device to observe the Change of
Authorization (CoA) occur and the certificates being revoked for the device

Step 1

Perform Stolen
a. From the iPad VNC session, verify iPad Wi-Fi is ON and connected to ##-wpa2e
b. Go to the My Devices Portal, select the iPad and click Stolen for the iPad. Accept the
warning and say Yes. The device will now be blocked from accessing the network.

Step 2

On ISE, verify under Administration > Certificates > Certificate Management > Endpoint
Certificates that the certificate is also revoked.

Step 3

From the VNC session to the iPad, notice that the device is no longer connected to the network.

Step 4

Under Operations > RADIUS > Live Logs, review the Live Logs. They will show that a Dynamic
Authorization (CoA) is triggered after the device is marked Stolen, and that the following
reauthentication fails, because the endpoint certificate is now revoked, and falls through to the
Default Policy, which denies access. Depending on the timing and the OCSP cache time-to-live
setting, ISE may still be using a cached "good" status for the certificate, in which case the
endpoint is blacklisted first and the authentication only fails once the cached answer expires.
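The difference between Lost, Reinstate and Stolen, and the timing remark above, come down to two controls that are applied to the next reauthentication: membership of the Blacklist identity group and the revocation status of the endpoint certificate. The following is an added example, a simplified model written for this guide and not ISE's implementation, that plays those controls through a cached OCSP lookup. It assumes that Lost and Stolen both move the endpoint into the Blacklist group, that Stolen also revokes the certificate at the ISE internal CA, that every reauthentication checks revocation, and that an OCSP answer is reused from cache until the configured TTL has elapsed. The device, CA and cache data are constructed; the profile names are the ones used in Exercises 5 and 6.

```python
"""Simplified model of how Lost, Reinstate and Stolen affect the next reauthentication.

Added example, not code from the lab guide or from ISE. Assumptions: Lost and
Stolen put the endpoint in the Blacklist identity group, Stolen also revokes the
endpoint certificate, every reauthentication checks revocation, and an OCSP
answer is served from cache until `ttl` seconds have passed.
"""
from dataclasses import dataclass, field

PERMIT = "PermitAccess"
BLACKHOLE = "Blackhole_Wireless_Access"
DENY = "DenyAccess"              # authentication failed, so the Default Policy denies


@dataclass
class Endpoint:
    mac: str
    cert_serial: int             # serial issued by the (modelled) ISE internal CA
    blacklisted: bool = False    # member of the Blacklist identity group


@dataclass
class InternalCa:
    next_serial: int = 1
    revoked: set = field(default_factory=set)

    def issue(self):
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        return serial


@dataclass
class OcspCache:
    ttl: float                                   # seconds a cached answer stays valid
    entries: dict = field(default_factory=dict)  # serial -> (status, fetched_at)

    def status(self, ca, serial, now):
        cached = self.entries.get(serial)
        if cached and now - cached[1] < self.ttl:
            return cached[0]                     # possibly stale answer served from cache
        status = "revoked" if serial in ca.revoked else "good"
        self.entries[serial] = (status, now)
        return status


def mark_lost(ep):
    ep.blacklisted = True


def reinstate(ep):
    ep.blacklisted = False                       # does not touch the certificate


def mark_stolen(ep, ca):
    ep.blacklisted = True
    ca.revoked.add(ep.cert_serial)               # Stolen also revokes the certificate


def reonboard(ep, ca):
    """BYOD flow run again on a recovered device: new certificate, off the blacklist."""
    ep.cert_serial = ca.issue()
    ep.blacklisted = False


def reauthenticate(ep, ca, cache, now):
    """Authorization result after a CoA forces the device to reauthenticate."""
    if cache.status(ca, ep.cert_serial, now) == "revoked":
        return DENY                              # EAP-TLS fails; no authorization rule is evaluated
    if ep.blacklisted:
        return BLACKHOLE                         # Blacklist group matches the redirect profile
    return PERMIT


def stolen_timeline(ttl):
    """Results at t=0, t=ttl/2 and t=ttl after Stolen, with a "good" answer cached at t=-1."""
    ca, cache = InternalCa(), OcspCache(ttl=ttl)
    ep = Endpoint(mac="00:11:22:33:44:55", cert_serial=ca.issue())   # constructed device
    cache.status(ca, ep.cert_serial, now=-1.0)   # a "good" answer cached just before the theft
    mark_stolen(ep, ca)
    return [reauthenticate(ep, ca, cache, t) for t in (0.0, ttl / 2, ttl)]


if __name__ == "__main__":
    print(stolen_timeline(60.0))   # blackholed while the cached answer lives, then denied
    print(stolen_timeline(0.0))    # no caching: denied on the first reauthentication
```

With a 60-second cache the stolen device is first handed the Blackhole_Wireless_Access profile and only denied once the cached "good" answer expires, which is the ordering the step above warns about; with no caching it is denied immediately. The model also shows why Reinstate after Stolen is not enough: the certificate stays revoked until the device is onboarded again and gets a new one.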

Step 5

Clean up the iPad and turn off wireless to get ready for the next exercise:
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
c. Remove the two profiles installed by the ISE BYOD services on the iPad under Settings >
General > Profiles.
d. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.

End of Exercise: You have successfully completed this exercise.


Proceed to next section.

End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.