Lab Overview
This lab is designed to help attendees understand how to deploy Cisco Identity Services Engine (ISE) in a
Bring Your Own Device (BYOD) environment. This lab covers the configuration of Cisco ISE 1.2 to
address the common requirements for BYOD and integration with 3rd party MDM servers. Students will be
introduced to the ISE My Devices Portal, which enables employees to self-manage their devices.
Students will experience ISE dual-SSID onboarding configuration and optional single-SSID configuration
to provision an Apple iPad. The students will learn how to manage their own devices in the My Devices
Portal by testing the blacklist and corporate wipe feature. The BYOD feature of ISE 1.2 requires an
Advanced License.
Lab participants should be able to complete the lab within the allotted time of 3 hours.
Lab Exercises
This lab guide includes the following exercises:
Lab Exercise 1 : Configure My Devices Portal on ISE
Lab Exercise 2 : Configure ISE for Single SSID Wireless BYOD configuration
Lab Exercise 3 : Test and Verify the onboarding of a non-corporate Apple iPad
Lab Exercise 4 : Test and Verify the Device Blacklisting function of My Devices Portal
Lab Exercise 5 : Configure ISE for 3rd Party MDM integration.
Lab Exercise 6 : MDM policy configuration on 3rd Party MDM Server.
Lab Exercise 7 : Test and Verify 3rd party MDM integration onboarding of a non-corporate Apple iPad
Lab Exercise 8 : Test and Verify the Corporate Wipe function on My Devices Portal
Lab Topology
VLAN 100 Management 10.1.100.0/24: Network services (AAA, AD, DNS, DHCP, etc.)
Note: Dedicated VLANs have been preconfigured for optional access policy assignments based on user identity,
profiling, or compliance status. These VLANs include MACHINE, QUARANTINE, and GUEST. The labs will
focus on the use of downloadable ACLs (dACLs) rather than VLAN assignment for policy enforcement.
Note: Admin PC access is through RDP; therefore you must have an RDP client installed on your computer.
Connect to a POD
Step 1 Launch the Remote Desktop application on your system.
a. In the LabOps student portal, click on the Topology tab
b. Click on the Admin PC, and then click on the RDP Client option that appears.
c. Clicking on this option should launch your RDP client and connect you to the Admin PC.
Login as admin / ISEisC00L
Note: All lab configurations can be performed from the Admin client PC.
Step 1 From the Admin client PC, click the VMware vSphere Client icon on the desktop
Step 3 You have the ability to power on, power off, or open the console (view) of these VMs. To do so,
place the mouse cursor over the VM name in the left-hand pane and right-click to select one of
these options:
Step 4 To access the VM console, select Open Console from the drop-down.
Step 6 For this lab ensure that the following VMs are up and running.
p##_ad
p##_ise-1-base
p##_lob-web
p##_mobileiron
p##_w7pc-guest
## is the pod number that you are assigned to. E.g., for POD 2, p##_ad would be p02_ad. The
VM w7pc-guest may be powered on manually during the exercises.
a. From the Admin client PC, the PuTTY shortcut is on the taskbar. Click on the PuTTY
shortcut on the taskbar and it shows a list of devices and ISE servers.
b. Select the device that you'd like to log into and double-click on it.
c. If prompted, click Yes to cache the server host key and to continue login.
d. Login using the credentials listed in the Accounts and Passwords table.
Verify that ping succeeds for all devices tested by the script.
Note: Failure of lob-db to respond to ping is fine for this lab.
Note: If the join fails due to clock skew, use PuTTY to SSH to the ise-1 admin CLI and issue show ntp and show clock to check whether the NTP
service is working. The NTP service may be corrected by a reboot of ise-1 or a reset of the VM.
WLC Configuration
Step 1 Load WLC configuration for the lab
a. Login to WLC web interface https://wlc.demo.local as admin / ISEisC00L
b. Navigate to the top menu COMMANDS. Then, choose Download File from the left panel.
c. In Download file to Controller page, fill in the form as below:
File Type: Configuration
Configuration File Encryption: (unchecked)
Transfer Mode: FTP
Server Details:
IP Address: 10.1.100.6
File Path: /
File Name: p##-wlc-4hr.txt
Server Login Username: ftp
Server Login Password: ftp
Server Port Number: 21
Note: The ## in p##-wlc-4hr.txt is two-digit to be replaced with the assigned pod number; e.g. p02-wlc-4hr.txt for Pod 02.
Note: The ftp server is the admin PC itself. The wlc configuration file is in the folder C:\inetpub\ftproot\.
d. Click on the Download button to start the file transfer. The following will pop up after
clicking the Download button.
Click OK.
e. Wait for transfer to finish and reset to complete.
Note: The WLC will reset after downloading the configuration from an external file server. During the reset, use ping -t wlc to monitor.
Step 5 Click
Step 6 Repeat step 3 to step 5 for SSID number 10
Exercise Description
This lab covers the ISE configuration requirements to enable and customize the My Devices
Portal. The My Devices Portal allows employees to manage the devices that they themselves
have on-boarded to the corporate network. Employees can add devices directly in this portal.
Employees can mark any device in their own lists as lost, which prevents others from
unauthorized network access when using the stolen device. Employees can reinstate a
blacklisted device in the My Devices Portal to grant it network access without re-registration.
Employees can also take any of their devices off the list temporarily, and later register them back
for network access.
Exercise Objective
In this exercise, your goal is to familiarize yourself with and configure the My Devices Portal on ISE. This
includes completion of the following tasks:
b. Login with username admin and password ISEisC00L. The ISE Dashboard should display.
Navigate the interface using the multi-level menus.
Note: By default, the friendly URL is not enabled. It is preconfigured here in the interest of time and to avoid a restart of ISE services. In
this setup, mydevices.demo.local is aliased to ise-1.demo.local in DNS.
b. Go to Administration > Identity Management > Identity Source Sequences. Edit the
MyDevices_Portal_Sequence and select demoAD as the only identity source in the list of
Authentication Search List. Save once completed.
Step 9 Finally, verify My Devices Portal is working with the configured settings.
a. From the web browser, access http://mydevices.demo.local
Note: Please accept/confirm any browser certificate warnings if present; these are mostly due to the browser not trusting the root CA
certificate that signs the SSL server certificate of the ISE.
c. There will be options available to add devices but do not add any devices at this time. This
will be performed in later lab exercises.
You are now familiar with the look-and-feel of My Devices Portal. You will use this portal in subsequent exercises.
Exercise Description
This exercise will show how to configure ISE for a BYOD wireless deployment where only one
wireless SSID is required. First you will confirm the SSID settings on the Cisco WLC. Next you will
learn how to configure profiles for the SCEP CA and the Certificate Authentication Profile. Cisco
ISE uses the Simple Certificate Enrollment Protocol (SCEP) to support the secure issuance of
certificates to network devices in a scalable manner. The SCEP server in this lab is Microsoft Network
Device Enrollment Service on Windows Server 2008 R2 Enterprise. You will also learn how to
configure a client provisioning policy on Cisco ISE to allow native supplicant provisioning.
Exercise Objective
In this exercise, your goal is to configure ISE for single SSID Wireless BYOD, which includes the
completion of the following tasks in ISE:
Modify the Authentication Policy to accept 802.1X authentication from wireless access
devices with EAP-TLS or PEAP(EAP-MSCHAPv2) protocols.
Modify the Authorization Policy to allow registration as well as supplicant provisioning and
to grant full access to registered devices.
Step 1 Open a new tab on the web browser and access the ISE administration web interface at
https://ise-1.demo.local using the credentials admin / ISEisC00L
Step 2 Verify that the Wireless LAN Controller is configured as a Network Access Device in ISE.
a. Navigate to Administration > Network Resources > Network Devices
b. Under Network Devices in the right-hand panel, select wlc.
c. This network device is preconfigured with the values shown in the following table:
Name: wlc
Description: -
IP Address: 10.1.100.61 / 32
Model Name: -
Software Version: -
Device Type: WLC
Location: GOLD-Lab
Authentication Settings:
Protocol: RADIUS
Shared Secret: ISEisC00L
Note: If this fails, please ask the proctor to check on the AD server VM.
MSCEP is hosted on the Microsoft AD Server in this lab. The proctor can either stop and start the service (NDES) or restart the AD VM
(power-off & power-on).
Note: When using this identity source sequence in EAP-TLS authentications, it will pick the certificate authentication profile. In
password-based authentications, it will use the other identity sources in the authentication search list.
Step 6 Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols, create a
new entry with the name PEAP_o_TLS and allow only two protocols:
a. EAP-TLS
b. PEAP with inner method EAP-MS-CHAPv2
c. Click Submit to save changes
Below shows the resulting authentication policy. The modified objects are highlighted in Yellow.
Columns: Status, Name, Condition, Protocols, Identity Source, Options (if authentication failed / if user not found / if process failed)
MAB: IF Wired_MAB OR Wireless_MAB, allow protocols Default Network Access, and use Internal Endpoints. Options: Reject / Reject / Drop.
Dot1X: IF Wired_802.1X OR Wireless_802.1X, allow protocols PEAP_o_TLS, and use DOT1X_Sequence. Options: Reject / Reject / Drop.
Default Rule (if no match): allow protocols Default Network Access, and use DenyAccess. Options: Reject / Reject / Drop.
c. Click Save.
Step 8 Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Create
two Authorization Profiles that will be used in the Authorization Policy: one for full network
access and the other dedicated to supplicant provisioning.
a. Authorization Profile for allowing Full Network Access
Name: WLC_FullAccess
Description: --
Access Type: ACCESS_ACCEPT
Common Tasks: Airespace ACL Name = PERMIT-ALL-TRAFFIC
Resulting attributes:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT-ALL-TRAFFIC
Click Submit to save the changes.
PERMIT-ALL-TRAFFIC is a named ACL defined at the WLC that allows all IP traffic.
PERMIT-2-ISE-a-DNS is another named ACL at the WLC. It permits limited access to ISE and DNS only.
Step 9 Next, add two Authorization Policy rules under Policy > Authorization as shown below, with the
rule names Reg with ISE TLS and Employee Personal Device. Also, set the Default rule to
DenyAccess.
Note: Identity Group RegisteredDevices is one of the Endpoint Identity Groups.
Note: To insert a new authorization rule, click Edit at the right end of a rule and
choose from the drop-down option menu.
Then, pick Add Attribute/Value to add more such conditions to the same rule.
Step 10 Go to Policy > Client Provisioning and create a new rule which will look like the following:
Columns: Status, Rule Name, Identity Groups, Operating Systems, Other Conditions, Results
Rule Apple iOS: Identity Groups Any; Operating Systems Apple iOS All; Other Conditions -; Results iOS_WPA2e_TLS
Create a new Native Supplicant Profile in-line from within the Results cell.
Notes: The SSID value is case-sensitive and needs to be exactly the same as the one defined in the WLC. To avoid
any typos, copy the SSID name from the WLC and paste it into the ISE GUI.
To find the SSID for your POD, go to the admin PC, launch a browser and log in to the WLC (https://wlc.demo.local) with
Username = admin and Password = ISEisC00L.
Click and then copy the name of the Secure SSID, e.g. n-p##-TS-WPA2e. If the SSID is disabled,
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Connect to the iPad via VNC to test the wireless BYOD feature
Connect the iPad to the corporate SSID and check the onboarding of Apple iPad and
installation of the profiles for the native supplicant for the corporate user
Step 1 Click on the short-cut VNC-to-iPad on the taskbar to start a VNC session to the iPad.
Step 2 Press any key to continue, once prompted to do so.
Tips on controlling the iPad UI via VNC client:
Home: (On PC/Mac with 2/3-button mouse) Right-click once with the mouse. (On Mac with trackpad) Touch with two fingers on
the trackpad if Secondary Click is configured.
Mouse: Mouse pointer mimics touching the iPad screen with one finger.
Scrolling or dragging: Press and hold Left mouse button and move the mouse pointer to scroll
Keyboard: Move the pointer over any text box on the iPad, click once, and then begin using your local keyboard for input.
Note: The tab key is not available on the iPad's virtual keyboard, so you will have to move the pointer to the text field you want
to input text into, and click on it.
Step 3 On the iPad, navigate to Settings > General > Profiles. Remove any existing profiles, if
present.
Note: If there are no profiles, you might not see the Profiles menu option.
Step 4 Next on the iPad, go to Settings > Safari and hit Clear History as well as Clear Cookies and
Data.
Step 5 Go to Settings > Wi-Fi and slide the virtual switch to enable Wi-Fi. Select and connect to the
network n-p##-TS-WPA2e
a. Enter the username/password AD credentials (employee1 / ISEisC00L) and click Join
b. Click to Accept the certificate.
Note: This certificate shows aaa.demo.local as the certificate subject; it is a wildcard certificate.
Note: Apple iOS prompts for the RADIUS server EAP-TLS certificate because it is seeing the certificate for the first time, on an ad-hoc
connection.
c. Next click on the blue arrow of the connected network and verify the IP address assigned
Note: The IP address for the iPad might be different depending on the DHCP scopes in the POD; the iPad might get an IP address from
the 10.1.10.x subnet, which is OK.
Step 6 Now launch the mobile Safari app and access the website www-int.demo.local.
You will receive a warning Cannot Verify Server Identity. Click Continue and you will be redirected to
the self-provisioning page.
Note: If a red error is shown and the Register button is greyed out, check if a Client Provisioning Policy rule has been created for
Apple iOS (Policy > Client Provisioning).
Also, run a Supplicant Provisioning Report (Operations > Reports > Endpoints and Users > Supplicant Provisioning > Run).
When prompted to install the CA certificate that signed the SSL server certificate of ISE, click
Install.
Notes: iOS_WPA2e_TLS is the name of the supplicant profile created in Step 10 of Exercise 2.
Step 12 Check the live authentication logs on ISE admin web console (Operations > Authentications)
to verify that the correct authorization profiles were applied. The sequence will look similar to the
following. Initially, the device will be authorized for WLC_SupplicantProvisioning. Once the
provision is done, another authentication occurs and the WLC_FullAccess profile will be applied.
Note: For detailed troubleshooting, enable DEBUG logging for the relevant components: client, guest and provisioning
(Admin > System > Logging > Debug Log > Config).
Step 13 Go to the My Devices Portal http://mydevices.demo.local and inspect the endpoint registration
states. Login as employee1 / ISEisC00L if the portal session expires.
a. The initial state of the device is Pending as shown below.
b. Once the newly installed Wi-Fi profile authenticates the device to the
network, this state will move to Registered.
This transition may take up to 20 minutes or not occur at all due to bug CSCtx94533
Exercise Description
This exercise will show you the device self-management features of Cisco ISE.
You will simulate losing your iPad and blacklisting the device as lost. Blacklisting the device
prevents it from being misused on the corporate network. Cisco ISE uses RADIUS CoA
messaging to interact with network access devices to enforce restrictions on the user self-
provisioned device.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Customize the Authorization Profile to Blacklist wireless endpoints
From the My Devices Portal mark the device as Lost to observe the Change of Authorization
(CoA) occur and restrict access from the device
When the device is reinstated on the My Devices Portal, Change of Authorization is again
triggered and the device should now be given full network access
Step 1 Refer to Appendix A for the sample WLC configuration. Login to WLC web interface
https://wlc.demo.local as admin / ISEisC00L to review the WLAN (menu WLANs) and ACLs
(menu SECURITY; side Access Control List > Access Control List) used in this exercise.
a. WLAN: n-p##-TS-WPA2e
b. ACLs: PERMIT-ALL-TRAFFIC and BLACKHOLE
Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e
Step 2 Go to My Devices Portal. Select the iPad and click Lost?. The device will now
be blocked from accessing the network. Note the icon change under the State.
Step 4 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic
Authorization is triggered after the device is marked Lost, then a reauthorization matches the device to
the BlackList_Wireless_Access profile.
Step 6 The Live Authentications logs should show an entry Dynamic Authorization (CoA) succeeded
followed by a re-authentication, which puts the device in the WLC_FullAccess profile.
Step 7 On iPad, again try to access www-int.demo.local. The website should now be accessible.
Step 8 On iPad, go to Settings > Wi-Fi and slide the virtual switch to turn off Wi-Fi.
End of Exercise: You have successfully completed this exercise.
Proceed to next section.
This lab covers the ISE configuration requirements to enable ISE integration with 3rd party MDM servers.
Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices
deployed across mobile operators, service providers and enterprises. A typical MDM product consists of a
policy server and an inline enforcement point that controls the use of applications (e.g. email) on a mobile
device in the deployed environment. Today Cisco Identity Services Engine (ISE) is the only entity that can
provide granular access to endpoints (based on ACLs, TrustSec SGTs, etc.). In this integration, the ISE-
enabled network is the enforcement point while the MDM policy server serves as the policy decision
point. ISE expects specific data from MDM servers to provide a complete solution.
MDM servers can be used as a cloud service or installed locally on premises. Once the installation, basic
setup and compliance checks are configured on the MDM server, it can then be added to ISE.
Exercise Objective
In this exercise students will add a 3rd party MDM server to ISE and then configure ISE authorization
policies to use MDM attributes.
The diagram below shows the main steps in configuring MDM Integration.
Go to Administration > System > Certificates > Certificate Store and verify that the Mobile Iron
Certificate is in Certificate Store as shown below.
Step 2 Add the MDM Server. Go to Administration > Network Resources > MDM. Click Add to add the
MDM server. Enter the MDM Server details as below with the credentials User name: admin,
Password: ISEisC00L.
Make sure to select the Enable checkbox so that the server is enabled after adding.
Step 5 Review the MDM dictionaries. Once the MDM server is added, the supported dictionaries show
up on ISE and can later be used in ISE Authorization Policies. Go to Policy > Policy
Elements > Dictionaries > System > MDM > Dictionary Attributes and review all the
available attributes.
Step 6 Log on to the WLC. Navigate to Security > Access Control Lists > Access Control Lists.
Verify that the ACL named MDM_Quarantine_ACL is present on the Wireless LAN Controller. This
ACL was used in policy earlier to redirect clients selected for BYOD supplicant provisioning and
certificate provisioning, and will also be used for MDM Quarantine.
Step 7 Configure ISE Authorization Policies. Once the MDM server is added to ISE, we can configure
authorization policies in ISE to leverage the new dictionaries added for MDM servers.
a. Create an Authorization Profile named MDM_Quarantine for devices which are not
compliant with MDM policies. In this case all non-compliant devices will be redirected to ISE
and presented with a message.
b. Go to Policy > Policy Elements > Results > Authorization > Authorization Profiles and
click on Add to add MDM_Quarantine as below:
c. Update the two policy rules (Reg with ISE TLS and its duplicate) as defined below, in turn:
Reg with ISE and MDM comp: Once the device is registered with both ISE and MDM, and is in
compliance with MDM policies, it will be granted full access to the network.
Reg with ISE NOT MDM: This Authorization Rule is added for devices which are registered with ISE but
either not yet registered with an MDM server or not compliant with MDM policies. Once the device hits this rule, it
will be forwarded to the ISE MDM landing page. If not yet registered with MDM, the Register button is
shown. If already registered but not yet compliant, it will inform the user about the compliance failure.
Note: Use Duplicate Above/Below to speed up creating rules with similar conditions.
Do not forget to Save all the changes after updating the Authorization Policy rules.
Exercise Description
This exercise will review the MobileIron policy configuration for the corporate compliance policies.
Note: Please DO NOT change any policies on the 3rd party MDM server as this could leave the iPad in an unusable state.
Exercise Objective
In this exercise, your goal is to familiarize yourself with and review the configuration of the MobileIron Server for
the corporate policies. This includes completion of the following tasks:
Verify admin account privileges for the REST API, i.e. the account used by ISE to send REST
API calls to the MobileIron Server
b. Login with username admin and password ISEisC00L. Once you login, the USER &
DEVICES tab should display.
c. Navigate to USERS & DEVICES > User Management. From there, click the checkbox
before employee1 user and click on Assign Roles.
d. Notice that the API check box is NOT selected for the user
Note: The current version of AnyConnect is not compatible with iPad 1 in the pod, so AnyConnect cannot be enforced here.
You are now familiar with the basic configurations of the 3rd-party MDM server, MobileIron. You will use them in subsequent exercises.
The Apple iPad you will be using is controlled remotely using VNC over the USB port of the admin PC. Due to configuration and
limitations of remotely controlling an interactive device like the iPad in a lab environment please do not deviate from the
exercise steps. Any deviation may result in losing connectivity to the iPad, which will need physical / manual resetting and
prevent you from experiencing the full potential of the lab.
Thank you for your cooperation.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Complete device enrollment with the 3rd party MDM, install corporate application
Step 1 On iPad, go to Settings > Wi-Fi and slide the virtual switch to turn on Wi-Fi.
Note-1: If the VNC session to the iPad is closed, click on the short-cut VNC-to-iPad on the taskbar to restart a VNC session to the iPad.
Note-2: If the Wi-Fi was not turned off at the end of Lab Exercise 4, first turn it off and remove the client session from the WLC: use
the Firefox browser on the admin PC to go to https://wlc.demo.local, navigate to menu MONITOR > Clients, follow the client MAC
address hyperlink to drill into the session, and click the Remove button.
Step 2 Launch the mobile Safari app and access www.google.com. The endpoint will have access as
per Corporate policies, as the iPad has previously registered with ISE in Exercise 3.
Step 3 Now access the website www-int.demo.local (Corporate Resource). Since the device is not
enrolled with MDM, as per the configured policies the device will be redirected to the page hosted
on ISE to register with the 3rd Party MDM Server. To simplify the end-user experience, a link to the
configured 3rd party MDM Server is presented; the user can click on the link to be
redirected to install the MDM client.
Click on the link called Step1: Enroll but do NOT click on the Step 2: Continue button.
Note: In this lab the 3rd party MDM agent is already downloaded so, DO NOT click
Go to the iPad home screen by right-clicking on the iPad. Hold down the click key and move the mouse
towards your left to swipe on screen; this will take you to the third page on the iPad. Click on the
MobileIron Agent app to launch it.
Note: If the third page has no MobileIron, right click once to go back to iPad home screen and right click again to launch
search. Enter MobileIron as the search string to find and launch it.
Step 4 Enter the following values and accept ALL certificates when prompted. If asked for a certificate,
click Accept, since this is the certificate from the MobileIron Server to be installed on the iPad. The
certificate is later used to push the MDM profile and certificates from the MobileIron Server.
User Name: employee1
Server: mobileiron.demo.local
Password: ISEisC00L
Notes: After clicking on Done, STOP and wait for the iPad to prompt for App Installation. If the
iPad does not prompt for App Installation, please check with the Lab Administrator. This is to test the non-
compliance state of the iPad.
The iPad is now registered with the MobileIron MDM server but is missing the corporate application, and therefore is NOT
compliant with ISE as per the configured policies.
Step 5 As part of the corporate compliance policies, the device needs to have the corporate applications. In
this lab, the MDM server will push the WebEx application onto the iPad.
Step 6 Click on Safari to open the browser and access www-int.demo.local, then click the Continue
button so ISE can send a CoA-Reauth.
Once ISE sends a successful COA, it will refresh the iPAD browser prompting the
Step 7 Type the original URL in the address bar: www-int.demo.local. The iPad is
non-compliant with the corporate policies as it is missing the WebEx
application; therefore ISE will redirect the user to the MDM non-
compliance page.
The explanation and recommendation text might be different from the
screenshot, depending on the MobileIron VSP server version.
Step 8 Go to the iPad home screen by right-clicking on the iPad. Hold down the click key and move the mouse
towards your left to swipe on screen; this will take you to a new page on the iPad. Click on the
MobileIron Agent app to launch it.
Note: If the page has no MobileIron, right click once to go back to iPad home screen and right click again to launch search. Enter
MobileIron as the search string to find and launch it.
Notes: After clicking on Apps, STOP if any of the apps is reported in RED. This means that the MobileIron MDM
Server has NOT received updates from the MobileIron Agent.
Go to the iPad home screen by right-clicking on the iPad. Hold down the click key and move the mouse towards your left to
swipe on screen; this will take you to a new page on the iPad. Click on the MobileIron Agent app to launch it.
Click Settings, then Force Device Check-in, then click Check-in.
Please note that this might need to be done multiple times, depending on whether the update from the MobileIron Agent
reaches the MobileIron Server.
Step 14 Look at the live logs on ISE admin web console to verify that the correct authorization profiles
were applied. Initially, the device will be authorized for MDM_Quarantine. Once the provision is
done, another MDM registration process will start where first the user would be requested to
register and then comply with the corporate compliance policies, which would result in another
authentication, and then the WLC_FullAccess profile will be applied.
Exercise Description
This exercise will show you the device self-management features of Cisco ISE.
You will simulate losing your iPad and performing a Corporate Wipe action on the device.
Corporate Wipe will remove all the corporate data. In this case WebEx was pushed as a
corporate application earlier so will be removed. Cisco ISE uses APIs to interact with the MDM
Server in enforcing restrictions on the user self-provisioned device.
Exercise Objective
In this exercise, your goal is to complete the following tasks:
Review the MDM_Quarantine policy that was created earlier
From the My Devices Portal initiate the Corporate Wipe action on the device to observe the
Change of Authorization (CoA) occur and restrict access from the device
Step 1 Refer to Appendix A for the sample WLC configuration. Login to WLC web interface
https://wlc.demo.local as admin / ISEisC00L to review the WLAN (menu WLANs) and ACLs
(menu SECURITY; side Access Control List > Access Control List) used in this exercise.
a. WLAN: n-p##-TS-WPA2e
b. ACLs: PERMIT-ALL-TRAFFIC and MDM_Quarantine_ACL
Note: The ## in n-p##-TS-WPA2e is to be replaced with the assigned pod number; e.g. n-p22-TS-WPA2e for POD 22
Step 2 Review the authorization profile MDM_Quarantine under Policy > Policy Elements > Results
> Authorization > Authorization Profiles.
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=mdm
cisco-av-pair = url-redirect-acl=MDM_Quarantine_ACL
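To make the rule ordering and the resulting RADIUS attributes concrete, here is an added Python model of the authorization policy from Exercise 5 together with the MDM_Quarantine profile above and the Lost, Reinstate and Corporate Wipe events of Exercises 4 and 8; it is constructed for this guide and is not ISE code. Assumed rather than taken from the guide: the MDM attribute names DeviceRegisterStatus and DeviceCompliantStatus, the Blacklist endpoint group, the ACLs bound to the blacklist and provisioning profiles, and the portal address ise-1.demo.local:8443.

```python
from dataclasses import dataclass, field
from typing import Optional

# url-redirect template exactly as the lab's MDM_Quarantine profile carries it;
# ISE substitutes ip:port and SessionIdValue per session before sending it.
REDIRECT_TEMPLATE = ("url-redirect=https://ip:port/guestportal/gateway"
                     "?sessionId=SessionIdValue&action=mdm")

# Authorization profiles, expressed as the RADIUS attributes the WLC receives.
# The ACLs bound to the blacklist and provisioning profiles are assumptions.
PROFILES = {
    "WLC_FullAccess": {"Airespace-ACL-Name": "PERMIT-ALL-TRAFFIC"},
    "WLC_SupplicantProvisioning": {"Airespace-ACL-Name": "PERMIT-2-ISE-a-DNS"},
    "BlackList_Wireless_Access": {"Airespace-ACL-Name": "BLACKHOLE"},
    "MDM_Quarantine": {"cisco-av-pair": [REDIRECT_TEMPLATE,
                                         "url-redirect-acl=MDM_Quarantine_ACL"]},
    "DenyAccess": None,  # Access-Reject: no authorization attributes at all
}


@dataclass
class Session:
    """What ISE knows about one wireless session when the policy runs."""
    auth_method: str                                   # "EAP-TLS" or "PEAP"
    endpoint_groups: set = field(default_factory=set)  # e.g. {"RegisteredDevices"}
    mdm: dict = field(default_factory=dict)            # MDM dictionary attributes (assumed names)
    session_id: str = ""
    psn: str = "ise-1.demo.local:8443"                 # assumed portal address:port


def ise_registered(s: Session) -> bool:
    return "RegisteredDevices" in s.endpoint_groups


def mdm_ok(s: Session) -> bool:
    """Registered with the MDM server and compliant with its policies."""
    return (s.mdm.get("DeviceRegisterStatus") == "Registered"
            and s.mdm.get("DeviceCompliantStatus") == "Compliant")


# Rules in the order the lab leaves them: blacklist first, then the two MDM
# rules from Exercise 5, then supplicant provisioning, then the DenyAccess default.
RULES = [
    ("Wireless Black List Default",
     lambda s: "Blacklist" in s.endpoint_groups, "BlackList_Wireless_Access"),
    ("Reg with ISE and MDM comp",
     lambda s: s.auth_method == "EAP-TLS" and ise_registered(s) and mdm_ok(s),
     "WLC_FullAccess"),
    ("Reg with ISE NOT MDM",
     lambda s: s.auth_method == "EAP-TLS" and ise_registered(s), "MDM_Quarantine"),
    ("Employee Personal Device",
     lambda s: s.auth_method == "PEAP" and not ise_registered(s),
     "WLC_SupplicantProvisioning"),
    ("Default", lambda s: True, "DenyAccess"),
]


def render_attributes(profile: str, s: Session) -> Optional[dict]:
    """Expand a profile for one session: fill in ip:port and SessionIdValue."""
    attrs = PROFILES[profile]
    if attrs is None:
        return None
    out = {}
    for name, value in attrs.items():
        values = [v.replace("ip:port", s.psn).replace("SessionIdValue", s.session_id)
                  for v in (value if isinstance(value, list) else [value])]
        out[name] = values if isinstance(value, list) else values[0]
    return out


def authorize(s: Session):
    """First-match evaluation (ISE's default mode): (rule, profile, attributes)."""
    for rule, cond, profile in RULES:
        if cond(s):
            return rule, profile, render_attributes(profile, s)
    raise AssertionError("the Default rule always matches")


def apply_event(s: Session, event: str) -> Session:
    """Portal and MDM events from Exercises 4, 7 and 8. Each one makes ISE send
    a CoA; the WLC then re-authenticates the device and authorize() runs again."""
    if event == "lost":              # My Devices Portal: Lost?
        s.endpoint_groups.add("Blacklist")
    elif event == "reinstate":       # My Devices Portal: Reinstate
        s.endpoint_groups.discard("Blacklist")
    elif event == "mdm_enroll":      # MobileIron agent enrolled, WebEx not yet pushed
        s.mdm = {"DeviceRegisterStatus": "Registered",
                 "DeviceCompliantStatus": "NonCompliant"}
    elif event == "mdm_compliant":   # WebEx installed and agent checked in
        s.mdm["DeviceCompliantStatus"] = "Compliant"
    elif event == "corporate_wipe":  # My Devices Portal: Corporate Wipe
        s.mdm = {}
    else:
        raise ValueError(f"unknown event {event!r}")
    return s
```

Swapping the two MDM rules would send every registered device to quarantine, which is why the more specific "and MDM comp" rule must sit above "NOT MDM" in the policy.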
Notes: Due to a possible race condition (CSCui00582), ISE does not send a CoA to the controller after
initiating the Corporate Wipe. Please initiate a CoA from the ISE Live Sessions logs or toggle Wi-Fi to see the
change in authorization policy rule.
Step 4 From the VNC session to the iPad, switch to the mobile Safari app. Reload the page
www-int.demo.local and the user will see the message You must enroll your device.
Step 5 Under Operations > Authentications, review the Live Logs. They will show that a Dynamic
Authorization is triggered after the device is Corporate-Wiped, then a reauthorization matches
the device to the MDM_Quarantine profile.
Step 6 Clean up the iPad and turn off wireless to get ready for the next exercise
a. Close all browser tabs.
b. Go to Settings > Wi-Fi and slide the virtual switch to disable Wi-Fi.
c. Remove the two profiles installed by the ISE BYOD services on iPad under Settings >
General > Profiles.
d. Go to Settings > Safari and hit Clear History as well as Clear Cookies and Data.
End of Exercise: You have successfully completed this exercise.
Proceed to next section.
Exercise Description
This exercise showcases flexibility of Cisco ISE where an employee may provision a personal PC
onto a wired network.
Exercise Objective
In this exercise, your goal is to configure the ISE for wired MAB-to-PEAP BYOD, which includes
the completion of the following tasks in ISE:
Modify the Authorization Policy to allow CWA. Then, grant full access to the users
authenticated using MSCHAPv2 and on registered devices.
Step 1 Access the ISE web administration interface at https://ise-1.demo.local using the credentials
admin / ISEisC00L
Step 2 Update Guest_Portal_Sequence
a. Go to Administration > Identity Management > Identity Source Sequences
b. Edit Guest_Portal_Sequence to use demoAD in its Authentication Search list.
Step 4 Modify the Authentication Policy under Policy > Authentication as shown below in Yellow
Columns: Status, Name, Condition, Protocols, Identity Source, Options (if authentication failed / if user not found / if process failed)
MAB: IF Wired_MAB OR Wireless_MAB, allow protocols HostLookup_only, and use Internal Endpoints. Options: Reject / Continue / Drop.
Dot1X: IF Wired_802.1X OR Wireless_802.1X, allow protocols PEAP_o_TLS, and use DOT1X_Sequence. Options: Reject / Reject / Drop.
Default Rule (if no match): allow protocols Default Network Access, and use DenyAccess. Options: Reject / Reject / Drop.
a. Go to Policy > Client Provisioning Policy and add a rule for Windows PC.
Columns: Status, Rule Name, Identity Groups, Operating Systems, Other Conditions, Results
Rule Apple iOS: Identity Groups Any; Operating Systems Mac iOS All; Other Conditions -; Results iOS_WPA2_TLS
b. Under Native Supplicant Configuration, expand the cell results to create the following two
resources inline
I. Config Wizard
a) Download the wizard bundle from the following location on the admin PC:
http://tools.demo.local/cp/win_spw-1.0.0.34-isebundle.zip
Note: To in-line create Config Wizard and Wizard Profile, click on the gear icon
Note: Select the option Upload Resource for Config Wizard.
b) Upload the download from (a) to ISE. The upload is saved as WinSPWizard
1.0.0.n.
Note: This employs the offline-upload method for a wizard resource, such as win_spw-n.n.n.n-isebundle.zip.
Such offline bundle files are in the CCO download location for ISE. Alternatively, the resources can be
fetched online from the Client Provisioning update feed, if the ISE has access to the feed URL.
c. After both the Profile and the Config Wizard are created, reselect them as the results and
Save the changes.
Note: The inline creation and Save only saves the newly created Wizard Profile and not the new policy. Hence, first Save changes
for the new Wizard Profile or Config Wizard, and then Save changes again for the new Client Provisioning Policy.
Step 1 From the Admin PC, using PuTTY, connect to the 3k-access using the credentials admin / ISEisC00L
Issue the following CLI commands to bring up interface g0/1:
3k-access#terminal monitor
3k-access#conf t
3k-access(config)#interface GigabitEthernet 0/1
3k-access(config-if)#no shutdown
Step 11 The user now has Full Access. Check the Live logs (under Operations > Authentications) on
ISE to confirm this assignment.
End of Lab: Congratulations! You have successfully completed the lab. Please let your
proctor know you finished and provide any feedback to help improve the lab experience.