- CISCO ISE 2.4 POLICY SETS INSTALL
- CISCO ISE 2.4 POLICY SETS FULL
- CISCO ISE 2.4 POLICY SETS REGISTRATION
- CISCO ISE 2.4 POLICY SETS CODE
- CISCO ISE 2.4 POLICY SETS PASSWORD
I have recently had the opportunity to get my hands on a shiny new Cisco DNA Center appliance and some sexy new Catalyst 9K switches. There are a lot of moving parts required for SDA (Software Defined Access) to function and I am not yet convinced that the benefits outweigh the cost and complexity of the architecture for small – medium sized networks.
CISCO ISE 2.4 POLICY SETS FULL
I successfully logged onto the network with full access.īottom log entry is where I hit the redirect (default rule).Įntries above that show my device hitting full access.Cisco’s latest marketing push around intent based networking looks very interesting but I am curious to see what the uptake is like over the next 12 to 18 months.I reconnected to the SecDemo-iPSK network but this time used my personal passphrase that was assigned.I closed out of the portal, went into my phone settings, and forgot the wireless network.Clicking submit took me to a screen showing my personal passphrase for the connection.This includes the MAC address of my device. After typing in my credentials and logging in, I was presented with a screen showing my information.I initially hit the default authorization which led me to be redirected to the iPSK portal.My mobile phone connected to the SecDemo-iPSK SSID using the default LetMeIn! passphrase.If the device fails any of those checks, the default rule will redirect them to the iPSK portal to register the device. The authorization policy is configured to authorize the device if it exist in the iPSK database, the correct PSK was used, and the account is not expired. I then finished out the installation guide steps including restarting the Apache service and connecting to the iPSK admin web GUI. SSLCertificateChainFile /etc/apache2/ssl/secdemoca.crt SSLCertificateKeyFile /etc/ssl/private/ipsk.key SSLCertificateFile /etc/ssl/certs/ipsk.crt Since I am not using a self signed certificate, steps 10a and 10b were modified with the following information: Created the file for my root CA after downloading a copy, editing with a text editor, copy all contents, and pasting to the new file created (ie secdemoca.crt).Created the ssl directory in /etc/apache2.The contents of the certificate file I copied in step 3 were pasted into this file. Back on the server, I browsed to /etc/ssl/certs and created the file ipsk.crt.Once the new certificate was issued, open it with a text editor and copy all of the contents.
Be sure to copy all of the contents including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
I wanted to utilize my internal domain CA for this set up but a 3rd party CA would be ideal so that the guest endpoints would trust the certificate on the iPSK portal. I didn’t want to use a self signed certificate on my Apache node (Ubuntu Server 18.04).
CISCO ISE 2.4 POLICY SETS CODE
NOTE: iPSK is not supported in FlexConnect environments running WLC code below 8.5. I will be following the installation guide I linked to above for the most part but will note differences below. There will also be a portal where users can register endpoints (ie wireless printer) without having to go through the provisioning flow. This redirection will enable them to register the device with iPSK which in turn will register them with the ISE deployment.
CISCO ISE 2.4 POLICY SETS REGISTRATION
The endpoint will be redirected to a registration portal if they instead present the default PSK passphrase. In this write-up, the endpoint must present the correct PSK tied to the MAC address.
CISCO ISE 2.4 POLICY SETS INSTALL
There is no need for them to install certificates or any other network supplicant. Why would you use this instead of the BYOD provisioning or the My Devices portal already built into ISE? A few reasons stand out.
CISCO ISE 2.4 POLICY SETS PASSWORD
When ISE authorizes the connection, a unique password will be returned to the WLC that must match what is presented by the client. Cisco ISE will be used to authenticate the endpoint based on the MAC address. What is iPSK? Identity PSKs are used to assign a unique PSK to an endpoint so that only the registered endpoint can utilize that password when connecting to a WPA2 network. The iPSK (Identity Pre-Shared-Key) Manager portal server for ISE is a free utility that can be used to create iPSK accounts.