The authentication policy for wireless networks using MAB is explained in the previous section. This section explains the authentication policy for the wireless medium using the dot1X protocol, as shown in Table Figure shows how these rules were configured on the ISE for this design guide.

Once the ISE classifies the client machine, it uses client provisioning resource policies to ensure that the client is configured with an appropriate agent version, up-to-date compliance modules, and the correct agent customization packages and profiles, if necessary.
Published (Last): 5 October 2019
At the branch—The endpoint receives an IP address from a DHCP scope at the branch and the provisioning traffic uses the switching and WAN infrastructure for connectivity to data center resources. The FlexConnect Local Switching setting is disabled for central switching provisioning. The FlexConnect Local Switching is enabled for local switching provisioning.
Access to Google Play.

Note: The ACL shown above is provided as an example that network administrators can deploy in the network. The Google and Apple app stores may change their addresses, so it is advisable to validate those addresses before deploying the ACL.

There are some considerations to take into account when deploying a Single SSID solution:

1. Since the authentication method is PEAP, the user is expected to enter the AD credentials before the registration process can begin.
In the PEAP protocol, the server presents its identity certificate to the end user. In this design, ISE presents its identity certificate to the endpoint. Some endpoints may reject the certificate if the root certificate is not present in their list of trusted providers. Hence, this presents a chicken-and-egg problem.
To prevent this from happening, the ISE identity certificate must be signed by a third-party trusted provider such as VeriSign. If the above cannot be done, then it is better to deploy a dual SSID design.

Figure shows the setting for an access point in Branch1. FlexConnect Groups are explained in the next section. This is particularly helpful when grouping several FlexConnect access points in remote or branch locations.
Instead of configuring each access point separately, FlexConnect groups allow the configuration parameters to be applied to all access points at once. For the purpose of this guide, a unique FlexConnect group was defined for each branch, as shown in Figure Starting on WLC release 7. Figure shows the different configuration settings required to dynamically assign endpoints to a branch VLAN, which include: The WLAN at the branch configured for local switching mode.
Cisco Unified Access (UA) and Bring Your Own Device (BYOD) CVD