Introduction
Mobile devices are becoming more computationally powerful and popular among consumers. Millions of these devices are sold with high-speed Wi-Fi so users can communicate and collaborate. Consumers are now accustomed to the productivity these mobile devices bring to their personal lives and want the same experience in the workplace. This drives the need for a Bring Your Own Device (BYOD) solution in the workplace.
This document provides the branch deployment for the BYOD solution. An employee connects to a corporate service set identifier (SSID) with his/her new iPad and gets redirected to a self-registration portal. The Cisco Identity Services Engine (ISE) authenticates the user against the corporate Active Directory (AD) and downloads a certificate with an embedded iPad MAC address and username to the iPad, along with a supplicant profile that enforces the use of the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) as a method for dot1x connectivity. Based on the authorization policy in ISE, the user can then connect with the use of dot1x and gain access to appropriate resources.
ISE functionalities in Cisco Wireless LAN Controller software releases earlier than 7.2.110.0 did not support local switching clients that associate through FlexConnect access points (APs). Release 7.2.110.0 supports these ISE functionalities for FlexConnect APs for local switching and centrally authenticated clients. Furthermore, Release 7.2.110.0 integrated with ISE 1.1.1 provides (but is not limited to) these BYOD solution features for wireless:
- Device profiling and posture
- Device registration and supplicant provisioning
- Onboarding of personal devices (provision iOS or Android devices)
Note: Although supported, other devices, such as PC or Mac wireless laptops and workstations, are not included in this guide.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Catalyst Switches
- Cisco Wireless LAN (WLAN) Controllers
- Cisco WLAN Controller (WLC) Software Release 7.2.110.0 and later
- 802.11n APs in FlexConnect mode
- Cisco ISE Software Release 1.1.1 and later
- Windows 2008 AD with Certificate Authority (CA)
- DHCP server
- Domain Name System (DNS) server
- Network Time Protocol (NTP)
- Wireless client laptop, smartphone, and tablets (Apple iOS, Android, Windows, and Mac)
Note: Refer to Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 7.2.110.0 for important information about this software release. Log in to the Cisco.com site for the latest release notes before you load and test software.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Topology
A minimal network setup, as shown in this diagram is required in order to properly implement and test these features:
![byod-flexconnect-dg-001.gif byod-flexconnect-dg-001.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-001.gif)
For this simulation, you need a network with a FlexConnect AP, a local/remote site with local DHCP, DNS, the WLC, and the ISE. The FlexConnect AP is connected to a trunk in order to test local switching with multiple VLANs.
Device Registration and Supplicant Provisioning
A device must be registered so that its native supplicant can be provisioned for dot1x authentication. Based on the matching policy, the user is redirected to the guest page and authenticated with employee credentials. The user then sees the device registration page, which asks for the device information, and the device provisioning process begins. If the operating system (OS) is not supported for provisioning, the user is redirected to the Asset Registration Portal in order to mark that device for MAC Authentication Bypass (MAB) access. If the OS is supported, the enrollment process begins and configures the native supplicant of the device for dot1x authentication.
Asset Registration Portal
The Asset Registration Portal is the element of the ISE platform that allows employees to initiate the onboarding of endpoints through an authentication and registration process.
Administrators are able to delete assets from the endpoints identities page. Each employee is able to edit, delete, and blacklist the assets they have registered. Blacklisted endpoints are assigned to a blacklist identity group, and an authorization policy is created in order to prevent network access by blacklisted endpoints.
Self-Registration Portal
In the Central Web Authentication (CWA) flow, employees are redirected to a portal that allows them to enter their credentials, authenticate, and enter the specifics of the particular asset they wish to register. This portal is called the Self Provisioning Portal and is similar to the Device Registration Portal. It allows the employees to enter the MAC address as well as a meaningful description of the endpoint.
Authentication and Provisioning
Once employees select the Self-Registration Portal, they are challenged to provide a set of valid employee credentials in order to proceed to the provisioning phase. After successful authentication, the endpoint can be provisioned into the endpoints database, and a certificate is generated for the endpoint. A link on the page allows the employee to download the Supplicant Provisioning Wizard (SPW).
Note: Refer to the FlexConnect Feature Matrix Cisco article in order to view the latest FlexConnect feature matrix for BYOD.
Provisioning for iOS (iPhone/iPad/iPod)
For EAP-TLS configuration, ISE follows the Apple Over-the-Air (OTA) enrollment process:
- After successful authentication, the evaluation engine evaluates client-provisioning policies, which results in a supplicant profile.
- If the supplicant profile specifies EAP-TLS, the OTA process determines whether the ISE certificate is self-signed or signed by a CA that the device does not already trust. If either is true, the user is asked to download the ISE or CA certificate before the enrollment process can begin.
- For other EAP methods, ISE pushes the final profile upon successful authentication.
Provisioning for Android
Because of security considerations, the Android agent must be downloaded from the Android marketplace site and cannot be provisioned from ISE. Cisco uploads a release candidate version of the wizard into the Android marketplace through the Cisco Android marketplace publisher account.
This is the Android provisioning process:
- Cisco uses the Software Development Kit (SDK) in order to create the Android package with a .apk extension.
- Cisco uploads a package into the Android marketplace.
- The user configures the policy in client provisioning with the appropriate parameters.
- After registration of the device, the end user is redirected to the client provisioning service when dot1x authentication fails.
- The provisioning portal page provides a button that redirects user to the Android marketplace portal where they can download the SPW.
- The Cisco SPW is launched and performs provisioning of the supplicant:
- SPW discovers the ISE and downloads the profile from ISE.
- SPW creates a cert/key pair for EAP-TLS.
- SPW makes a Simple Certificate Enrollment Protocol (SCEP) proxy request call to ISE and gets the certificate.
- SPW applies the wireless profiles.
- SPW triggers re-authentication if the profiles are applied successfully.
- SPW exits.
Dual SSID Wireless BYOD Self-Registration
This is the process for dual SSID wireless BYOD self-registration:
- The user associates to the Guest SSID.
- The user opens a browser and is redirected to the ISE CWA Guest Portal.
- The user enters an employee username and password in the Guest Portal.
- ISE authenticates the user, and, based on the fact that they are an employee and not a guest, redirects the user to the Employee Device Registration guest page.
- The MAC address is pre-populated in the Device Registration guest page for the DeviceID. The user enters a description and accepts the Acceptable Use Policy (AUP) if required.
- The user selects Accept and begins to download and install the SPW.
- The supplicant for that user's device is provisioned along with any certificates.
- CoA occurs, and the device reassociates to the corporate SSID (CORP) and authenticates with EAP-TLS (or the other authentication method in use for that supplicant).
Single SSID Wireless BYOD Self-Registration
In this scenario, there is a single SSID for corporate access (CORP) that supports both Protected Extensible Authentication Protocol (PEAP) and EAP-TLS. There is no Guest SSID.
This is the process for single SSID wireless BYOD self-registration:
- The user associates to CORP.
- The user enters an employee username and password into the supplicant for the PEAP authentication.
- The ISE authenticates the user, and, based on the PEAP method, provides an authorization policy of accept with redirect to the Employee Device Registration guest page.
- The user opens a browser and is redirected to the Employee Device Registration guest page.
- The MAC address is pre-populated in the Device Registration guest page for the DeviceID. The user enters a description and accepts the AUP.
- The user selects Accept and begins to download and install the SPW.
- The supplicant for that user's device is provisioned along with any certificates.
- CoA occurs, and the device reassociates to the CORP SSID and authenticates with EAP-TLS.
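The RADIUS exchange that carries the dual and single SSID flows above (the MAB Access-Request from the WLC, the Access-Accept from ISE with the redirect av-pairs, and the RFC 3576 CoA-Request that forces re-authentication), shown as an added example in Python. This code is not part of the original Cisco guide and is not ISE or WLC code; it builds and parses the packets with the standard library only. The shared secret, MAC addresses, NAS address, session ID and the exact redirect URL are constructed values; the ACL name carried in url-redirect-acl must match the WLC FlexConnect ACL name (ACL-REDIRECT in this guide).

```python
"""RADIUS messages behind the CWA/BYOD flow (constructed example, standard library only): WLC MAB
Access-Request, ISE Access-Accept with redirect av-pairs, and the RFC 3576 CoA-Request."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, COA_REQUEST = 1, 2, 43
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 26, 30, 31
CISCO_VENDOR_ID, CISCO_AVPAIR, SERVICE_TYPE_CALL_CHECK = 9, 1, 10  # MAB requests use Call-Check

def attr(atype, value):
    """Encode one Type/Length/Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying a Cisco (vendor 9) cisco-avpair (vendor type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def encrypt_password(secret, request_auth, password):
    """User-Password hiding per RFC 2865 section 5.2: MD5 keystream, chained per 16-byte block."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_packet(code, identifier, authenticator, attributes):
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def response_authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret); a CoA-Request uses 16 zero bytes as RequestAuth."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def mab_access_request(secret, identifier, mac, ssid, nas_ip, ap_mac, request_auth=None):
    """What the WLC sends for an unknown MAC when MAC filtering is on (the open DemoCWA WLAN)."""
    ra = request_auth or os.urandom(16)
    attrs = [attr(USER_NAME, mac.encode()),
             attr(USER_PASSWORD, encrypt_password(secret, ra, mac)),
             attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
             attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode()),
             attr(CALLING_STATION_ID, mac.encode())]
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs)

def cwa_access_accept(secret, request_packet, acl_name, redirect_url):
    """ISE's reply under the CWA authorization profile: accept, but redirect through acl_name."""
    identifier, request_auth = request_packet[1], request_packet[4:20]
    attrs = [cisco_avpair(f"url-redirect-acl={acl_name}"), cisco_avpair(f"url-redirect={redirect_url}")]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return build_packet(ACCESS_ACCEPT, identifier, auth, attrs)

def coa_reauthenticate(secret, identifier, mac):
    """RFC 3576 CoA-Request (code 43, to the WLC on UDP/3799) that ISE sends once the supplicant is provisioned."""
    attrs = [attr(CALLING_STATION_ID, mac.encode()), cisco_avpair("subscriber:command=reauthenticate")]
    auth = response_authenticator(COA_REQUEST, identifier, b"\x00" * 16, attrs, secret)
    return build_packet(COA_REQUEST, identifier, auth, attrs)

def parse_attributes(packet):
    """Return [(type, value)], unwrapping Cisco av-pairs as ('cisco-avpair', str)."""
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    pos, out = 20, []
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype == VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("cisco-avpair", value[6:].decode()))
        else:
            out.append((atype, value))
    return out

def verify_response(secret, request_packet, response_packet):
    """Accept only replies whose Response Authenticator was computed with our secret and request authenticator."""
    if response_packet[1] != request_packet[1]:
        return False
    expected = hashlib.md5(response_packet[:4] + request_packet[4:20] + response_packet[20:] + secret).digest()
    return hmac.compare_digest(expected, response_packet[4:20])

def redirect_from_accept(secret, request_packet, response_packet):
    """(acl, url) from an authentic Access-Accept, or None if the authenticator check fails."""
    if not verify_response(secret, request_packet, response_packet):
        return None
    pairs = dict(v.split("=", 1) for t, v in parse_attributes(response_packet) if t == "cisco-avpair")
    return pairs.get("url-redirect-acl"), pairs.get("url-redirect")
```

Build the request with mab_access_request, hand it to cwa_access_accept to see what the WLC gets back, and run redirect_from_accept over the reply; the same verify_response check applied to a CoA-Request (with a 16-zero-byte request authenticator) is what the WLC does before honoring a reauthenticate command. The Response Authenticator and the shared secret are the only things that stop a spoofed Access-Accept or CoA from being trusted, which is why the Shared Secret entered on the WLC and on ISE should be long and random. EAP (dot1x) requests additionally carry the Message-Authenticator attribute (RFC 3579), which a plain MAB request does not, so this example omits it.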
Feature Configuration
Complete these steps in order to begin configuration:
- For this guide, ensure that the WLC version is 7.2.110.0 or later.
![byod-flexconnect-dg-002.gif byod-flexconnect-dg-002.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-002.gif)
- Navigate to Security > RADIUS > Authentication, and add the RADIUS server to the WLC.
![byod-flexconnect-dg-003.gif byod-flexconnect-dg-003.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-003.gif)
- Add the ISE 1.1.1 to the WLC:
- Enter a Shared Secret.
- Set Support for RFC 3576 to Enabled.
![byod-flexconnect-dg-004.gif byod-flexconnect-dg-004.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-004.gif)
- Add the same ISE server as a RADIUS accounting server.
![byod-flexconnect-dg-005.gif byod-flexconnect-dg-005.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-005.gif)
- Create a WLC Pre-Auth ACL to use in the ISE policy later. Navigate to WLC > Security > Access Control Lists > FlexConnect ACLs, and create a new FlexConnect ACL named ACL-REDIRECT (in this example).
![byod-flexconnect-dg-006.gif byod-flexconnect-dg-006.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-006.gif)
- In the ACL rules, permit all traffic to/from the ISE, and permit the client traffic needed during supplicant provisioning. Traffic that matches a permit entry bypasses the redirect and reaches the network before the device is authenticated, so keep the permitted set to the minimum (in this example, the ISE only).
- For the first rule (sequence 1):
- Set Source to Any.
- Set Destination IP to the ISE address with Netmask 255.255.255.255.
- Set Action to Permit.
![byod-flexconnect-dg-007.gif byod-flexconnect-dg-007.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-007.gif)
- For the second rule (sequence 2), set Source IP to the ISE address with Netmask 255.255.255.255, set Destination to Any, and set Action to Permit.
![byod-flexconnect-dg-008.gif byod-flexconnect-dg-008.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-008.gif)
- Create a new FlexConnect Group named Flex1 (in this example):
- Navigate to FlexConnect Group > WebPolicies tab.
- Under the WebPolicy ACL field, click Add, and select ACL-REDIRECT or the FlexConnect ACL created previously.
- Confirm that it populates the WebPolicy Access Control Lists field.
![byod-flexconnect-dg-009.gif byod-flexconnect-dg-009.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-009.gif)
- Click Apply and Save Configuration.
WLAN Configuration
Complete these steps in order to configure the WLAN:
- Create an Open WLAN SSID for the dual SSID example:
- Enter a WLAN name: DemoCWA (in this example).
- Select the Enabled option for Status.
![byod-flexconnect-dg-010.gif byod-flexconnect-dg-010.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-010.gif)
- Navigate to the Security tab > Layer 2 tab, and set these attributes:
- Layer 2 Security: None
- MAC Filtering: Enabled (box is checked)
- Fast Transition: Disabled (box is not checked)
![byod-flexconnect-dg-011.gif byod-flexconnect-dg-011.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-011.gif)
- Go to the AAA Servers tab, and set these attributes:
- Authentication and Account Servers: Enabled
- Server 1: <ISE IP address>
![byod-flexconnect-dg-012.gif byod-flexconnect-dg-012.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-012.gif)
- Scroll down from the AAA Servers tab. Under Authentication priority order for web-auth user, make sure that RADIUS is used for authentication and the others are not used.
![byod-flexconnect-dg-013.gif byod-flexconnect-dg-013.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-013.gif)
- Go to the Advanced tab, and set these attributes:
- Allow AAA Override: Enabled
- NAC State: Radius NAC
![byod-flexconnect-dg-014.gif byod-flexconnect-dg-014.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-014.gif)
Note: RADIUS Network Admission Control (NAC) is not supported when the FlexConnect AP is in disconnected mode. Thus, if the FlexConnect AP is in standalone mode and loses connection to the WLC, all clients are disconnected, and the SSID is no longer advertised.
- Scroll down in the Advanced tab, and set FlexConnect Local Switching to Enabled.
![byod-flexconnect-dg-015.gif byod-flexconnect-dg-015.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-015.gif)
- Click Apply and Save Configuration.
![byod-flexconnect-dg-016.gif byod-flexconnect-dg-016.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-016.gif)
- Create a 802.1X WLAN SSID named Demo1x (in this example) for single and dual SSID scenarios.
![byod-flexconnect-dg-017.gif byod-flexconnect-dg-017.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-017.gif)
- Navigate to the Security tab > Layer 2 tab, and set these attributes:
- Layer 2 Security: WPA+WPA2
- Fast Transition: Disabled (box is not checked)
- Authentication Key Management: 802.1X: Enable
![byod-flexconnect-dg-018.gif byod-flexconnect-dg-018.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-018.gif)
- Go to the Advanced tab, and set these attributes:
- Allow AAA Override: Enabled
- NAC State: Radius NAC
![byod-flexconnect-dg-019.gif byod-flexconnect-dg-019.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-019.gif)
- Scroll down in the Advanced tab, and set FlexConnect Local Switching to Enabled.
![byod-flexconnect-dg-020.gif byod-flexconnect-dg-020.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-020.gif)
- Click Apply and Save Configuration.
![byod-flexconnect-dg-021.gif byod-flexconnect-dg-021.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-021.gif)
- Confirm that both of the new WLANs were created.
![byod-flexconnect-dg-022.gif byod-flexconnect-dg-022.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-022.gif)
FlexConnect AP Configuration
Complete these steps in order to configure the FlexConnect AP:
- Navigate to WLC > Wireless, and click the target FlexConnect AP.
![byod-flexconnect-dg-023.gif byod-flexconnect-dg-023.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-023.gif)
- Click the FlexConnect tab.
![byod-flexconnect-dg-024.gif byod-flexconnect-dg-024.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-024.gif)
- Enable VLAN Support (box is checked), set the Native VLAN ID, and click VLAN Mappings.
![byod-flexconnect-dg-025.gif byod-flexconnect-dg-025.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-025.gif)
- Set the VLAN ID to 21 (in this example) for the SSID for local switching.
![byod-flexconnect-dg-026.gif byod-flexconnect-dg-026.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-026.gif)
- Click Apply and Save Configuration.
ISE Configuration
Complete these steps in order to configure the ISE:
- Log in to the ISE server: <https://ise>.
![byod-flexconnect-dg-027.gif byod-flexconnect-dg-027.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-027.gif)
- Navigate to Administration > Identity Management > External Identity Sources.
![byod-flexconnect-dg-028.gif byod-flexconnect-dg-028.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-028.gif)
- Click Active Directory.
![byod-flexconnect-dg-029.gif byod-flexconnect-dg-029.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-029.gif)
- In the Connection tab:
- Add the Domain Name of corp.rf-demo.com (in this example), and change the Identity Store Name default to AD1.
- Click Save Configuration.
- Click Join, and provide the AD Administrator account username and password required to join.
- Confirm that the Status is green and that the Connected to: box is checked.
![byod-flexconnect-dg-030.gif byod-flexconnect-dg-030.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-030.gif)
- Perform a basic connection test to the AD with a current domain user.
![byod-flexconnect-dg-031.gif byod-flexconnect-dg-031.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-031.gif)
- If the connection to the AD is successful, a dialog confirms that the password is correct.
![byod-flexconnect-dg-032.gif byod-flexconnect-dg-032.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-032.gif)
- Navigate to Administration > Identity Management > External Identity Sources:
- Click Certificate Authentication Profile.
- Click Add for a new Certificate Authentication Profile (CAP).
![byod-flexconnect-dg-033.gif byod-flexconnect-dg-033.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-033.gif)
- Enter a name of CertAuth (in this example) for the CAP; for the Principal Username X509 Attribute, select Common Name; then, click Submit.
![byod-flexconnect-dg-034.gif byod-flexconnect-dg-034.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-034.gif)
- Confirm that the new CAP is added.
![byod-flexconnect-dg-035.gif byod-flexconnect-dg-035.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-035.gif)
- Navigate to Administration > Identity Management > Identity Source Sequences, and click Add .
![byod-flexconnect-dg-036.gif byod-flexconnect-dg-036.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-036.gif)
- Give the sequence a name of TestSequence (in this example).
![byod-flexconnect-dg-037.gif byod-flexconnect-dg-037.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-037.gif)
- Scroll down to Certificate Based Authentication:
- Enable Select Certificate Authentication Profile (box is checked).
- Select CertAuth (or another CAP profile created earlier).
![byod-flexconnect-dg-038.gif byod-flexconnect-dg-038.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-038.gif)
- Scroll down to Authentication Search List:
- Move AD1 from Available to Selected.
- Click the up button in order to move AD1 to the top priority.
![byod-flexconnect-dg-039.gif byod-flexconnect-dg-039.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-039.gif)
- Click Submit in order to save.
![byod-flexconnect-dg-040.gif byod-flexconnect-dg-040.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-040.gif)
- Confirm that the new Identity Source Sequence is added.
![byod-flexconnect-dg-041.gif byod-flexconnect-dg-041.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-041.gif)
- Use the AD in order to authenticate the My Devices Portal. Navigate to ISE > Administration > Identity Management > Identity Source Sequence, and edit MyDevices_Portal_Sequence.
![byod-flexconnect-dg-042.gif byod-flexconnect-dg-042.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-042.gif)
- Add AD1 to the Selected list, and click the up button in order to move AD1 to the top priority.
![byod-flexconnect-dg-043.gif byod-flexconnect-dg-043.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-043.gif)
- Click Save.
![byod-flexconnect-dg-044.gif byod-flexconnect-dg-044.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-044.gif)
- Confirm that the Identity Store sequence for MyDevices_Portal_Sequence contains AD1.
![byod-flexconnect-dg-045.gif byod-flexconnect-dg-045.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-045.gif)
- Repeat the previous steps (edit the sequence, add AD1 to the Selected list, and move it to the top priority) for Guest_Portal_Sequence, and click Save.
![byod-flexconnect-dg-046.gif byod-flexconnect-dg-046.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-046.gif)
- Confirm that Guest_Portal_Sequence contains AD1.
![byod-flexconnect-dg-047.gif byod-flexconnect-dg-047.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-047.gif)
- In order to add the WLC as a Network Access Device (NAD), navigate to Administration > Network Resources > Network Devices, and click Add.
![byod-flexconnect-dg-048.gif byod-flexconnect-dg-048.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-048.gif)
- Add the WLC name, IP address, Subnet Mask, and so forth.
![byod-flexconnect-dg-049.gif byod-flexconnect-dg-049.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-049.gif)
- Scroll down to Authentication Settings, and enter the Shared Secret. This must match the shared secret of the WLC RADIUS.
![byod-flexconnect-dg-050.gif byod-flexconnect-dg-050.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-050.gif)
- Click Submit.
- Navigate to ISE > Policy > Policy Elements > Results.
![byod-flexconnect-dg-051.gif byod-flexconnect-dg-051.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-051.gif)
- Expand Results and Authorization, click Authorization Profiles, and click Add for a new profile.
![byod-flexconnect-dg-052.gif byod-flexconnect-dg-052.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-052.gif)
- Give this profile these values:
- Name: CWA
![byod-flexconnect-dg-053.gif byod-flexconnect-dg-053.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-053.gif)
- Enable Web Authentication (box is checked):
- Web Authentication: Centralized
- ACL: ACL-REDIRECT (This must match the WLC pre-auth ACL name.)
- Redirect: Default
![byod-flexconnect-dg-054.gif byod-flexconnect-dg-054.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-054.gif)
- Click Submit, and confirm that the CWA authorization profile has been added.
![byod-flexconnect-dg-055.gif byod-flexconnect-dg-055.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-055.gif)
- Click Add in order to create a new authorization profile.
![byod-flexconnect-dg-056.gif byod-flexconnect-dg-056.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-056.gif)
- Give this profile these values:
- Name: Provision
![byod-flexconnect-dg-057.gif byod-flexconnect-dg-057.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-057.gif)
- Enable Web Authentication (box is checked):
- Web Authentication Value: Supplicant Provisioning
![byod-flexconnect-dg-058.gif byod-flexconnect-dg-058.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-058.gif)
- ACL: ACL-REDIRECT (This must match the WLC pre-auth ACL name.)
![byod-flexconnect-dg-059.gif byod-flexconnect-dg-059.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-059.gif)
- Click Submit, and confirm that the Provision authorization profile was added.
![byod-flexconnect-dg-060.gif byod-flexconnect-dg-060.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-060.gif)
- Scroll down in Results, expand Client Provisioning, and click Resources.
![byod-flexconnect-dg-061.gif byod-flexconnect-dg-061.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-061.gif)
- Select Native Supplicant Profile.
![byod-flexconnect-dg-062.gif byod-flexconnect-dg-062.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-062.gif)
- Give the Profile a name of WirelessSP (in this example).
![byod-flexconnect-dg-063.gif byod-flexconnect-dg-063.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-063.gif)
- Enter these values:
- Connection Type: Wireless
- SSID: Demo1x (this value is from the WLC 802.1x WLAN configuration)
- Allowed Protocol: TLS
- Key Size: 1024 (the value used in this example; 1024-bit RSA keys are considered weak by current standards, so select a larger key size where the ISE release and the client OS support it)
![byod-flexconnect-dg-064.gif byod-flexconnect-dg-064.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-064.gif)
- Click Submit.
- Click Save.
![byod-flexconnect-dg-065.gif byod-flexconnect-dg-065.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-065.gif)
- Confirm that the new profile has been added.
![byod-flexconnect-dg-066.gif byod-flexconnect-dg-066.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-066.gif)
- Navigate to Policy > Client Provisioning.
![byod-flexconnect-dg-067.gif byod-flexconnect-dg-067.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-067.gif)
- Enter these values for the provisioning rule of iOS devices:
- Rule Name: iOS
- Identity Groups: Any
![byod-flexconnect-dg-068.gif byod-flexconnect-dg-068.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-068.gif)
- Operating Systems: Mac iOS All
![byod-flexconnect-dg-069.gif byod-flexconnect-dg-069.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-069.gif)
- Results: WirelessSP (this is the Native Supplicant Profile created earlier)
![byod-flexconnect-dg-070.gif byod-flexconnect-dg-070.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-070.gif)
- Navigate to Results > Wizard Profile (drop-down list) > WirelessSP.
![byod-flexconnect-dg-071.gif byod-flexconnect-dg-071.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-071.gif)
![byod-flexconnect-dg-072.gif byod-flexconnect-dg-072.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-072.gif)
- Confirm that the iOS Provisioning Profile was added.
![byod-flexconnect-dg-073.gif byod-flexconnect-dg-073.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-073.gif)
- On the right side of the first rule, locate the Actions drop-down list, and select Duplicate below (or above).
![byod-flexconnect-dg-074.gif byod-flexconnect-dg-074.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-074.gif)
- Change the Name of the new rule to Android.
![byod-flexconnect-dg-075.gif byod-flexconnect-dg-075.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-075.gif)
- Change the Operating Systems to Android.
![byod-flexconnect-dg-076.gif byod-flexconnect-dg-076.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-076.gif)
- Leave other values unchanged.
- Click Save (lower left screen).
![byod-flexconnect-dg-077.gif byod-flexconnect-dg-077.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-077.gif)
- Navigate to ISE > Policy > Authentication.
![byod-flexconnect-dg-078.gif byod-flexconnect-dg-078.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-078.gif)
- Edit the MAB rule: expand its condition (Wired_MAB) and add Wireless_MAB so that the rule also matches the MAC-filtering requests sent by the WLC.
![byod-flexconnect-dg-079.gif byod-flexconnect-dg-079.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-079.gif)
- Click the Condition Name drop-down list.
![byod-flexconnect-dg-080.gif byod-flexconnect-dg-080.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-080.gif)
- Select Dictionaries > Compound Condition.
![byod-flexconnect-dg-081.gif byod-flexconnect-dg-081.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-081.gif)
- Select Wireless_MAB.
![byod-flexconnect-dg-082.gif byod-flexconnect-dg-082.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-082.gif)
- To the right of the rule, select the arrow to expand.
![byod-flexconnect-dg-083.gif byod-flexconnect-dg-083.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-083.gif)
- Select these values from the drop-down list:
- Identity Source: TestSequence (this is the value created earlier)
- If authentication failed: Reject
- If user not found: Continue
- If process failed: Drop
![byod-flexconnect-dg-084.gif byod-flexconnect-dg-084.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-084.gif)
- Go to the Dot1X rule, and change these values:
![byod-flexconnect-dg-085.gif byod-flexconnect-dg-085.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-085.gif)
- Click Save.
![byod-flexconnect-dg-088.gif byod-flexconnect-dg-088.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-088.gif)
- Navigate to ISE > Policy > Authorization.
![byod-flexconnect-dg-089.gif byod-flexconnect-dg-089.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-089.gif)
- Default rules (Black List Default, Profiled, and Default) are already configured at installation; the first two can be ignored, and the Default rule is edited later.
![byod-flexconnect-dg-090.gif byod-flexconnect-dg-090.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-090.gif)
- To the right of the second rule (Profiled Cisco IP Phones), click the down arrow next to Edit, and select Insert New Rule Below.
![byod-flexconnect-dg-091.gif byod-flexconnect-dg-091.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-091.gif)
A new Standard Rule # is added.
![byod-flexconnect-dg-092.gif byod-flexconnect-dg-092.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-092.gif)
- Change the Rule Name from Standard Rule # to OpenCWA. This rule initiates the registration process on the open WLAN (dual SSID) for users that come to the guest network in order to have devices provisioned.
![byod-flexconnect-dg-093.gif byod-flexconnect-dg-093.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-093.gif)
- Click the plus sign (+) for Condition(s), and click Select Existing Condition from Library.
![byod-flexconnect-dg-094.gif byod-flexconnect-dg-094.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-094.gif)
- Select Compound Conditions > Wireless_MAB.
![byod-flexconnect-dg-095.gif byod-flexconnect-dg-095.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-095.gif)
- In the AuthZ Profile, click the plus sign (+), and select Standard.
![byod-flexconnect-dg-096.gif byod-flexconnect-dg-096.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-096.gif)
- Select the standard CWA (this is the Authorization Profile created earlier).
![byod-flexconnect-dg-097.gif byod-flexconnect-dg-097.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-097.gif)
- Confirm that the rule is added with the correct Conditions and Authorization.
![byod-flexconnect-dg-098.gif byod-flexconnect-dg-098.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-098.gif)
- Click Done (on the right side of the rule).
![byod-flexconnect-dg-099.gif byod-flexconnect-dg-099.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-099.gif)
- To the right of the same rule, click the down arrow next to Edit, and select Insert New Rule Below.
![byod-flexconnect-dg-100.gif byod-flexconnect-dg-100.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-100.gif)
- Change the Rule Name from Standard Rule # to PEAPrule (in this example). This rule is for PEAP (also used in the single SSID scenario): it matches 802.1X authentication that does not use Transport Layer Security (TLS) and initiates network supplicant provisioning with the Provision authorization profile created previously.
![byod-flexconnect-dg-101.gif byod-flexconnect-dg-101.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-101.gif)
- Change the Condition to Wireless_802.1X.
![byod-flexconnect-dg-102.gif byod-flexconnect-dg-102.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-102.gif)
- Click the gear icon on the right side of the condition, and select Add Attribute/Value. This is an 'and' condition, not an 'or' condition.
![byod-flexconnect-dg-103.gif byod-flexconnect-dg-103.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-103.gif)
- Locate and select Network Access.
![byod-flexconnect-dg-104.gif byod-flexconnect-dg-104.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-104.gif)
- Select AuthenticationMethod, and enter these values:
![byod-flexconnect-dg-105.gif byod-flexconnect-dg-105.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-105.gif)
- AuthenticationMethod: Equals
![byod-flexconnect-dg-106.gif byod-flexconnect-dg-106.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-106.gif)
- Select MSCHAPV2.
![byod-flexconnect-dg-107.gif byod-flexconnect-dg-107.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-107.gif)
This is an example of the rule; be sure to confirm that the Condition is an AND.
![byod-flexconnect-dg-108.gif byod-flexconnect-dg-108.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-108.gif)
- In AuthZ Profile, select Standard > Provision (this is the Authorization Profile created earlier).
![byod-flexconnect-dg-109.gif byod-flexconnect-dg-109.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-109.gif)
![byod-flexconnect-dg-110.gif byod-flexconnect-dg-110.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-110.gif)
- Click Done.
![byod-flexconnect-dg-099.gif byod-flexconnect-dg-099.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-099.gif)
- To the right of the PEAPrule, click the down arrow next to Edit, and select Insert New Rule Below.
![byod-flexconnect-dg-111.gif byod-flexconnect-dg-111.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-111.gif)
- Change the Rule Name from Standard Rule # to AllowRule (in this example). This rule will be used in order to permit access to registered devices with certificates installed.
![byod-flexconnect-dg-112.gif byod-flexconnect-dg-112.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-112.gif)
- Under Condition(s), select Compound Conditions.
![byod-flexconnect-dg-113.gif byod-flexconnect-dg-113.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-113.gif)
- Select Wireless_802.1X.
![byod-flexconnect-dg-114.gif byod-flexconnect-dg-114.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-114.gif)
- Add an AND attribute.
![byod-flexconnect-dg-115.gif byod-flexconnect-dg-115.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-115.gif)
- Click the gear icon on the right side of the condition, and select Add Attribute/Value.
![byod-flexconnect-dg-116.gif byod-flexconnect-dg-116.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-116.gif)
- Locate and select Radius.
![byod-flexconnect-dg-117.gif byod-flexconnect-dg-117.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-117.gif)
- Select Calling-Station-ID--[31].
![byod-flexconnect-dg-118.gif byod-flexconnect-dg-118.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-118.gif)
- Select Equals.
![byod-flexconnect-dg-119.gif byod-flexconnect-dg-119.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-119.gif)
- Go to CERTIFICATE, and click the right arrow.
![byod-flexconnect-dg-123.gif byod-flexconnect-dg-123.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-123.gif)
- Select Subject Alternative Name.
![byod-flexconnect-dg-121.gif byod-flexconnect-dg-121.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-121.gif)
- For the AuthZ Profile, select Standard.
![byod-flexconnect-dg-122.gif byod-flexconnect-dg-122.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-122.gif)
- Select Permit Access.
![byod-flexconnect-dg-123.gif byod-flexconnect-dg-123.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-123.gif)
- Click Done.
![byod-flexconnect-dg-099.gif byod-flexconnect-dg-099.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-099.gif)
This is an example of the rule:
![byod-flexconnect-dg-124.gif byod-flexconnect-dg-124.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-124.gif)
- Locate the Default rule in order to change PermitAccess to DenyAccess.
![byod-flexconnect-dg-125.gif byod-flexconnect-dg-125.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-125.gif)
- Click Edit in order to edit the Default rule.
![byod-flexconnect-dg-126.gif byod-flexconnect-dg-126.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-126.gif)
- Go to the existing AuthZ profile of PermitAccess.
![byod-flexconnect-dg-127.gif byod-flexconnect-dg-127.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-127.gif)
- Select Standard.
![byod-flexconnect-dg-128.gif byod-flexconnect-dg-128.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-128.gif)
- Select DenyAccess.
![byod-flexconnect-dg-129.gif byod-flexconnect-dg-129.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-129.gif)
- Confirm that the Default rule has DenyAccess if no matches are found.
![byod-flexconnect-dg-130.gif byod-flexconnect-dg-130.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-130.gif)
- Click Done.
![byod-flexconnect-dg-099.gif byod-flexconnect-dg-099.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-099.gif)
This is an example of the main rules required for this test; they are applicable for either a single SSID or dual SSID scenario.
![byod-flexconnect-dg-131.gif byod-flexconnect-dg-131.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-131.gif)
- Click Save.
![byod-flexconnect-dg-132.gif byod-flexconnect-dg-132.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-132.gif)
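The rules just built (OpenCWA, PEAPrule, AllowRule, and the Default rule changed to DenyAccess), together with the pre-installed Black List Default rule that the My Devices Portal feeds, evaluated top to bottom over constructed RADIUS sessions. This is an added Python model written for this page, not ISE code or ISE output; the attribute values behind the library conditions Wireless_MAB and Wireless_802.1X, the AuthenticationMethod value x509_PKI for EAP-TLS, the blacklist profile name, and format-insensitive MAC comparison are assumptions of the model.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def normalize_mac(value: str) -> str:
    """Reduce 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff' to
    twelve lowercase hex digits. Assumption of this model: ISE compares the
    Calling-Station-ID and the certificate SAN independently of MAC formatting."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


@dataclass(frozen=True)
class Session:
    """The RADIUS attributes from the WLC that the rules on this page look at."""
    nas_port_type: str                 # "Wireless - IEEE 802.11" for WLC clients
    service_type: str                  # "Call Check" for MAB, "Framed" for 802.1X
    calling_station_id: str            # client MAC as reported by the WLC
    auth_method: Optional[str] = None  # "MSCHAPV2" (PEAP inner), "x509_PKI" (EAP-TLS)
    cert_san: Optional[str] = None     # SAN of the client certificate, EAP-TLS only
    endpoint_groups: frozenset = frozenset()  # e.g. {"RegisteredDevices", "Blacklist"}


WIRELESS = "Wireless - IEEE 802.11"


def wireless_mab(s: Session) -> bool:
    """Library compound condition Wireless_MAB (assumed attribute values)."""
    return s.nas_port_type == WIRELESS and s.service_type == "Call Check"


def wireless_8021x(s: Session) -> bool:
    """Library compound condition Wireless_802.1X (assumed attribute values)."""
    return s.nas_port_type == WIRELESS and s.service_type == "Framed"


def san_matches_caller(s: Session) -> bool:
    """Radius:Calling-Station-ID EQUALS CERTIFICATE:Subject Alternative Name.
    Binds the certificate to the radio it was issued for: a certificate copied
    to another device presents a SAN that no longer equals the caller's MAC."""
    return s.cert_san is not None and normalize_mac(s.cert_san) == normalize_mac(s.calling_station_id)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str


# Same top-to-bottom order in which the page builds the rules.
POLICY = [
    # Installed by default; hit by devices marked Lost? in the My Devices Portal.
    # The profile name is an assumption of this model (the page does not show it).
    Rule("Black List Default", lambda s: "Blacklist" in s.endpoint_groups, "Blackhole_Wireless_Access"),
    Rule("OpenCWA", wireless_mab, "CWA"),
    Rule("PEAPrule", lambda s: wireless_8021x(s) and s.auth_method == "MSCHAPV2", "Provision"),
    Rule("AllowRule", lambda s: wireless_8021x(s) and san_matches_caller(s), "PermitAccess"),
    Rule("Default", lambda s: True, "DenyAccess"),  # changed from PermitAccess on this page
]


def authorize(session: Session, policy=POLICY):
    """First-match evaluation, as ISE does for a standard authorization policy."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.profile
    raise RuntimeError("policy has no catch-all rule")


# Constructed sessions that walk through the flows described in this document.
REGISTERED = frozenset({"RegisteredDevices"})
SCENARIOS = {
    # dual SSID: device joins open DemoCWA -> MAB -> redirected to the CWA portal
    "open_wlan_mab": Session(WIRELESS, "Call Check", "00-11-22-33-44-55"),
    # single SSID: joins Demo1x with AD password -> PEAP -> supplicant provisioning
    "peap_before_provision": Session(WIRELESS, "Framed", "00-11-22-33-44-55", "MSCHAPV2"),
    # reconnect with the provisioned EAP-TLS profile; SAN carries the device MAC
    "eap_tls_own_cert": Session(WIRELESS, "Framed", "00-11-22-33-44-55", "x509_PKI",
                                "00:11:22:33:44:55", REGISTERED),
    # the same certificate presented from a radio with a different MAC
    "eap_tls_copied_cert": Session(WIRELESS, "Framed", "00-11-22-33-44-66", "x509_PKI",
                                   "00:11:22:33:44:55", REGISTERED),
    # valid certificate, but the owner clicked Lost? in the My Devices Portal
    "eap_tls_blacklisted": Session(WIRELESS, "Framed", "00-11-22-33-44-55", "x509_PKI",
                                   "00:11:22:33:44:55", frozenset({"Blacklist"})),
}


def run_scenarios(policy=POLICY) -> dict:
    """Returns {scenario: (matched rule name, authorization profile)}."""
    return {name: authorize(s, policy) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (rule, profile) in run_scenarios().items():
        print(f"{name:24s} -> {rule:20s} {profile}")
```

Reordering AllowRule above PEAPrule, or leaving the Default rule at PermitAccess, changes the copied-certificate and PEAP outcomes; re-running the scenarios after such an edit shows which rule now catches them.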
- Navigate to ISE > Administration > System > Certificates in order to configure the ISE server with a SCEP profile.
![byod-flexconnect-dg-133.gif byod-flexconnect-dg-133.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-133.gif)
- In Certificate Operations, click SCEP CA Profiles.
![byod-flexconnect-dg-134.gif byod-flexconnect-dg-134.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-134.gif)
- Click Add.
![byod-flexconnect-dg-135.gif byod-flexconnect-dg-135.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-135.gif)
- Enter these values for this profile:
- Name: mySCEP (in this example)
- URL: https://<ca-server>/CertSrv/mscep/ (Check your CA server configuration for the correct address.)
![byod-flexconnect-dg-136.gif byod-flexconnect-dg-136.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-136.gif)
- Click Test Connectivity in order to test connectivity of the SCEP connection.
![byod-flexconnect-dg-137.gif byod-flexconnect-dg-137.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-137.gif)
- This response shows that the server connectivity is successful.
![byod-flexconnect-dg-138.gif byod-flexconnect-dg-138.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-138.gif)
- Click Submit.
![byod-flexconnect-dg-139.gif byod-flexconnect-dg-139.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-139.gif)
- The server responds that the CA Profile was created successfully.
![byod-flexconnect-dg-140.gif byod-flexconnect-dg-140.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-140.gif)
- Confirm that the SCEP CA Profile is added.
![byod-flexconnect-dg-141.gif byod-flexconnect-dg-141.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-141.gif)
User Experience - Provisioning iOS
Dual SSID
This section covers dual SSID and describes how to connect to the guest WLAN to be provisioned and how to connect to an 802.1x WLAN.
Complete these steps in order to provision iOS in the dual SSID scenario:
- On the iOS device, go to Wi-Fi Networks, and select DemoCWA (configured open WLAN on WLC).
![byod-flexconnect-dg-142.gif byod-flexconnect-dg-142.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-142.gif)
- Open the Safari browser on the iOS device, and visit a reachable URL (for example, internal/external webserver). The ISE redirects you to the portal. Click Continue.
![byod-flexconnect-dg-143.gif byod-flexconnect-dg-143.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-143.gif)
- You are redirected to the Guest Portal for login.
![byod-flexconnect-dg-144.gif byod-flexconnect-dg-144.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-144.gif)
- Log in with an AD user account and password. Install the CA Profile when prompted.
![byod-flexconnect-dg-145.gif byod-flexconnect-dg-145.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-145.gif)
- Click Install trusted certificate of the CA server.
![byod-flexconnect-dg-146.gif byod-flexconnect-dg-146.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-146.gif)
- Click Done once the profile is completely installed.
![byod-flexconnect-dg-147.gif byod-flexconnect-dg-147.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-147.gif)
- Return to the browser, and click Register. Make a note of the Device ID that contains the MAC address of the device.
![byod-flexconnect-dg-148.gif byod-flexconnect-dg-148.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-148.gif)
- Click Install in order to install the verified profile.
![byod-flexconnect-dg-149.gif byod-flexconnect-dg-149.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-149.gif)
- Click Install Now.
![byod-flexconnect-dg-150.gif byod-flexconnect-dg-150.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-150.gif)
- After the process is completed, the WirelessSP profile confirms that the profile is installed. Click Done.
![byod-flexconnect-dg-151.gif byod-flexconnect-dg-151.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-151.gif)
- Go to Wi-Fi Networks, and change the network to Demo1x. Your device is now connected and uses TLS.
![byod-flexconnect-dg-152.gif byod-flexconnect-dg-152.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-152.gif)
- On the ISE, navigate to Operations > Authentications. The events show the process in which the device is connected to the open guest network, goes through the registration process with supplicant provisioning, and is allowed permit access after registration.
![byod-flexconnect-dg-153.gif byod-flexconnect-dg-153.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-153.gif)
- Navigate to ISE > Administration > Identity Management > Groups > Endpoint Identity Groups > RegisteredDevices. The MAC address has been added to the database.
![byod-flexconnect-dg-154.gif byod-flexconnect-dg-154.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-154.gif)
Single SSID
This section covers single SSID and describes how to connect directly to an 802.1x WLAN, provide AD username/password for PEAP authentication, provision through a guest account, and reconnect with TLS.
Complete these steps in order to provision iOS in the single SSID scenario:
- If you are using the same iOS device, remove the endpoint from the Registered Devices.
![byod-flexconnect-dg-155.gif byod-flexconnect-dg-155.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-155.gif)
- On the iOS device, navigate to Settings > General > Profiles. Remove the profiles installed in this example.
![byod-flexconnect-dg-156.gif byod-flexconnect-dg-156.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-156.gif)
- Click Remove in order to remove the previous profiles.
![byod-flexconnect-dg-157.gif byod-flexconnect-dg-157.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-157.gif)
![byod-flexconnect-dg-158.gif byod-flexconnect-dg-158.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-158.gif)
- Connect directly to the 802.1x WLAN with the existing (cleared) device or with a new iOS device.
- Connect to Dot1x, enter a Username and Password, and click Join.
![byod-flexconnect-dg-159.gif byod-flexconnect-dg-159.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-159.gif)
- Repeat Step 90 onward from the ISE Configuration section until the appropriate profiles are completely installed.
- Navigate to ISE > Operations > Authentications in order to monitor the process. This example shows the client that is connected directly to 802.1X WLAN as it is provisioned, disconnects, and reconnects to the same WLAN with the use of TLS.
![byod-flexconnect-dg-160.gif byod-flexconnect-dg-160.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-160.gif)
- Navigate to WLC > Monitor > [Client MAC]. In the client detail, note that the client is in the RUN state, its Data Switching is set to local, and the Authentication is Central. This is true for clients that connect to a FlexConnect AP.
![](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-160.gif)
User Experience - Provisioning Android
Dual SSID
This section covers dual SSID and describes how to connect to the guest to be provisioned and how to connect to an 802.1x WLAN.
The connection process for the Android device is very similar to that for an iOS device (single or dual SSID). However, an important difference is that the Android device requires access to the Internet in order to access Google Marketplace (now Google Play) and download the supplicant agent.
Complete these steps in order to provision an Android device (such as the Samsung Galaxy in this example) in the dual SSID scenario:
- On the Android device, use Wi-Fi in order to connect to DemoCWA, the open guest WLAN.
![byod-flexconnect-dg-162.gif byod-flexconnect-dg-162.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-162.gif)
- Accept any certificate in order to connect to the ISE.
![byod-flexconnect-dg-163.gif byod-flexconnect-dg-163.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-163.gif)
- Enter a Username and Password at the Guest Portal in order to log in.
![byod-flexconnect-dg-164.gif byod-flexconnect-dg-164.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-164.gif)
- Click Register. The device attempts to reach the Internet in order to access Google Marketplace. Add any additional rules to the Pre-Auth ACL (such as ACL-REDIRECT) in the controller in order to allow access to the Internet.
![byod-flexconnect-dg-165.gif byod-flexconnect-dg-165.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-165.gif)
- Google lists Cisco Network Setup as an Android App. Click INSTALL.
![byod-flexconnect-dg-166.gif byod-flexconnect-dg-166.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-166.gif)
- Sign in to Google, and click INSTALL.
![byod-flexconnect-dg-167.gif byod-flexconnect-dg-167.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-167.gif)
- Click OK.
![byod-flexconnect-dg-168.gif byod-flexconnect-dg-168.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-168.gif)
- On the Android device, find the installed Cisco SPW app, and open it.
![byod-flexconnect-dg-169.gif byod-flexconnect-dg-169.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-169.gif)
- Make sure that you are still logged in to the Guest Portal from your Android device.
- Click Start in order to start the Wi-Fi Setup Assistant.
![byod-flexconnect-dg-170.gif byod-flexconnect-dg-170.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-170.gif)
- The Cisco SPW begins to install certificates.
![byod-flexconnect-dg-171.gif byod-flexconnect-dg-171.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-171.gif)
- When prompted, set a password for credential storage.
![byod-flexconnect-dg-172.gif byod-flexconnect-dg-172.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-172.gif)
- The Cisco SPW returns with a certificate name, which contains the user key and user certificate. Click OK in order to confirm.
![byod-flexconnect-dg-173.gif byod-flexconnect-dg-173.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-173.gif)
- Cisco SPW continues and prompts for another certificate name, which contains the CA certificate. Enter the name iseca (in this example), then click OK in order to continue.
![byod-flexconnect-dg-174.gif byod-flexconnect-dg-174.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-174.gif)
- The Android device is now connected.
![byod-flexconnect-dg-175.gif byod-flexconnect-dg-175.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-175.gif)
My Devices Portal
My Devices Portal allows users to blacklist previously registered devices in the event a device is lost or stolen. It also allows users to reinstate a device if needed.
Complete these steps in order to blacklist a device:
- In order to log in to My Devices Portal, open a browser, connect to https://ise-server:8443/mydevices (note the port number 8443), and log in with an AD account.
![byod-flexconnect-dg-176.gif byod-flexconnect-dg-176.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-176.gif)
- Locate the device under Device ID, and click Lost? in order to initiate blacklisting of a device.
![byod-flexconnect-dg-177.gif byod-flexconnect-dg-177.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-177.gif)
- When ISE displays a warning, click Yes in order to proceed.
![byod-flexconnect-dg-178.gif byod-flexconnect-dg-178.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-178.gif)
- ISE confirms that the device is marked as lost.
![byod-flexconnect-dg-179.gif byod-flexconnect-dg-179.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-179.gif)
- Any attempt to connect to the network with the previously registered device is now blocked, even if there is a valid certificate installed. This is an example of a blacklisted device that fails authentication:
![byod-flexconnect-dg-180.gif byod-flexconnect-dg-180.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-180.gif)
- An administrator can navigate to ISE > Administration > Identity Management > Groups, click Endpoint Identity Groups > Blacklist, and see the device is blacklisted.
![byod-flexconnect-dg-181.gif byod-flexconnect-dg-181.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-181.gif)
Complete these steps in order to reinstate a blacklisted device:
- From the My Devices Portal, click Reinstate for that device.
![byod-flexconnect-dg-182.gif byod-flexconnect-dg-182.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-182.gif)
- When ISE displays a warning, click Yes in order to proceed.
![byod-flexconnect-dg-183.gif byod-flexconnect-dg-183.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-183.gif)
- ISE confirms that the device has been successfully reinstated. Connect the reinstated device to the network in order to test that the device will now be permitted.
![byod-flexconnect-dg-184.gif byod-flexconnect-dg-184.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-184.gif)
Reference - Certificates
ISE not only requires a valid CA root certificate, but also needs a valid certificate signed by the CA.
Complete these steps in order to add, bind, and import a new trusted CA certificate:
- Navigate to ISE > Administration > System > Certificates, click Local Certificates, and click Add.
![byod-flexconnect-dg-185.gif byod-flexconnect-dg-185.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-185.gif)
- Select Generate Certificate Signing Request (CSR).
![byod-flexconnect-dg-186.gif byod-flexconnect-dg-186.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-186.gif)
- Enter the Certificate Subject CN=<ISE-SERVER hostname.FQDN>. For the other fields, you can use the default or the values required by your CA setup. Click Submit.
![byod-flexconnect-dg-187.gif byod-flexconnect-dg-187.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-187.gif)
- ISE verifies that the CSR was generated.
![byod-flexconnect-dg-188.gif byod-flexconnect-dg-188.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-188.gif)
- In order to access the CSR, click Certificate Signing Requests under Certificate Operations.
![byod-flexconnect-dg-189.gif byod-flexconnect-dg-189.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-189.gif)
- Select the CSR recently created, then click Export.
![byod-flexconnect-dg-190.gif byod-flexconnect-dg-190.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-190.gif)
- ISE exports the CSR to a .pem file. Click Save File, then click OK in order to save the file to the local machine.
![byod-flexconnect-dg-191.gif byod-flexconnect-dg-191.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-191.gif)
- Locate and open the ISE certificate file with a text editor.
![byod-flexconnect-dg-192.gif byod-flexconnect-dg-192.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-192.gif)
- Copy the entire content of the certificate.
![byod-flexconnect-dg-193.gif byod-flexconnect-dg-193.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-193.gif)
- Connect to the CA server, and log in with an administrator account. The server is a Microsoft 2008 CA at https://10.10.10.10/certsrv (in this example).
![byod-flexconnect-dg-194.gif byod-flexconnect-dg-194.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-194.gif)
- Click Request a certificate.
![byod-flexconnect-dg-195.gif byod-flexconnect-dg-195.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-195.gif)
- Click advanced certificate request.
![byod-flexconnect-dg-196.gif byod-flexconnect-dg-196.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-196.gif)
- Click the second option, Submit a certificate request by using a base-64-encoded CMC or ... .
![byod-flexconnect-dg-197.gif byod-flexconnect-dg-197.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-197.gif)
- Paste the content from the ISE certificate file (.pem) into the Saved Request field, ensure the Certificate Template is Web Server, and click Submit.
![byod-flexconnect-dg-198.gif byod-flexconnect-dg-198.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-198.gif)
- Click Download certificate.
![byod-flexconnect-dg-199.gif byod-flexconnect-dg-199.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-199.gif)
- Save the certnew.cer file; it is used later to bind the signed certificate to the CSR in ISE.
![byod-flexconnect-dg-200.gif byod-flexconnect-dg-200.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-200.gif)
- From ISE Certificates, navigate to Local Certificates, and click Add > Bind CA Certificate.
![byod-flexconnect-dg-201.gif byod-flexconnect-dg-201.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-201.gif)
- Browse to the certificate that was saved to the local machine in the previous step, enable both the EAP and Management Interface protocols (boxes are checked), and click Submit. ISE may take several minutes or more in order to restart services.
![byod-flexconnect-dg-202.gif byod-flexconnect-dg-202.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-202.gif)
- Return to the landing page of the CA (https://CA/certsrv/), and click Download a CA certificate, certificate chain, or CRL.
![byod-flexconnect-dg-203.gif byod-flexconnect-dg-203.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-203.gif)
- Click Download CA certificate.
![byod-flexconnect-dg-204.gif byod-flexconnect-dg-204.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-204.gif)
- Save the file to the local machine.
![byod-flexconnect-dg-205.gif byod-flexconnect-dg-205.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-205.gif)
- With the ISE server online, go to Certificates, and click Certificate Authority Certificates.
![byod-flexconnect-dg-206.gif byod-flexconnect-dg-206.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-206.gif)
- Click Import.
![byod-flexconnect-dg-207.gif byod-flexconnect-dg-207.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-207.gif)
- Browse for the CA certificate, enable Trust for client authentication (box is checked), and click Submit.
![byod-flexconnect-dg-208.gif byod-flexconnect-dg-208.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-208.gif)
- Confirm that the new trusted CA certificate is added.
![byod-flexconnect-dg-209.gif byod-flexconnect-dg-209.gif](//www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-209.gif)
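Before binding the returned certnew.cer in ISE and importing the CA certificate, it is worth confirming offline that the CA signed the key ISE generated, that the certificate chains to the CA you are about to trust, and that the Web Server template produced a Server Authentication EKU. The script below is an added example, not part of the Cisco guide; it assumes only the openssl command-line tool, and the file names ise.csr, certnew.cer and ca.cer are placeholders for the CSR exported from ISE, the certificate downloaded from certsrv, and the CA certificate downloaded from the certsrv landing page.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: check the certificate the
# Microsoft CA returned (certnew.cer) against the CSR that ISE exported and
# the CA certificate about to be imported, before binding it in ISE.
# Checks: public key in cert == key in CSR, cert chains to the CA, and the
# Web Server template's Server Authentication EKU is present.
# Requires only the openssl command-line tool.

# Emit a certificate as PEM; web enrollment may hand back DER or PEM.
to_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1"
}

# verify_issued_cert <csr.pem> <certnew.cer> <ca.cer>
# Returns 0 only if every check passes; prints the failing check otherwise.
verify_issued_cert() {
  csr=$1
  work=$(mktemp -d) || return 2
  to_pem "$2" > "$work/cert.pem" || { rm -rf "$work"; return 2; }
  to_pem "$3" > "$work/ca.pem"   || { rm -rf "$work"; return 2; }

  # 1. The CA must have signed the key ISE generated, not some other key.
  csr_key=$(openssl req -in "$csr" -noout -pubkey)
  cert_key=$(openssl x509 -in "$work/cert.pem" -noout -pubkey)
  if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
    echo "FAIL: certificate public key does not match the CSR" >&2
    rm -rf "$work"; return 1
  fi

  # 2. The certificate must chain to the CA certificate ISE will trust.
  if ! openssl verify -CAfile "$work/ca.pem" "$work/cert.pem" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to the supplied CA certificate" >&2
    rm -rf "$work"; return 1
  fi

  # 3. The Web Server template yields a serverAuth EKU; its absence usually
  #    means the wrong template was selected on the certsrv page.
  if ! openssl x509 -in "$work/cert.pem" -noout -text |
       grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: no Server Authentication EKU (wrong certificate template?)" >&2
    rm -rf "$work"; return 1
  fi

  rm -rf "$work"
  echo "OK: certificate matches CSR, chains to CA, and carries serverAuth EKU"
}
```

Run it as `verify_issued_cert ise.csr certnew.cer ca.cer`; a non-zero exit means the bind in ISE would either fail or trust the wrong chain, so fix the enrollment before proceeding.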
Related Information