Configure Client Provisioning in Cisco ISE

Enable client provisioning to allow users to download client provisioning resources and configure agent profiles. You can configure agent profiles for Windows clients, Mac OS X clients, and native supplicant profiles for personal devices. If you disable client provisioning, users attempting to access the network will receive a warning message indicating that they are not able to download client provisioning resources.

Before you begin

If you are using a proxy and hosting client provisioning resources on a remote system, verify that the proxy allows clients to access that remote location.

Procedure


Step 1

Choose Administration > System > Settings > Client Provisioning or Work Centers > Posture > Settings > Software Updates > Client Provisioning.

Step 2

From the Enable Provisioning drop-down list, choose Enable or Disable.

Step 3

From the Enable Automatic Download drop-down list, choose Enable.

Feed downloads include all the available client provisioning resources. Some of these resources may not be pertinent to your deployment. Cisco recommends manually downloading resources whenever possible instead of setting this option.

Step 4

Specify the URL where Cisco ISE searches for system updates in the Update Feed URL text box. For example, the default URL for downloading client-provisioning resources is https://www.cisco.com/web/secure/spa/provisioning-update.xml.

Step 5

When there is no client provisioning resource for a device, choose one of the following options:

  • Allow Network Access: Users are allowed to register their device on the network without having to install and launch the native supplicant wizard.
  • Apply Defined Authorization Policy: Users must try to access the Cisco ISE network via standard authentication and authorization policy application (outside of the native supplicant provisioning process). If you enable this option, the user device goes through standard registration according to any client-provisioning policy applied to the user’s ID. If the user’s device requires a certificate to access the Cisco ISE network, you must also provide detailed instructions to the user describing how to obtain and apply a valid certificate using the customizable user-facing text fields.

Step 6

Click Save.



Note

If the ISE certificates are cached in the HTTP Strict Transport Security (HSTS) store of the endpoint, client provisioning portal redirection might fail and you might see the following error message:

You cannot visit hostname.domain.com right now because the website uses HSTS. Network errors and attacks are temporary, so this page will probably work later.

To resolve this issue, delete the browser cache on the endpoint or navigate to chrome://net-internals/#hsts and delete the self-signed ISE certificates.


What to do next

Configure client provisioning resource policies.

Client Provisioning Resources

Client provisioning resources are downloaded to endpoints after the endpoint connects to the network. Client provisioning resources consist of compliance and posture agents for desktops, and native supplicant profiles for phones and tablets. Client provisioning policies assign these provisioning resources to endpoints to start a network session.

Client provisioning resources are listed on Policy Elements > Results > Client Provisioning > Resources. The following resource types can be added to the list by clicking the Add button:

After creating client provisioning resources, create client provisioning policies that apply the client provisioning resources to the endpoints. See Configure Client Provisioning Resource Policies.

Add Client Provisioning Resources from Cisco

You can add client provisioning resources from Cisco.com for AnyConnect Windows and Mac OS X clients, and the Cisco Web Agent. Depending on the resources that you select and the available network bandwidth, Cisco ISE can take a few minutes to download client provisioning resources.

Before you begin

  • Ensure that you have configured the correct proxy settings in Cisco ISE.

  • Enable client provisioning in Cisco ISE.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Choose Add > Agent resources from Cisco site.

Step 3

Select one or more required client provisioning resources from the list available in the Download Remote Resources dialog box.

Step 4

Click Save.


What to do next

After you have successfully added client provisioning resources to Cisco ISE, you can begin to configure client provisioning resource policies.

Add Cisco Provided Client Provisioning Resources from a Local Machine

You can add client provisioning resources from the local disk, which you previously downloaded from Cisco.

Before you begin

Be sure to upload only current, supported resources to Cisco ISE. Older, unsupported resources are likely to cause serious issues for client access.

If you are downloading the resource files manually from Cisco.com, see the section “Cisco ISE Offline Updates” in the Cisco ISE Release Notes.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Choose Add > Agent resources from local disk.

Step 3

Choose Cisco Provided Packages from the Category drop-down list.

Step 4

Click Browse and navigate to the directory on your local machine that contains the resource file you want to add to Cisco ISE.

You can add AnyConnect or Cisco Web Agent resources that you previously downloaded from Cisco to your local machine.

Step 5

Click Submit.


What to do next

After you have successfully added client provisioning resources to Cisco ISE, you can configure client provisioning resource policies.

Add Customer Created Resources for AnyConnect from a Local Machine

Add customer created resources like AnyConnect customization and localization packages and AnyConnect profiles from the local machine to Cisco ISE.

Before you begin

Ensure that customer created resources for AnyConnect are zipped files and available in your local disk.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client provisioning > Resources.

Step 2

Choose Add > Agent Resources from local disk.

Step 3

Choose Customer Created Packages from the Category drop-down list.

Step 4

Enter the name and description for AnyConnect resources.

Step 5

Click Browse and navigate to the directory on your local machine that contains the resource file you want to add to Cisco ISE.

Step 6

Choose the following AnyConnect resources to upload to Cisco ISE:

  • AnyConnect customization bundle
  • AnyConnect localization bundle
  • AnyConnect profile
  • Advanced Malware Protection (AMP) Enabler Profile

Step 7

Click Submit.

The Uploaded AnyConnect Resources table displays AnyConnect resources that you add to Cisco ISE.

What to do next

Create AnyConnect agent configuration.

Create Native Supplicant Profiles

You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user signs in, Cisco ISE uses the profile that you associated with that user’s authorization requirements to choose the necessary supplicant provisioning wizard. The wizard runs and sets up the user’s personal device to access the network.


Note

The provisioning wizard only configures interfaces that are active. Because of this, users with wired and wireless connections are not provisioned for both interfaces unless both interfaces are active.


Before you begin

  • Open up TCP port 8905 to enable the installation of Cisco AnyConnect Agent, Cisco Web Agent, and supplicant provisioning wizard. For more information about port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Choose Add > Native Supplicant Profile.

Step 3

Create a profile, using the procedure described in Native Supplicant Profile Settings.


What to do next

Enable self-provisioning capabilities that allow employees to directly connect their personal devices to the network, as described in the Support for multiple Guest Portals section.

Native Supplicant Profile Settings

When you choose Policy > Policy Elements > Results > Client Provisioning > Resources > Add > Native Supplicant Profile, the following settings are displayed.

  • Name: Enter the name of the native supplicant profile that you are creating.

  • Operating System: Choose which operating system(s) this profile should apply to from the drop-down list.

Each profile defines the settings for a network connection that Cisco ISE will apply to the client's native supplicant.

Wireless Profile

Configure a wireless profile, one for each SSID that you want to make available to the client:

  • SSID Name: Enter the name of the SSID that the client will connect to.

  • Proxy Auto-Config File URL: If the client will connect to a proxy to get the network configuration for its supplicant, enter the URL of that proxy server.

  • Proxy Host/IP: If the client will connect to a proxy to get the network configuration for its supplicant, enter the Host/IP of that proxy server.

  • Proxy Port: If the client will connect to a proxy to get the network configuration for its supplicant, enter the port of that proxy server.

  • Security: Choose either WPA or WPA2.

  • Allowed Protocol: Choose either PEAP or EAP-TLS.

  • Certificate Template: For TLS, choose one of the certificate templates. The certificate templates are defined in Administration > System Certificates > Certificate Authority > Certificate Templates.

Optional Settings

If you expand Optional, the following fields are displayed.

Windows Settings

  • Authentication Mode: Choose User, Machine or both as credentials for authorization.

  • Do not prompt user to authorize new servers or trusted certification authorities: If this option is enabled, the user is not prompted to authorize. User certificates are automatically accepted.

  • Use a different user name for the connection: Applies only to wireless profiles. Check this option to use a different user name for the connection.

  • Connect even if the network is not broadcasting its name (SSID): Applies only to wireless profiles. Check this option to connect to a network even when its SSID is not being broadcast.

iOS Settings

  • Enable if target network is hidden: Check this check box if the target network is hidden.

Wired Profile

  • Allowed Protocol: Choose either PEAP or EAP-TLS.

  • Certificate Template: For TLS, choose one of the certificate templates. The certificate templates are defined in Administration > System Certificates > Certificate Authority > Certificate Templates.

Optional Settings

If you expand Optional, the following fields are also available for Windows clients.

  • Authentication Mode: Choose User, Machine or both as credentials for authorization.

  • Automatically use logon name and password (and domain if any): If you selected User for Authentication Mode, the logon name and password are used without prompting the user, if that information is available.

  • Enable Fast Reconnect: Allow a PEAP session to resume without checking user credentials when the session resume feature is enabled in the PEAP protocol options, which is configured on Administration > System > Settings > Protocols > PEAP.

  • Enable Quarantine Checks: Check if the client has been quarantined.

  • Disconnect if server does not present cryptobinding TLV: Disconnect if cryptobinding TLV is not supported for the network connection.

  • Do not prompt user to authorize new servers or trusted certification authorities: Automatically accept user certificates; do not prompt the user.

Client Provisioning Without URL Redirection for Different Networks

Client provisioning without URL redirection is required when the third party NAC does not support CoA. You can perform client provisioning with and without URL redirection.


Note

For client provisioning with URL redirection, if the client machine has proxy settings configured, ensure that you add Cisco ISE to the list of exceptions in the browser settings. This applies to all flows that use URL redirection (BYOD, MDM, Guest, and Posture). For example, on Windows machines, do the following:

  1. From Control Panel, click Internet Properties.

  2. Select the Connections tab.

  3. Click LAN settings.

  4. Click Advanced from the Proxy server area.

  5. Enter the IP addresses of the Cisco ISE nodes in the Exceptions box.

  6. Click OK.


Given below are the steps you perform to provision an endpoint without redirection for different networks.

Dot1X EAP-TLS

  1. Connect to the Cisco ISE network using the provisioned certificate.

  2. Open a browser window and type in the provisioning URL: provisioning.cisco.com.

  3. Log into the CP portal via internal user, AD, LDAP, or SAML.

    AnyConnect performs posture. The endpoint moves to the right network based on posture compliance.

Dot1X PEAP

  1. Connect to the Cisco ISE network with a user name and password through the NSP.

  2. Open a browser window and type in the provisioning URL: provisioning.cisco.com.

  3. Log into the CP portal via internal user, AD, LDAP, or SAML.

    AnyConnect performs posture. The endpoint moves to the right network based on posture compliance.

MAB (Wired Networks)

  1. Connect to the Cisco ISE network.

  2. Open a browser window and type in the provisioning URL: provisioning.cisco.com.

  3. Log into the CP portal via internal user, AD, LDAP, or SAML.

    AnyConnect performs posture. The endpoint moves to the right network based on posture compliance.

MAB (Wireless Networks)

  1. Connect to the Cisco ISE network.

  2. Open a browser window and type in the provisioning URL: provisioning.cisco.com.

  3. Log into the CP portal via internal user, AD, LDAP, or SAML.

    AnyConnect performs posture. Posture starts for wireless 802.1X only.

AMP Enabler Profile Settings

The following table describes the fields in the Advanced Malware Protection (AMP) Enabler Profile window. The navigation path is: Policy > Policy Elements > Results > Client Provisioning > Resources.

Click the Add drop-down arrow and select the AMP Enabler Profile.

Table 1. AMP Enabler Profile Page (Field Name: Usage Guidelines)

  • Name: Enter the name of the AMP enabler profile that you want to create.

  • Description: Enter a description for the AMP enabler profile.

  • Install AMP Enabler:

    • Windows Installer: Specify the URL of the local server that hosts the AMP for Windows OS software. The AnyConnect module uses this URL to download the .exe file to the endpoint. The file size is approximately 25 MB.

    • Mac Installer: Specify the URL of the local server that hosts the AMP for macOS software. The AnyConnect module uses this URL to download the .pkg file to the endpoint. The file size is approximately 6 MB.

    The Check button communicates with the server to verify whether the URL is valid. If the URL is valid, a "File found" message is displayed; otherwise an error message is displayed.

  • Uninstall AMP Enabler: Uninstalls the AMP for endpoint software from the endpoint.

  • Add to Start Menu: Adds a shortcut for the AMP for endpoint software in the Start menu of the endpoint, after the AMP for endpoint software is installed on the endpoint.

  • Add to Desktop: Adds an icon for the AMP for endpoint software on the desktop of the endpoint, after the AMP for endpoint software is installed on the endpoint.

  • Add to Context Menu: Adds the Scan Now option in the right-click context menu of the endpoint, after the AMP for endpoint software is installed on the endpoint.

Create an AMP Enabler Profile Using the Embedded Profile Editor

You can create the AMP enabler profile using the Cisco ISE embedded profile editor or the standalone editor.

To create the AMP enabler profile using the Cisco ISE embedded profile editor:

Before you begin

  • Download the AMP for Endpoint software from the SOURCEfire portal and host it on a local server.

  • Import the certificate of the server that hosts the AMP for endpoint software to the ISE certificate store by navigating to Administration > Certificates > Trusted Certificates.

  • Ensure that the AMP Enabler options are selected in the AnyConnect Module Selection and Profile Selection sections in the AnyConnect Configuration window (Policy > Policy Elements > Results > Client provisioning > Resources > Add > AnyConnect Configuration > Select AnyConnect Package).

  • You must log in to the SOURCEfire portal, create policies for endpoint groups, and download the AMP for endpoint software. The software comes preconfigured with the policies that you have chosen. You must download two images, namely, the redistributable version of the AMP for endpoint software for Windows OS and AMP for endpoint software for macOS. The downloaded software is hosted on a server that is accessible from the enterprise network.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Click the Add drop-down.

Step 3

Choose AMP Enabler Profile to create a new AMP enabler profile.

Step 4

Enter the appropriate values in the fields.

Step 5

Click Submit to save the profile in the Resources window.


Create an AMP Enabler Profile Using the Standalone Editor

To create an AMP enabler profile using the AnyConnect standalone editor:

Before you begin

You can create an AMP enabler profile by uploading the XML format of the profile using the AnyConnect 4.1 standalone editor.

  • Download the AnyConnect standalone profile editor for Windows and Mac OS from Cisco.com.

  • Launch the standalone profile editor and enter the fields as specified in the AMP Enabler Profile Settings.

  • Save the profile as an XML file in your local disk.

  • Ensure that the AMP Enabler options are selected in the AnyConnect Module Selection and Profile Selection sections in the AnyConnect Configuration window (Policy > Policy Elements > Results > Client provisioning > Resources > Add > AnyConnect Configuration > Select AnyConnect Package).

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client provisioning > Resources.

Step 2

Click Add.

Step 3

Choose Agent resources from local disk.

Step 4

Choose Customer Created Packages from the Category drop-down.

Step 5

Choose AMP Enabler Profile from the Type drop-down.

Step 6

Enter a Name and Description.

Step 7

Click Browse and select the saved profile (XML file) from the local disk. The following example shows a customized install file.

<?xml version="1.0" encoding="UTF-8"?>
<FAProfile xsi:noNamespaceSchemaLocation="FAProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <FAConfiguration>
    <Install>
      <WindowsConnectorLocation>https://fa_webserver/ACFA_Mac_FireAMPSetup.exe</WindowsConnectorLocation>
      <MacConnectorLocation>https://fa_webserver/ACFA_Mac_FireAMPSetup.exe</MacConnectorLocation>
      <StartMenu>true</StartMenu>
      <DesktopIcon>false</DesktopIcon>
      <ContextIcon>true</ContextIcon>
    </Install>
  </FAConfiguration>
</FAProfile>

The following example shows a customized uninstall file.

<?xml version="1.0" encoding="UTF-8"?>
<FAProfile xsi:noNamespaceSchemaLocation="FAProfile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <FAConfiguration>
    <Uninstall>
    </Uninstall>
  </FAConfiguration>
</FAProfile>

Step 8

Click Submit.

The newly created AMP Enabler profile is displayed in the Resources page.

Troubleshoot Common AMP Enabler Installation Errors

When you enter the SOURCEfire URL in the Windows or MAC Installer text box and click Check, you might encounter any of the following errors:

  • Error Message: The certificate for the server containing the Mac/Windows installer file is not trusted by ISE. Add a trust certificate to Administration > Certificates > Trusted Certificates.

    This error message appears if you have not imported the SOURCEfire trusted certificate into the Cisco ISE certificate store. Obtain a SOURCEfire trusted certificate and import it into the Cisco ISE trusted certificate store (Administration > Certificates > Trusted Certificates).

  • Error Message: The installer file is not found at this location, this may be due to a connection issue. Enter a valid path in the Installer text box or check your connection.

    This error message appears when the server hosting the AMP for Endpoint software is down or if there is a typographic error in the Windows Installer or MAC Installer text box.

  • Error Message: The Windows/Mac installer text box does not contain a valid URL.

    This error message appears when you enter a syntactically incorrect URL format.
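The FAProfile XML shown in Step 7 of the standalone-editor procedure and the URL checks behind the Check button errors above can be exercised offline with the following script. It is an added example, not Cisco's profile editor or ISE code: the element names are taken from the profile above, only the URL-syntax check (the third error message) is reproduced, and the amp-files.example.com host is made up.

```python
"""Build and sanity-check AMP Enabler (FAProfile) XML files.

Added example, not Cisco tooling. It relies only on the element names shown on
this page (FAProfile/FAConfiguration/Install|Uninstall, WindowsConnectorLocation,
MacConnectorLocation, StartMenu, DesktopIcon, ContextIcon); host names are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)

# Installer element -> file extension that Table 1 says the AnyConnect module downloads.
CONNECTORS = {"WindowsConnectorLocation": ".exe", "MacConnectorLocation": ".pkg"}
FLAGS = ("StartMenu", "DesktopIcon", "ContextIcon")  # Start menu / desktop / context menu


def _new_profile():
    root = ET.Element("FAProfile", {f"{{{XSI}}}noNamespaceSchemaLocation": "FAProfile.xsd"})
    return root, ET.SubElement(root, "FAConfiguration")


def _serialize(root):
    # Write the declaration by hand; ElementTree's own declaration depends on the locale.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def build_install_profile(windows_url, mac_url, start_menu=True,
                          desktop_icon=False, context_menu=True):
    """Install form of the profile, built from the Table 1 settings."""
    root, config = _new_profile()
    install = ET.SubElement(config, "Install")
    ET.SubElement(install, "WindowsConnectorLocation").text = windows_url
    ET.SubElement(install, "MacConnectorLocation").text = mac_url
    for tag, value in zip(FLAGS, (start_menu, desktop_icon, context_menu)):
        ET.SubElement(install, tag).text = "true" if value else "false"
    return _serialize(root)


def build_uninstall_profile():
    """Uninstall form of the profile: an empty Uninstall element."""
    root, config = _new_profile()
    ET.SubElement(config, "Uninstall")
    return _serialize(root)


def check_installer_url(tag, url, ext):
    """The offline part of what the Check button does: URL syntax only.
    Whether the file exists and whether ISE trusts the server certificate
    require a network fetch and are not checked here."""
    if not url:
        return [f"{tag}: the installer text box is empty"]
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return [f"{tag}: does not contain a valid URL"]
    problems = []
    if parts.scheme != "https":
        # The AnyConnect module fetches this file; http:// gives it no integrity protection in transit.
        problems.append(f"{tag}: installer is not served over HTTPS")
    if not parts.path.lower().endswith(ext):
        problems.append(f"{tag}: expected a {ext} installer, got '{parts.path.rsplit('/', 1)[-1]}'")
    return problems


def validate_profile(xml_text):
    """Return a list of problems; an empty list means the profile looks consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "FAProfile":
        return [f"root element is <{root.tag}>, expected <FAProfile>"]
    install = root.find("FAConfiguration/Install")
    uninstall = root.find("FAConfiguration/Uninstall")
    if (install is None) == (uninstall is None):
        return ["profile must contain exactly one of Install or Uninstall"]
    problems = []
    if install is not None:
        for tag, ext in CONNECTORS.items():
            problems += check_installer_url(tag, (install.findtext(tag) or "").strip(), ext)
        for tag in FLAGS:
            if (install.findtext(tag) or "").strip() not in ("true", "false"):
                problems.append(f"{tag}: must be 'true' or 'false'")
    return problems


def parse_install_settings(xml_text):
    """Read an Install profile back into Table 1 settings (URLs as text, options as bools)."""
    install = ET.fromstring(xml_text).find("FAConfiguration/Install")
    if install is None:
        return None
    settings = {tag: (install.findtext(tag) or "").strip() for tag in CONNECTORS}
    settings.update({tag: (install.findtext(tag) or "").strip() == "true" for tag in FLAGS})
    return settings


if __name__ == "__main__":
    # amp-files.example.com is a constructed host name, not a real server.
    profile = build_install_profile("https://amp-files.example.com/AMPSetup.exe",
                                    "https://amp-files.example.com/AMPSetup.pkg")
    print(profile)
    print(validate_profile(profile))  # []
    print(validate_profile(build_install_profile("not a url", "ftp://x/y.pkg")))
```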

Cisco ISE Support for Onboarding Chromebook Devices

Chromebook devices are managed devices (managed by the Google domain), unlike other devices (Apple, Windows, Android) and have limited onboarding support. Cisco ISE supports the onboarding of Chromebook devices on a network. Onboarding refers to the process of delivering the required settings and files to an endpoint such that it is able to connect securely to a network after authenticating with Cisco ISE. This process includes certificate provisioning and/or native supplicant provisioning. However, in Chromebook devices, you can only perform certificate provisioning. Native supplicant provisioning is done via the Google Admin Console.

Unmanaged Chromebook devices cannot be onboarded to a secure network.

The entities involved in the Chromebook onboarding process are the:

  • Google Administrator

  • ISE Administrator

  • Chromebook User/Device

  • Google Admin Console (Managed by the Google Administrator)

The Google administrator:

  • Secures the following licenses:

    1. Google Apps Administrator license for the Google Admin Console configuration—URL: https://admin.google.com. The Google Admin Console enables an administrator to manage Google services for people in an organization.

    2. Chromebook device management license—URL: https://support.google.com/chrome/a/answer/2717664?hl=en. A Chromebook device management license is used to configure settings and enforce policies for a specific Chromebook device. It gives the Google Administrator access to device settings to control user access, customize features, configure network access, and more.

  • Facilitates provisioning and enrolling of Chromebook devices with a Google device license.

  • Manages Chromebook devices through the Google Admin Console.
  • Sets up and manages the Wi-Fi network configuration for each Chromebook user.
  • Manages the Chromebook devices by configuring applications and forced extensions to be installed on the Chromebook device. Onboarding the Chromebook device requires the Cisco Network Setup Assistant extensions to be installed in the Chromebook device. This allows the Chromebook device to connect to Cisco ISE and install the ISE certificate. The extension is forcibly installed because the action of certificate installation is allowed only for managed devices.
  • Ensures that the Cisco ISE certificates are installed in the Google Admin Console to provide server validation and secure connection. The Google administrator decides whether a certificate should be generated for a device or a user. Cisco ISE provides options to:

    The Google Administrator installs the ISE server certificate so that ISE is trusted to perform the certificate provisioning on the Chromebook device and also to allow EAP-TLS certificate-based authentication. Google Chrome version 37 and higher supports certificate-based authentication for Chromebook devices. The Google administrator needs to load the ISE provisioning application in the Google Admin Console and make it available to the Chromebook devices so that they can obtain the certificate from ISE.

  • Ensures that the recommended Google host names are allowed in the ACL definition list configured in the WLC for SSL secure connections. Refer to the recommended and allowed host names in the Google Support page.

The ISE Administrator:

  • Defines the native supplicant profile for the Chromebook OS that includes the certificate template structure.

  • Creates the necessary authorization rules and client provisioning policies in Cisco ISE for Chromebook users.

The Chromebook User:

  • Wipes out the Chromebook device and enrolls it to the Google domain to secure the enforced policy that was defined by the Google administrator.

  • Receives the Chromebook device policies and the Cisco Network Setup Assistant forced extension installed by the Google Admin Console.

  • Connects to the provisioned SSID, as defined by the Google administrator, opens the browser, displays the BYOD pages, and starts the onboarding process.

  • The Cisco Network Setup Assistant installs a client certificate in the Chromebook device, which allows the device to perform EAP-TLS certificate-based authentication.

The Google Admin Console:

The Google Admin Console supports Chromebook device management and allows configuring a secure network and pushing Cisco Network Setup Assistant certificate management extensions to the Chromebook. The extension sends an SCEP request to Cisco ISE and installs the client certificate to allow secure connection and access to the network.

Best Practices for Using Chromebook Device in a Shared Environment

When a Chromebook device is used in a shared environment, such as schools and libraries, the Chromebook device is shared by different users. Some of the best practices that Cisco recommends include:

  • When onboarding a Chromebook device with a specific user (student or professor) name, the user's name will be populated in the Common Name (CN) in the Subject field of the certificate. Also, the shared Chromebook is listed in the My Devices portal under that specific user. Therefore, it is recommended for shared devices to use a shared credential when onboarding, so that devices show up only under the specific user’s My Devices portal listing. The shared account can be administered by the administrator or professor as a separate account to control shared devices.

  • The Cisco ISE administrator can create a custom certificate template for shared Chromebook devices and use it in the policy. For example, instead of using the standard certificate template that matches the Subject-Common Name (CN) value, you can specify a Name (for example, chrome-shared-grp1) in the certificate and the same name can be assigned to the Chromebook device. A policy can be designed to match the name to allow or deny access to a Chromebook device.

  • The Cisco ISE administrator can create an endpoint group containing the MAC addresses of all the Chromebook devices that need to go through Chromebook onboarding (devices for which access needs to be restricted). The authorization rule should call this out along with the device type Chromebook; this allows access to be redirected to the NSP.

Configure the Network and Force Extensions in the Google Admin Console

The Google administrator performs the following steps.

Procedure


Step 1

Log in to the Google Admin Console.

  1. Enter the following URL: https://admin.google.com in the browser.

  2. Enter the required username and password.

  3. In the Welcome to Admin Console window, click Device Management.

  4. On the Device Management window, click Network.

Step 2

Set up the Wi-Fi network for managed devices.

  1. In the Networks window, click Wi-Fi.

  2. Click Add Wi-Fi to add the required SSIDs. See Google Admin Console - Wi-Fi Network Settings for more information.

    For MAB flows, create two SSIDs, one for the open network, and the other for certificate authentication. When you connect to the open network, Cisco ISE ACLs redirect you to the credentialed guest portal for authentication. After successful authentication, ACLs redirect you to the BYOD portal.

    If the ISE certificate is issued by an intermediate CA, then you must map the intermediate certificate to the "Server certificate authority", instead of to the Root CA.

  3. Click Add.

Step 3

Create the forced extensions.

  1. In the Device Management window, under Device Settings, click Chrome Management.

  2. Click User Settings.

  3. Scroll down, and in the Apps and Extensions section, in the Force-Installed Apps and Extensions option, click Manage Force-Installed Apps.

Step 4

Install the forced extensions.

  1. In the Force-Installed Apps and Extensions window, click Chrome Web Store.

  2. In the Search text box, type "Cisco Network Setup Assistant" to locate the extension.

    The forced Cisco Network Setup Assistant extension of the Chromebook device requests the certificate from Cisco ISE, and installs the ISE certificate on the Chromebook device. The extension must be configured as force-installed because certificate installation is only allowed for managed devices. If the extension was not installed during the enrollment process, the Cisco ISE certificate cannot be installed.

    See the Cisco ISE Internationalization and Localization section in

  3. Click Add to force install apps.

  4. Click Save.

Step 5

(Optional) Define the configuration file to install a certificate in a Chromebook device which is shared by multiple users.

  1. Copy and paste the following code into a Notepad file and save it to your local disk.

    {
      "certType": {
        "Value": "system"
      }
    }
  2. Choose Device Management > Chromebook Management > App Management.

  3. Click the Cisco Network Setup Assistant extension.

  4. Click User Settings and choose your domain.

  5. Click Upload Configuration File and choose the .txt file that you saved in your local disk.

    Note

    In order for the Cisco Network Setup Assistant to create a certificate for a device that is shared by multiple users, you must add the Notepad file in the Google Admin Console. Otherwise, the Cisco NSA creates a certificate for a single user.

  6. Click Save.

Step 6

(Optional) Install a certificate for a single user who does not share the Chromebook.

  1. Choose Device Management > Network > Certificates.

  2. In the Certificates window, click Add Certificate and upload the Cisco ISE certificate file.


What to do next

Configure Cisco ISE for Chromebook onboarding.

Configure Cisco ISE for Chromebook Onboarding

Before you begin

The Cisco ISE administrator must create the required policy in the Policy > Policy Sets window.

Given below is an example of an authorization policy:

Rule Name: Full_Access_After_Onboarding, Conditions: If RegisteredDevices AND Wireless_802.1x AND Endpoints:BYODRegistration EQUALS Yes AND Certificate: Subject Alternative Name Equals Radius Calling-Station-ID AND Network Access: EAP-Authentication EQUALS EAP-TLS Then CompliantNetworkAccess.

The CompliantNetworkAccess is an authorization result configured in the Policy > Policy Elements > Results > Authorization > Authorization Profiles window.
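To show how this rule binds the Chromebook's client certificate to the device that is actually authenticating, here is an added example evaluator; it is not Cisco ISE code. The session attribute names, the expansion of the Wireless_802.1x compound condition into Service-Type and NAS-Port-Type checks, and the sample sessions are assumptions for illustration.

```python
"""Evaluate this page's example authorization rule against a RADIUS/certificate session.

Added example, not Cisco ISE code. Session attribute names and the expansion of the
Wireless_802.1x compound condition (Service-Type=Framed and NAS-Port-Type=Wireless-IEEE802.11)
are assumptions made for illustration.
"""
import re

# Spellings a MAC address commonly arrives in: colon/dash pairs, Cisco dotted quads, bare hex.
MAC_FORMS = (
    re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$"),
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)


def normalize_mac(value):
    """Canonical lowercase 'aabbccddeeff' for the usual MAC spellings, else None.
    Calling-Station-ID is formatted by the NAS; the SAN carries whatever the certificate
    template wrote, so both sides are normalized before they are compared."""
    text = (value or "").strip().lower()
    if not any(form.match(text) for form in MAC_FORMS):
        return None
    return re.sub(r"[^0-9a-f]", "", text)


def san_equals_calling_station_id(session):
    """'Certificate: Subject Alternative Name Equals Radius Calling-Station-ID':
    the presented client certificate must name the MAC that is authenticating,
    so a certificate copied from one Chromebook does not authorize another."""
    csid = normalize_mac(session.get("Calling-Station-ID"))
    if csid is None:
        return False
    return any(normalize_mac(san) == csid for san in session.get("Certificate-SAN", ()))


# The rule from this page, as an ordered list of (condition name, predicate).
FULL_ACCESS_AFTER_ONBOARDING = (
    ("RegisteredDevices",
     lambda s: "RegisteredDevices" in s.get("IdentityGroups", ())),
    ("Wireless_802.1x",
     lambda s: s.get("Service-Type") == "Framed" and s.get("NAS-Port-Type") == "Wireless-IEEE802.11"),
    ("Endpoints:BYODRegistration EQUALS Yes",
     lambda s: s.get("BYODRegistration") == "Yes"),
    ("Certificate SAN Equals Calling-Station-ID", san_equals_calling_station_id),
    ("Network Access: EAP-Authentication EQUALS EAP-TLS",
     lambda s: s.get("EAP-Authentication") == "EAP-TLS"),
)


def evaluate(session, rule=FULL_ACCESS_AFTER_ONBOARDING, result="CompliantNetworkAccess"):
    """Return (result, None) when every condition holds (the rule is an AND), or
    (None, first failing condition) so an operator can see why a Chromebook did not
    land in CompliantNetworkAccess and fell through to later rules."""
    for name, predicate in rule:
        if not predicate(session):
            return None, name
    return result, None


# Constructed sample session (not captured from a real deployment).
ONBOARDED = {
    "IdentityGroups": ["RegisteredDevices"],
    "Service-Type": "Framed",
    "NAS-Port-Type": "Wireless-IEEE802.11",
    "BYODRegistration": "Yes",
    "Calling-Station-ID": "AA-BB-CC-DD-EE-FF",  # as a WLC typically formats it
    "Certificate-SAN": ["aa:bb:cc:dd:ee:ff"],   # as the certificate template wrote it
    "EAP-Authentication": "EAP-TLS",
}

if __name__ == "__main__":
    print(evaluate(ONBOARDED))
    # Same session, but presenting a certificate issued for a different device.
    print(evaluate(dict(ONBOARDED, **{"Certificate-SAN": ["11:22:33:44:55:66"]})))
```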

Procedure


Step 1

Configure the Native Supplicant Profile (NSP) on Cisco ISE.

  1. Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

    The Chromebook device is displayed in the Client Provisioning page for a fresh Cisco ISE installation. However, for upgrade, you should download posture updates from the Administration > System > Settings > Posture > Updates window.

  2. Click Add > Native Supplicant Profile.

  3. Enter the Name and Description.

  4. In the Operating System field, choose Chrome OS All.

  5. In the Certificate Template field, select the required certificate template.

  6. Click Submit. Observe that the SSID is provisioned via the Google Admin Console and not through the native supplicant provisioning flow.

Step 2

Map the NSP in the Client Provisioning page.

  1. Choose Policy > Client Provisioning.

  2. Define the result.

    • Choose the in-built Native Supplicant configuration (Cisco-ISE-Chrome-NSP) in the Results of the client provisioning policy.

    • Or, create a new rule and ensure to choose the Result created for the Chromebook device.


Wipe a Chromebook Device

The Chromebook device must be wiped after the Google Administrator has configured the Google Admin Console. The Chromebook user wipes the device once; this forces the extensions and network settings defined in the Admin Console onto the device. For more information, see https://support.google.com/chrome/a/answer/1360642.

The Chromebook user performs the following steps:

Procedure


Step 1

Press Esc-Refresh-Power key combination. The screen displays a yellow exclamation point (!).

Step 2

Press the Ctrl-D key combination to begin developer mode, then press Enter. The screen displays a red exclamation point.

Step 3

Press the Ctrl-D key combination. The Chromebook deletes its local data and returns to its initial state. The deletion takes approximately 15 minutes.

Step 4

When the transition completes, press the Spacebar key, then press the Enter key to return to verified mode.

Step 5

Enroll the Chromebook before signing in.


What to do next

Enroll Chromebook to the Google Admin Console.

Enroll Chromebook to the Google Admin Console

In order to provision a Chromebook device, the Chromebook user must first enroll in the Google Admin Console page and receive device policies and forced extensions.

Procedure


Step 1

Turn on the Chromebook device and follow the onscreen instructions until you see the sign on screen. Do not sign in yet.

Step 2

Before signing in to the Chromebook device, press the Ctrl-Alt-E key combination. The Enterprise Enrollment screen appears.

Step 3

Enter your email address and click Next.

You will receive the following message: Your device has successfully been enrolled for enterprise management.

Step 4

Click Done.

Step 5

Enter the username and password from your Google admin welcome letter, or the username and password for an existing Google Apps user on your account that has eligibility to enroll.

Step 6

Click Enroll Device. You will receive a confirmation message that the device has been successfully enrolled.

Note that the Chromebook enrollment is a one-time process.


Connect Chromebook to the Cisco ISE Network for BYOD On Boarding

This procedure is for dual SSID. To connect to an 802.1X network using the EAP-TLS protocol, the Chromebook user performs the following steps:


Note


If you are using dual SSID, when moving from the 802.1X PEAP SSID to the EAP-TLS SSID, connect to the network by entering your credentials in the network supplicant, not in the web browser.


Procedure


Step 1

In the Chromebook, click Settings.

Step 2

In the Internet Connection section, click Provisioning Wi-Fi Network, and then click your network.

Step 3

The credentialed guest portal opens.

  1. On the Sign On page, enter the Username and Password.

  2. Click Sign-on.

Step 4

In the BYOD Welcome page, click Start.

Step 5

In the Device Information field, enter a name and a description for your device. For example, for a personal device: "Jane's Chromebook, used for school"; for a shared device: "Library Chromebook #1" or "Classroom 1 Chromebook #1".

Step 6

Click Continue.

Step 7

Click Yes in the Cisco Network Setup Assistant dialog box to install the certificate to access the secure network.

If the Google Administrator configured secure Wi-Fi, the network connection should happen automatically. If it does not, choose the secure SSID from the list of available networks.

Chromebook users who have already enrolled in the domain, and have the Cisco Network Setup Assistant extension, can update the extension without waiting for the auto update. Manually update the extension by performing the following steps.

  1. In your Chromebook, open the browser and enter the following URL: chrome://extensions.

  2. Check the Developer Mode check box.

  3. Click Update Extensions Now.

  4. Verify that the Cisco Network Setup Assistant extension version is 2.1.0.35 or later.


Google Admin Console - Wi-Fi Network Settings

The Wi-Fi network configuration is used to configure an SSID in a customer network or to match the certificate using certificate attributes (for EAP-TLS). When the certificate is installed in the Chromebook, it is synchronized with the Google admin settings. Connection is established only when one of the defined certificate attributes matches the SSID configuration.

Listed below are the mandatory fields, specific to EAP-TLS, PEAP, and Open network flows, which the Google administrator configures to set up the Wi-Fi network in the Google Admin Console page (Device Management > Network > Wi-Fi > Add Wi-Fi) for each Chromebook user.

Each field is listed with the value to set for the EAP-TLS, PEAP, and Open flows.

Name
  • EAP-TLS, PEAP, Open: Enter the name of the network connection.

Service Set Identifier (SSID)
  • EAP-TLS, PEAP, Open: Enter the SSID (for example, tls_ssid).

This SSID Is Not Broadcast
  • EAP-TLS, PEAP, Open: Select the option.

Automatically Connect
  • EAP-TLS, PEAP, Open: Select the option.

Security Type
  • EAP-TLS, PEAP: WPA/WPA2 Enterprise (802.1x)
  • Open: Open

Extensible Authentication Protocol
  • EAP-TLS: EAP-TLS
  • PEAP: PEAP
  • Open: Not applicable

Inner Protocol
  • EAP-TLS, Open: Not applicable
  • PEAP: Automatic, MSCHAP v2 (select this option), MD5, PAP, MSCHAP, or GTC

Outer Identity
  • EAP-TLS, Open: Not applicable
  • PEAP: Optional. Either set a fixed value or use a variable from the user login: ${LOGIN_ID} or ${LOGIN_EMAIL}.

Username and Password
  • EAP-TLS, Open: Not applicable
  • PEAP: Enter the PEAP credentials that ISE authenticates (an internal ISE user, an Active Directory user, or another ISE identity source) in the Username and Password fields.

Server Certificate Authority
  • EAP-TLS, PEAP: Select the ISE certificate (imported from Device Management > Network > Certificates).
  • Open: Not applicable

Restrict Access to this Wi-Fi Network by Platform
  • EAP-TLS, PEAP: Select Mobile Devices and Chromebooks.
  • Open: Not applicable

Client Enrollment URL
  • EAP-TLS: Enter the URL to which the Chromebook browser is redirected for users who are not yet enrolled. Configure ACLs on the Wireless LAN Controller to redirect unenrolled users.
  • PEAP, Open: Not applicable

Issuer Pattern
  • EAP-TLS: Attributes of the Issuer field of the certificate (the CA that signed it). Select at least one attribute in Issuer Pattern or Subject Pattern; Chrome OS accepts an installed certificate for this SSID only when every attribute you set matches that certificate.
    • Common Name: the Common Name (CN) in the issuer name.
    • Locality: the locality (city) in the issuer name.
    • Organization: the organization name (O) in the issuer name.
    • Organizational Unit: the organizational unit name (OU) in the issuer name.
  • PEAP, Open: Not applicable

Subject Pattern
  • EAP-TLS: Attributes of the Subject field of the certificate (the identity the certificate was issued to). The same rule applies: set at least one attribute here or in Issuer Pattern, and every attribute you set must match the installed certificate.
    • Common Name: the Common Name (CN) in the subject name.
    • Locality: the locality (city) in the subject name.
    • Organization: the organization name (O) in the subject name.
    • Organizational Unit: the organizational unit name (OU) in the subject name.
  • PEAP, Open: Not applicable

Proxy Settings
  • EAP-TLS, PEAP: Direct Internet Connection (select this option), Manual Proxy Configuration, or Automatic Proxy Configuration
  • Open: Not applicable

Apply Network
  • EAP-TLS, PEAP: By User
  • Open: Not applicable

Monitor Chromebook Device Activities in Cisco ISE

Cisco ISE provides various reports and logs to view information related to the authentication and authorization of Chromebook devices. You can run these reports either on demand or on regular basis. You can view the authentication method (for example, 802.1x) and authentication protocol (for example, EAP-TLS) in the Operations > RADIUS > Live Logs window. You can also identify the number of end points that are classified as Chromebook devices by navigating to the Work Centers > Network Access > Identities > Endpoints window.

Troubleshoot Chromebook Device Onboarding

This section describes problems that you may encounter while onboarding your Chromebook device.

  • Error: Unable to install the extension from the webstore—You cannot install the extension from the webstore. It will be automatically installed on your Chromebook device by the network administrator.

  • Error: Completed the installation of the certificate, however, unable to connect to the secure network—Verify on the Admin Console that the installed certificate matches defined Issuer/Subject attribute pattern. You can get information about installed certificate from: chrome://settings/certificates

  • Error: Displays an error message "Obtain Network Certificate", when trying to manually connect to the secure network on the Chromebook—Click Get New Certificate, the browser opens and redirects you to the ISE BYOD flow to install the certificate. However, if you are unable to connect to the secure network, verify on the Admin Console that the installed certificate matches the defined Issuer/Subject attribute pattern.

  • Error: Clicked Get New Certificate but was forwarded to the www.cisco.com site—The user must be connected to the provisioning SSID in order to be redirected to ISE and begin the certificate installation process. Make sure that the correct access list is defined for this network.

  • Error: Displays an error message "Only managed devices can use this extension. Contact helpdesk or network administrator"—Chromebook is a managed device and the extension must be configured as a forced install to gain access to the Chrome OS APIs to install the certificate on the device. Although, the extension can be installed manually by downloading it from the Google web store, an unenrolled Chromebook user cannot install the certificate.

    An unenrolled Chromebook device can still obtain a certificate if the user belongs to the Domain Users group. The extension tracks the domain user on any device, so a domain user can generate user-based authentication keys on an unenrolled device.

  • Error: Unclear of the order in which SSIDs are connected in the Google Admin Console—
    • If several SSIDs (PEAP and EAP-TLS) are configured on the Google Admin Console, after the certificate is installed and the attributes are matched, the Chrome OS automatically connects to the SSID with certificate-based authentication regardless of the order in which the SSIDs are configured.

    • If two EAP-TLS SSIDs match the same attribute, the connection depends on other factors such as signal strength and other network level signals, which cannot be controlled by the user or admin.

    • If multiple EAP-TLS certificates are installed on the Chromebook device and all of them match the certificate pattern configured on the Admin Console, the newest certificate will be used for the connection.
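The Issuer/Subject pattern rules in the Wi-Fi settings table above and the selection rules in this troubleshooting list ("every set attribute must match", "the newest matching certificate wins") can be checked offline. The following Python model is an added example, not Cisco or Google code: it parses the issuer and subject distinguished names of the certificates installed on a Chromebook (as they appear in chrome://settings/certificates), reports which pattern attribute a non-matching certificate fails, and picks the certificate Chrome OS would use. The sample certificate store, the pattern values, and the use of RFC 4514 DN strings as input are constructed for the example.

```python
"""Model of how a Chrome OS Issuer/Subject pattern selects an installed client
certificate, and why a connection can fail after the certificate is installed.

Added example (not Cisco or Google code). Certificates are represented as
RFC 4514 distinguished-name strings plus a validity start; real certificates
would be read from chrome://settings/certificates. The pattern keys CN, L, O
and OU correspond to the Common Name, Locality, Organization and
Organizational Unit fields in the Admin Console.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


def parse_dn(dn: str) -> dict[str, str]:
    """Parse 'CN=Jane,OU=Students,O=Example School' into {'CN': 'Jane', ...}.

    Handles backslash-escaped commas inside values; for a repeated attribute
    type the last value wins, which is enough for pattern matching.
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs: dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass(frozen=True)
class InstalledCert:
    label: str          # how the cert appears in chrome://settings/certificates
    issuer: str         # Issuer DN (the CA that signed it)
    subject: str        # Subject DN (who the cert was issued to)
    not_before: datetime


def mismatches(cert: InstalledCert, issuer_pattern: dict[str, str],
               subject_pattern: dict[str, str]) -> list[str]:
    """Return a human-readable list of pattern attributes this cert fails.

    An empty list means the cert is acceptable for the SSID. Every attribute
    set in a pattern must equal the corresponding DN attribute exactly.
    """
    if not issuer_pattern and not subject_pattern:
        raise ValueError("set at least one Issuer Pattern or Subject Pattern attribute")
    problems = []
    for field_name, pattern, dn in (("Issuer", issuer_pattern, parse_dn(cert.issuer)),
                                    ("Subject", subject_pattern, parse_dn(cert.subject))):
        for attr, wanted in pattern.items():
            actual = dn.get(attr.upper())
            if actual != wanted:
                problems.append(f"{field_name} {attr}: pattern wants {wanted!r}, cert has {actual!r}")
    return problems


def select_cert(certs: list[InstalledCert], issuer_pattern: dict[str, str],
                subject_pattern: dict[str, str]) -> InstalledCert | None:
    """Pick the cert Chrome OS would use: newest (latest not_before) among matches."""
    candidates = [c for c in certs if not mismatches(c, issuer_pattern, subject_pattern)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.not_before)


# Constructed sample certificate store for a shared library Chromebook.
SAMPLE_CERTS = [
    InstalledCert("byod-2019", "CN=ISE BYOD CA,O=Example School",
                  "CN=library-cb-01,OU=Shared Devices,O=Example School", datetime(2019, 9, 1)),
    InstalledCert("byod-2020", "CN=ISE BYOD CA,O=Example School",
                  "CN=library-cb-01,OU=Shared Devices,O=Example School", datetime(2020, 9, 1)),
    InstalledCert("guest-wifi", "CN=Other CA,O=Vendor\\, Inc.",
                  "CN=guest,O=Vendor\\, Inc.", datetime(2021, 1, 1)),
]
ISSUER_PATTERN = {"O": "Example School"}       # only the CA's Organization is pinned
SUBJECT_PATTERN = {"OU": "Shared Devices"}


if __name__ == "__main__":
    chosen = select_cert(SAMPLE_CERTS, ISSUER_PATTERN, SUBJECT_PATTERN)
    print("selected:", chosen.label if chosen else None)
    for cert in SAMPLE_CERTS:
        print(cert.label, mismatches(cert, ISSUER_PATTERN, SUBJECT_PATTERN) or "OK")
```

When a user reports "certificate installed but cannot connect", run the installed certificate's issuer and subject through mismatches() with the patterns from the Admin Console; the returned line names the exact attribute that disagrees.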

Cisco AnyConnect Secure Mobility

Cisco ISE uses an integrated module in Cisco AnyConnect for Cisco ISE posture requirements. Cisco AnyConnect is the posture agent that coexists with Cisco ISE NAC Agent on the same endpoint. Only one of the agents is active at a time.


Note


AnyConnect does not support the CWA flow. You cannot provision AnyConnect from the Guest portal using the Require guest device compliance field in the Work Centers > Guest Access > Portals & Components > Guest Portals > Create, Edit, or Duplicate > Portal Behavior and Flow Settings > Guest Device Compliance Settings window. Instead, provision AnyConnect from the Client Provisioning portal; this results in redirection as configured in the authorization permissions.


When you integrate Cisco ISE with the Cisco AnyConnect agent, Cisco ISE:

  • Serves as a staging server to deploy Cisco AnyConnect Version 4.0 and future releases

  • Interacts with the AnyConnect posture component for Cisco ISE posture requirements

  • Supports deployment of Cisco AnyConnect profiles, customization and language packages, and OPSWAT library updates for Windows and Mac OS X operating systems

  • Supports Cisco AnyConnect and legacy agents at the same time


Note


When switching network mediums, you must change the default gateway so the posture module can detect the changed network and reassess the client.


Create AnyConnect Configuration

AnyConnect configuration includes AnyConnect software and its associated configuration files. This configuration can be used in the client provisioning policy that allows users to download and install AnyConnect resources on the clients. If you use both ISE and an ASA to deploy AnyConnect, then the configurations must match on both headends.

To push the ISE posture module when connected to a VPN, Cisco recommends that you install the AnyConnect agent through Cisco Adaptive Security Appliance (ASA), which uses the Cisco's Adaptive Security Device Manager (ASDM) GUI tool. ASA does the installation using the VPN downloader. With the download, the ISE posture profile is pushed via ASA, and the discovery host needed for later provisioning the profile is available before the ISE posture module contacts ISE. Whereas with ISE, the ISE posture module will get the profile only after ISE is discovered, which could result in errors. Therefore, ASA is recommended to push the ISE posture module when connected to a VPN.


Note


When Cisco ISE is integrated with ASA, ensure that the Accounting mode is set to Single in ASA. Accounting data is sent to only one accounting server in Single mode.

Before you begin

Before configuring an AnyConnect configuration object, you must:

  1. Download the AnyConnect Headend Deployment package and compliance module from Cisco Software download page.

  2. Upload these resources to Cisco ISE (see Add Cisco Provided Client Provisioning Resources from a Local Machine).

  3. (Optional) Add the customization and localization bundles (see Add Customer Created Resources for AnyConnect from a Local Machine).

  4. Configure an AnyConnect posture agent profile (see Create a Posture Agent Profile).

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Click Add to create an AnyConnect configuration.

Step 3

Choose AnyConnect Configuration.

Step 4

Choose an AnyConnect Package, which you previously uploaded. For example, AnyConnect DesktopWindows xxx.x.xxxxx.x .

Step 5

Enter the name for the current AnyConnect Configuration. For example, AC Config xxx.x.xxxxx.x.

Step 6

Choose the compliance module, which you previously uploaded. For example, AnyConnect ComplianceModulewindows x.x.xxxx.x.

Step 7

Check one or more AnyConnect module check boxes. For example, choose one or more modules from the following: ISE Posture, VPN, Network Access Manager, Web Security, AMP Enabler, ASA Posture, Start Before Log on (only for Windows OS), and Diagnostic and Reporting Tool.

Note

 
Un-checking the VPN module under AnyConnect Module Selection does not disable the VPN tile in the provisioned client. You must configure VPNDisable_ServiceProfile.xml to disable the VPN tile on AnyConnect GUI. In a system where AnyConnect is installed at the default location, you can find this file under C:\Program Files\Cisco. If AnyConnect is installed at a different location, then the file will be available under <AnyConnect Installed path>\Cisco.

Step 8

Choose AnyConnect profiles for selected AnyConnect modules. For example, ISE Posture, VPN, NAM, and Web Security.

Step 9

Choose AnyConnect customization and localization bundles.

Step 10

Click Submit.


Create a Posture Agent Profile

Use this procedure to create an AnyConnect posture agent profile, where you can specify parameters that define the agent behavior for the posture protocol.

Procedure


Step 1

Choose Policy > Policy Elements > Results > Client Provisioning > Resources.

Step 2

Click Add.

Step 3

Choose NAC AnyConnect Agent Posture Profile.

Step 4

Under Posture Agent Profile Settings, choose AnyConnect

Step 5

Configure parameters for the following:

  • Cisco ISE posture agent behavior

  • Client IP Address Changes

  • Cisco ISE posture protocol

Step 6

Click Submit.


Client IP Address Refresh Configuration

The following table describes the fields in the NAC AnyConnect Posture Profile window that configure how the client renews or refreshes its IP address after a VLAN change. Choose Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC or AnyConnect Posture Profile.

For each field, the default value, the mode (which applies only to the Cisco NAC Agent), and the usage guidelines are listed.

VLAN detection interval
  • Default value: 0 (Windows), 5 (Mac OS X)
  • Mode: Merge
  • Usage guidelines: The interval at which the agent checks for a VLAN change.
    • For the Windows NAC agent the default is 0, so the Access to Authentication VLAN change feature is disabled by default. The valid range is 0 to 5 seconds.
    • For the Mac OS X agent the default is 5, so the feature is enabled by default with VlanDetectInterval set to 5 seconds. The valid range is 5 to 900 seconds.
    • 0: the Access to Authentication VLAN change feature is disabled.
    • 1 to 5: the agent sends an Internet Control Message Protocol (ICMP) or Address Resolution Protocol (ARP) query every 5 seconds.
    • 6 to 900: an ICMP or ARP query is sent every x seconds.

Enable VLAN detection without UI (not applicable to a Mac OS X client)
  • Default value: No
  • Mode: Merge
  • Usage guidelines: Enables or disables VLAN detection even when no user is logged in.
    • No: VLAN detection is disabled.
    • Yes: VLAN detection is enabled.

Retry detection count
  • Default value: 3
  • Mode: Merge
  • Usage guidelines: If ICMP or ARP polling fails, the agent retries x times before refreshing the client IP address.

Ping or ARP
  • Default value: 0 (valid range 0 to 2)
  • Mode: Merge
  • Usage guidelines: The method used to detect a client IP address change.
    • 0: poll using ICMP.
    • 1: poll using ARP.
    • 2: poll using ICMP first, then ARP if ICMP fails.

Maximum timeout for ping
  • Default value: 1 (valid range 1 to 10 seconds)
  • Mode: Merge
  • Usage guidelines: Poll using ICMP; if there is no response within this time, declare an ICMP polling failure.

Enable agent IP refresh
  • Default value: Yes
  • Mode: Overwrite
  • Usage guidelines: Whether the client machine renews or refreshes its IP address after the switch (or WLC) changes the VLAN of the client's login session on the respective switch port.

DHCP renew delay
  • Default value: 0 (valid range 0 to 60 seconds)
  • Mode: Overwrite
  • Usage guidelines: How long the client machine waits before requesting a new IP address from the network DHCP server.

DHCP release delay
  • Default value: 0 (valid range 0 to 60 seconds)
  • Mode: Overwrite
  • Usage guidelines: How long the client machine waits before releasing its current IP address.


Note


Merge parameter values with existing agent profile settings or overwrite them to appropriately configure clients on Windows and Mac OS X clients for refreshing IP addresses.
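The settings above interact: the detection interval decides how often the agent probes, Ping or ARP decides what a probe is, the retry count decides how many consecutive failures mean "the VLAN changed", and the two delays shape the release/renew that follows. The following Python model is an added example, not Cisco agent code. It validates a profile against the ranges in the table and replays a constructed sequence of probe outcomes so the effect of each setting is visible. The reading that a refresh happens after the initial failure plus Retry detection count failed retries is an assumption, as is the use of the release delay before the renew delay.

```python
"""Model of the NAC/AnyConnect posture agent's VLAN-change detection and IP
refresh settings.

Added example (not Cisco code). It validates a profile against the ranges the
table gives and simulates the poll/retry/release/renew sequence; the reading
that a refresh follows the initial failure plus 'Retry detection count' failed
retries, and that the release delay elapses before the renew delay, are
assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IpRefreshProfile:
    platform: str                      # "windows" or "macosx"
    vlan_detection_interval: int       # seconds; 0 disables the feature
    enable_vlan_detection_without_ui: bool = False   # ignored on Mac OS X
    retry_detection_count: int = 3
    ping_or_arp: int = 0               # 0 ICMP, 1 ARP, 2 ICMP then ARP
    max_ping_timeout: int = 1          # seconds before an ICMP poll counts as failed
    enable_agent_ip_refresh: bool = True
    dhcp_renew_delay: int = 0          # seconds
    dhcp_release_delay: int = 0        # seconds


def validate(p: IpRefreshProfile) -> list[str]:
    """Return the settings that fall outside the documented valid ranges."""
    errors = []
    low, high = (0, 5) if p.platform == "windows" else (5, 900)
    if not low <= p.vlan_detection_interval <= high:
        errors.append(f"VLAN detection interval {p.vlan_detection_interval} not in {low}..{high} for {p.platform}")
    if p.ping_or_arp not in (0, 1, 2):
        errors.append("Ping or ARP must be 0, 1 or 2")
    if not 1 <= p.max_ping_timeout <= 10:
        errors.append("Maximum timeout for ping must be 1..10 seconds")
    for name in ("dhcp_renew_delay", "dhcp_release_delay"):
        if not 0 <= getattr(p, name) <= 60:
            errors.append(f"{name} must be 0..60 seconds")
    return errors


def effective_poll_interval(p: IpRefreshProfile) -> int | None:
    """Seconds between polls, or None when detection is disabled (interval 0)."""
    v = p.vlan_detection_interval
    if v == 0:
        return None
    return 5 if v <= 5 else v          # 1..5 means 'every 5 seconds'


def poll_ok(p: IpRefreshProfile, icmp_ok: bool, arp_ok: bool) -> bool:
    """Apply the Ping or ARP method to one probe outcome."""
    if p.ping_or_arp == 0:
        return icmp_ok
    if p.ping_or_arp == 1:
        return arp_ok
    return icmp_ok or arp_ok           # mode 2: ICMP first, ARP only if ICMP fails


def simulate(p: IpRefreshProfile, probes: list[tuple[bool, bool]]) -> list[str]:
    """Run the detector over a sequence of (icmp_ok, arp_ok) probe results.

    Returns an event log; each refresh records when the release and the renew
    would be issued, including the configured delays.
    """
    interval = effective_poll_interval(p)
    if interval is None:
        return ["VLAN detection disabled (interval 0)"]
    events, failures, clock = [], 0, 0
    for icmp_ok, arp_ok in probes:
        clock += interval
        if poll_ok(p, icmp_ok, arp_ok):
            failures = 0
            events.append(f"t={clock}s poll ok")
            continue
        failures += 1
        events.append(f"t={clock}s poll failed ({failures - 1}/{p.retry_detection_count} retries used)")
        if failures < p.retry_detection_count + 1:
            continue                   # still retrying
        failures = 0
        if not p.enable_agent_ip_refresh:
            events.append(f"t={clock}s VLAN change suspected, agent IP refresh disabled")
            continue
        release_at = clock + p.dhcp_release_delay
        renew_at = release_at + p.dhcp_renew_delay
        events.append(f"t={release_at}s DHCP release")
        events.append(f"t={renew_at}s DHCP renew")
    return events


def refresh_times(p: IpRefreshProfile, probes: list[tuple[bool, bool]]) -> list[int]:
    """Clock values at which a DHCP renew would be issued."""
    return [int(e.split("s ")[0][2:]) for e in simulate(p, probes) if e.endswith("DHCP renew")]


# Constructed profile and probe sequence: one transient ICMP loss, then a real VLAN move.
WINDOWS_PROFILE = IpRefreshProfile("windows", vlan_detection_interval=1, retry_detection_count=2,
                                   ping_or_arp=2, dhcp_release_delay=2, dhcp_renew_delay=3)
SAMPLE_PROBES = [(True, True), (False, True), (False, False), (False, False), (False, False)]

if __name__ == "__main__":
    print("\n".join(simulate(WINDOWS_PROFILE, SAMPLE_PROBES)))
```

With the sample profile the second probe loses ICMP but ARP still answers, so mode 2 treats it as success; three consecutive total failures (initial plus two retries) then trigger a release at t=27s and a renew at t=30s. Switching ping_or_arp to 0 would have counted the ARP-only success as a failure, which is worth knowing on networks that filter ICMP.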

Posture Protocol Settings

Field Name

Default Value

Usage Guidelines

Continuous Endpoint Attribute Monitoring

You can use the AnyConnect agent to continuously monitor different endpoint attributes to ensure that dynamic changes are observed during posture assessment. This improves the overall visibility of an endpoint and helps you create posture policies based on their behavior. The AnyConnect agent monitors applications that are installed and running on an endpoint. You can turn on and off the feature and configure how often the data should be monitored. By default, data is collected every 5 minutes and is stored in the database. During initial posture, AnyConnect reports a complete list of running and installed applications. After initial posture, the AnyConnect agent scans the applications every X minute and sends the differences from the last scan to the server. The server displays the complete list of running and installed applications.
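The exchange described above (a complete inventory at initial posture, then only the differences from the previous scan, merged back into a full list on the server) is easy to get subtly wrong if a delta is lost in transit. The following Python model is an added example, not Cisco code: the message layout, the sequence numbers, and the rule that a gap in sequence numbers makes the server discard the delta and ask for a full report are design choices made for this example, and the scan contents are constructed.

```python
"""Model of the continuous endpoint attribute monitoring exchange: a full
application inventory at initial posture, then periodic deltas that the server
merges back into a complete view.

Added example (not Cisco code); the message layout, sequence numbers and the
resync rule are assumptions chosen to show how a lost delta is handled.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Inventory:
    installed: frozenset[str]
    running: frozenset[str]


@dataclass(frozen=True)
class Report:
    kind: str                  # "full" or "delta"
    seq: int                   # increments per report so gaps are detectable
    installed_added: frozenset[str]
    installed_removed: frozenset[str]
    running_started: frozenset[str]
    running_stopped: frozenset[str]


class AgentMonitor:
    """Endpoint side: remembers the last scan and emits only the differences."""

    def __init__(self) -> None:
        self.last: Inventory | None = None
        self.seq = 0

    def scan(self, current: Inventory) -> Report:
        self.seq += 1
        prev = self.last
        self.last = current
        if prev is None:                       # initial posture: complete list
            return Report("full", self.seq, current.installed, frozenset(),
                          current.running, frozenset())
        return Report("delta", self.seq,
                      current.installed - prev.installed, prev.installed - current.installed,
                      current.running - prev.running, prev.running - current.running)

    def resend_full(self) -> Report:
        """Answer a server resync request with the complete current inventory."""
        assert self.last is not None
        self.seq += 1
        return Report("full", self.seq, self.last.installed, frozenset(),
                      self.last.running, frozenset())


class ServerView:
    """ISE side: rebuilds the complete list from full reports and deltas."""

    def __init__(self) -> None:
        self.installed: set[str] = set()
        self.running: set[str] = set()
        self.last_seq = 0

    def apply(self, r: Report) -> bool:
        """Apply a report; return False (and change nothing) if a delta was missed."""
        if r.kind == "full":
            self.installed, self.running = set(r.installed_added), set(r.running_started)
        elif r.seq != self.last_seq + 1:
            return False                       # gap: a delta was lost, ask for a full report
        else:
            self.installed = (self.installed - r.installed_removed) | r.installed_added
            self.running = (self.running - r.running_stopped) | r.running_started
        self.last_seq = r.seq
        return True

    def snapshot(self) -> Inventory:
        return Inventory(frozenset(self.installed), frozenset(self.running))


def run_cycles(scans: list[Inventory], drop_seq: int | None = None) -> Inventory:
    """Feed scans through agent and server, optionally dropping one delta in transit."""
    agent, server = AgentMonitor(), ServerView()
    for inv in scans:
        report = agent.scan(inv)
        if report.seq == drop_seq:
            continue                           # simulated transport loss
        if not server.apply(report):
            server.apply(agent.resend_full())
    return server.snapshot()


# Constructed scans: three 5-minute cycles on one endpoint.
SAMPLE_SCANS = [
    Inventory(frozenset({"chrome", "office", "vpnclient"}), frozenset({"chrome"})),
    Inventory(frozenset({"chrome", "office", "vpnclient", "zoom"}), frozenset({"chrome", "zoom"})),
    Inventory(frozenset({"chrome", "vpnclient", "zoom"}), frozenset({"zoom"})),
]
```

Without the sequence check, a dropped delta would leave the server showing "office" as installed and "chrome" as running after the third scan, and a posture policy keyed on those attributes would evaluate against stale data.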

Cisco Web Agent

The Cisco Web Agent provides temporal posture assessment for client machines.

Users can launch the Cisco Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet.

After users log in to the Cisco Web Agent, the Web Agent gets the requirements that are configured for the user role and the operating system from the Cisco ISE server, checks the host registry, processes, applications, and services for required packages and sends a report back to the Cisco ISE server. If requirements are met on the client machine, the user is allowed network access. If requirements are not met, the Web Agent presents a dialog to the user for each requirement that is not satisfied. The dialog provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept the restricted network access while they try to remediate the client system so that it meets requirements for the user login role.


Note


ActiveX is supported only on the 32-bit versions of Internet Explorer. You cannot install ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.


Configure Client Provisioning Resource Policies

For clients, the client provisioning resource policies determine which users receive which version of resources (agents, agent compliance modules, and agent customization packages or profiles) from Cisco ISE upon login and user session initiation.

For AnyConnect, resources can be selected from the Client Provisioning Resources window to create an AnyConnect configuration that you can use in the Client Provisioning Policy window. AnyConnect configuration specifies the AnyConnect software and its association with different configuration files that includes AnyConnect binary package for Windows and macOS clients, compliance module, module profiles, customization, and language packages.

Before you begin

  • Before you can create effective client-provisioning resource policies, ensure that you have added resources to Cisco ISE. When you download the agent compliance module, it always overwrites the existing one, if any, available in the system.

  • Check the native supplicant profile that is used in the client provisioning policy and ensure that the wireless SSID is correct. For iOS devices, if the network that you are trying to connect is hidden, check the Enable if target network is hidden check box in the iOS Settings area.

Procedure


Step 1

Choose Policy > Client Provisioning.

Step 2

From the Behavior drop-down list, choose one of the following options:

  • Enable: Ensures Cisco ISE uses this policy to help fulfill client-provisioning functions when users log in to the network and conform to the client-provisioning policy guidelines.

  • Disable: Cisco ISE does not use the specified resource policy to fulfill client-provisioning functions.

  • Monitor: Disables the policy and “watches” the client-provisioning session requests to see how many times Cisco ISE tries to invoke based on the “Monitored” policy.

Step 3

Enter a name for the new resource policy in the Rule Name text box.

Step 4

Specify one or more Identity Groups to which a user who logs into Cisco ISE might belong.

You can choose to specify the Any identity group type, or choose one or more groups from a list of existing Identity Groups that you have configured.

Step 5

Use the Operating Systems field to specify one or more operating systems that might be running on the client machine or device through which the user is logging into Cisco ISE.

You can choose a single operating system like Android, iOS, or macOS, or an umbrella designation that covers a number of client operating systems, like Windows XP (All) or Windows 7 (All).

Note

 

Though the option to select macOS 10.6, 10.7, and 10.8 is available in the Client Provisioning window in Cisco ISE GUI, these versions are not supported by AnyConnect.

Step 6

In the Other Conditions field, specify a new expression that you want to create for this particular resource policy.

Step 7

For client machines, use the Agent Configuration option to specify which agent type, compliance module, agent customization package, and profile to make available and provision on the client machine.

The client provisioning URL must be included in the authorization policy for the agent to pop up on the client machine. This blocks requests from arbitrary clients and ensures that only clients that arrived through the proper redirect URL can request posture assessment.

Step 8

Click Save.


What to do next

After you have successfully configured one or more client provisioning resource policies, you can start to configure Cisco ISE to perform posture assessment on client machines during login.

Configure Cisco ISE Posture Agent in the Client Provisioning Policy

For client machines, configure the agent type, compliance module, agent customization package, and/or profile to make available and provision for users to download and install on the client machine.

Before you begin

You must add client provisioning resources for AnyConnect in Cisco ISE.

Procedure


Step 1

Choose an available agent from the Agent drop-down list and specify whether the agent upgrade (download) defined here is mandatory for the client machine by enabling or disabling the Is Upgrade Mandatory option, as appropriate.

The Is Upgrade Mandatory setting only applies to agent downloads. Agent profile, compliance module, and agent customization package updates are always mandatory.

Step 2

Choose an existing agent profile from the Profile drop-down list.

Step 3

Choose an available compliance module to download to the client machine using the Compliance Module drop-down list.

Step 4

Choose an available agent customization package for the client machine from the Agent Customization Package drop-down list.


Configure Native Supplicants for Personal Devices

Employees can connect their personal devices to the network directly using native supplicants, which are available for Windows, Mac OS, iOS, and Android devices. For personal devices, specify which Native Supplicant configuration to make available and provision on the registered personal device.

Before you begin

Create native supplicant profiles so that when a user logs in, Cisco ISE provides the supplicant provisioning wizard that matches the profile associated with that user's authorization requirements, and the wizard sets up the user's personal device to access the network.

Procedure


Step 1

Choose Policy > Client Provisioning.

Step 2

Choose Enable, Disable, or Monitor from the Behavior drop-down list.

Step 3

Enter a name for the new resource policy in the Rule Name text box.

Step 4

Specify the following:

  • Use the Identity Groups field to specify one or more Identity Groups to which a user who logs into Cisco ISE might belong.
  • Use the Operating System field to specify one or more operating systems that might be running on the personal device through which the user is logging into Cisco ISE.
  • Use the Other Conditions field to specify a new expression that you want to create for this particular resource policy.

Step 5

For personal devices, use Native Supplicant Configuration to choose the specific Configuration Wizard to distribute to these personal devices.

Step 6

Specify the applicable Wizard Profile for the given personal device type.

Step 7

Click Save.


Client Provisioning Reports

You can access the Cisco ISE monitoring and troubleshooting functions to check on overall trends for successful or unsuccessful user login sessions, gather statistics about the number and types of client machines logging into the network during a specified time period, or check on any recent configuration changes in client provisioning resources.

Client Provisioning Requests

The Operations > Reports > ISE Reports > Endpoints and Users > Client Provisioning report displays statistics about successful and unsuccessful client provisioning requests. When you choose Run and specify one of the preset time periods, Cisco ISE combs the database and displays the resulting client provisioning data.

Supplicant Provisioning Requests

The Operations > Reports > ISE Reports > Endpoints and Users > Supplicant Provisioning window displays information about recent successful and unsuccessful user device registration and supplicant provisioning requests. When you choose Run and specify one of the preset time periods, Cisco ISE combs the database and displays the resulting supplicant provisioning data.

The Supplicant Provisioning report provides information about a list of endpoints that are registered through the device registration portal for a specific period of time, including data like the Logged at Date and Time, Identity (user ID), IP Address, MAC Address (endpoint ID), Server, profile, Endpoint Operating System, SPW Version, Failure Reason (if any), and the Status of the registration.

Client Provisioning Event Logs

You can search event log entries to help diagnose a possible problem with client login behavior. For example, you may need to determine the source of an issue where client machines on your network are not able to get client provisioning resource updates upon login. You can use logging entries for Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics.

Portal Settings for Client Provisioning Portals

Portal Settings

  • HTTPS Port: Enter a port value between 8000 and 8999; the default is 8443 for all the default portals except the Blacklist Portal, which uses 8444. If you upgraded with port values outside this range, they are honored until you change anything on this page; after any change, you must update the port setting to comply with this restriction.

  • Allowed Interfaces: Select the PSN interfaces that can run a portal. A PSN can host a portal only on an interface that is both allowed here and available on that PSN. You can configure any combination of physical and bonded interfaces. This is a PSN-wide setting: all portals run only on these interfaces, and the configuration is pushed to every PSN.

    • You must configure the Ethernet interfaces using IP addresses on different subnets.

    • The interfaces you enable here must be available on all your PSNs, including VM-based ones, whenever Policy Service is turned on, because any of these PSNs can be used for the redirect at the start of the guest session.

    • The portal certificate Subject Name/Alternate Subject Name must resolve to the interface IP.

    • Configure ip host x.x.x.x yyy.domain.com in ISE CLI to map secondary interface IP to FQDN, which will be used to match Certificate Subject Name/Alternate Subject Name.

    • If only the bonded NIC is selected, when the PSN attempts to configure the portal it first attempts to configure the Bond interface. If that is not successful, perhaps because there was no bond set upon that PSN, then the PSN logs an error and exits. It will NOT attempt to start the portal on the physical interface.

    • NIC Teaming or bonding is an O/S configuration option that allows you to configure two individual NICs for high availability (fault tolerance). If one of the NICs fails, the other NIC that is part of the bonded connection continues the connection. A NIC is selected for a portal based on the portal settings configuration:

      • If both physical NICs and the corresponding bonded NIC are configured: When the PSN attempts to configure the portal, it first attempts to connect to the Bond interface. If that is not successful, perhaps because there was no bond set up on that PSN, then the PSN attempts to start the portal on the physical interface.

  • Certificate Group Tag: Select the group tag of the certificate group to use for the portal’s HTTPS traffic.

  • Authentication Method: Choose which identity source sequence (ISS) or Identity Provider (IdP) to use for user authentication. The ISS is a list of Identity Stores that are searched in sequence to verify user credentials. Some examples include: Internal Guest Users, Internal Users, Active Directory, and LDAP.

    Cisco ISE includes a default client provisioning Identity Source Sequence for Client Provisioning Portals, Certificate_Request_Sequence.

  • Fully Qualified Domain Name (FQDN): Enter at least one unique FQDN and/or hostname for your Client Provisioning portal. For example, you can enter provisionportal.yourcompany.com, so that when a user enters that name into a browser, they reach the Client Provisioning Portal.

    • Update DNS to ensure that the FQDN of the new URL resolves to a valid Policy Services Node (PSN) IP address. Optionally, this address could point to a load balancer virtual IP address that serves a pool of PSNs.

    • To avoid certificate warning messages due to name mismatches, include the FQDN of the customized URL, or a wildcard, in the subject alternative name (SAN) attribute of the local server certificate of the Cisco ISE PSN.


    Note

    For Client Provisioning without URL redirection, the portal name that is entered in the Fully Qualified Domain Name (FQDN) field must be configured in the DNS configuration. This URL must be communicated to the users to enable Client Provisioning without URL redirection.


  • Idle Timeout: Enter the time in minutes that you want Cisco ISE to wait before it logs out the user if there is no activity in the portal. The valid range is from 1 to 30 minutes.


Note

In the Client Provisioning Portal, you can define the port number and the certificate so that the host allows you to download the same certificate for Client Provisioning and Posture. If the portal certificate is signed by an official certificate authority, you will not receive any security warning. If the certificate is self-signed, you will receive one security warning for both the portals and the Cisco AnyConnect Posture component.
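The port range, the distinct-subnet rule for allowed interfaces, and the requirement that the portal FQDN resolve to a PSN interface IP covered by the certificate's Subject Alternative Name can all be checked before a portal is enabled. The following script is an added example written for this page, not Cisco code or part of Cisco ISE. The resolver is injected so the checks run offline against a constructed name table (standing in for DNS or for the ip host entries configured in the ISE CLI); all hostnames, IP addresses and SAN values in it are constructed sample values.

```python
"""Pre-deployment sanity checks for the Portal Settings described above.

Added example; not Cisco code. Hostnames, IPs and SAN values are constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable

PORT_RANGE = range(8000, 9000)  # 8000-8999, per the HTTPS Port setting


def port_is_valid(port: int) -> bool:
    """The portal HTTPS port must lie in 8000-8999."""
    return port in PORT_RANGE


def interfaces_on_distinct_subnets(interfaces: Iterable[str]) -> bool:
    """Each allowed Ethernet interface (given as 'ip/prefix') must sit on a
    different subnet; returns False if any two share a network."""
    networks = [ipaddress.ip_interface(i).network for i in interfaces]
    return len(set(networks)) == len(networks)


def san_matches(fqdn: str, san_dns_names: Iterable[str]) -> bool:
    """True if the portal FQDN is covered by a dNSName SAN entry.

    A wildcard entry ('*.example.com') matches exactly one left-most label,
    so 'a.b.example.com' and the bare 'example.com' are NOT covered.
    """
    fqdn = fqdn.lower().rstrip(".")
    for entry in san_dns_names:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            suffix = entry[1:]                      # '.example.com'
            if fqdn.endswith(suffix):
                leftmost = fqdn[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif entry == fqdn:
            return True
    return False


def check_portal(
    fqdn: str,
    port: int,
    san_dns_names: Iterable[str],
    allowed_interface_ips: Iterable[str],
    resolve: Callable[[str], list[str]],
) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: list[str] = []
    san_dns_names = list(san_dns_names)
    if not port_is_valid(port):
        problems.append(f"HTTPS port {port} is outside 8000-8999")
    if not san_matches(fqdn, san_dns_names):
        problems.append(f"{fqdn} is not covered by certificate SAN entries {san_dns_names}")
    addresses = set(resolve(fqdn))
    if not addresses:
        problems.append(f"{fqdn} does not resolve")
    elif not addresses & set(allowed_interface_ips):
        problems.append(
            f"{fqdn} resolves to {sorted(addresses)}, none of which is an allowed PSN interface IP"
        )
    return problems


# Constructed name table standing in for DNS or for ISE CLI 'ip host' entries.
CONSTRUCTED_NAMES = {
    "provisionportal.yourcompany.com": ["192.0.2.10"],
    "oldportal.yourcompany.com": ["198.51.100.7"],
}


def constructed_resolve(name: str) -> list[str]:
    """Offline stand-in for a DNS lookup."""
    return CONSTRUCTED_NAMES.get(name.lower().rstrip("."), [])


if __name__ == "__main__":
    print(interfaces_on_distinct_subnets(["192.0.2.10/24", "192.0.3.10/24"]))
    print(check_portal("provisionportal.yourcompany.com", 8443,
                       ["*.yourcompany.com"], {"192.0.2.10"}, constructed_resolve))
    print(check_portal("oldportal.yourcompany.com", 9443,
                       ["provisionportal.yourcompany.com"], {"192.0.2.10"}, constructed_resolve))
```

To use it against a live deployment, replace constructed_resolve with a real lookup (for example socket.getaddrinfo) and feed the SAN list from the PSN's actual portal certificate; the wildcard rule deliberately refuses multi-label matches, which is the case that most often produces the name-mismatch warning the page describes.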


Login Page Settings

  • Enable Login: Select this check box to enable the login step in the Client Provisioning Portal.

  • Maximum failed login attempts before rate limiting: Specify the number of failed login attempts from a single browser session before Cisco ISE starts to artificially slow down the rate at which login attempts can be made, preventing additional login attempts. The time between attempts after this number of failed logins is reached is specified in Time between login attempts when rate limiting.

  • Time between login attempts when rate limiting: Set the length of time in minutes that a user must wait before attempting to log in again, after failing to log in the number of times defined in Maximum failed login attempts before rate limiting.

  • Include an AUP (on page/as link): Display your company’s network-usage terms and conditions, either as text on the page currently being displayed for the user or as a link that opens a new tab or window with AUP text.

  • Require acceptance: Require users to accept an AUP before they can access the portal. The Login button is not enabled unless the user accepts the AUP. If users do not accept the AUP, they will not be able to access the portal.

  • Require scrolling to end of AUP: This option displays only if Include an AUP on page is enabled. Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP.
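The two rate-limiting settings above work together: the first sets how many failed attempts a single browser session gets, the second sets how long that session must wait afterwards. The model below is an added example written for this page, not Cisco code, and it makes one assumption the page does not state: when the waiting period expires, the failure counter for that session starts again from zero. Session identifiers and times are constructed.

```python
"""Model of the login rate-limiting settings (added example, not Cisco code).

Failures are counted per browser session id. After max_failed consecutive
failures the session is refused until wait_minutes have elapsed; a successful
login clears the counter. Resetting the counter once the block expires is an
assumption of this model.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LoginRateLimiter:
    max_failed: int          # "Maximum failed login attempts before rate limiting"
    wait_minutes: float      # "Time between login attempts when rate limiting"
    _failures: dict[str, int] = field(default_factory=dict)
    _blocked_until: dict[str, float] = field(default_factory=dict)

    def attempt(self, session_id: str, credentials_ok: bool, now: float) -> str:
        """Evaluate one login attempt at time `now` (in minutes).

        Returns 'rate_limited', 'success' or 'failed'. While a session is
        rate limited even correct credentials are refused, and the refused
        attempt does not extend the waiting period.
        """
        until = self._blocked_until.get(session_id)
        if until is not None:
            if now < until:
                return "rate_limited"
            del self._blocked_until[session_id]   # block expired (assumption: counter reset)
            self._failures[session_id] = 0
        if credentials_ok:
            self._failures.pop(session_id, None)
            return "success"
        count = self._failures.get(session_id, 0) + 1
        self._failures[session_id] = count
        if count >= self.max_failed:
            self._blocked_until[session_id] = now + self.wait_minutes
        return "failed"

    def blocked_until(self, session_id: str) -> float | None:
        """Time (minutes) until which the session is refused, or None."""
        return self._blocked_until.get(session_id)


def simulate(limiter: LoginRateLimiter, events: list[tuple[str, bool, float]]) -> list[str]:
    """Replay (session_id, credentials_ok, time) events and return the outcomes."""
    return [limiter.attempt(session, ok, t) for session, ok, t in events]


if __name__ == "__main__":
    # Constructed sequence: three failures from session s1, then a correct login
    # inside the wait window, an unrelated session s2, and s1 again after the wait.
    limiter = LoginRateLimiter(max_failed=3, wait_minutes=5)
    print(simulate(limiter, [
        ("s1", False, 0.0), ("s1", False, 0.5), ("s1", False, 1.0),
        ("s1", True, 2.0), ("s2", True, 2.0), ("s1", True, 6.0),
    ]))
```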

Acceptable Use Policy (AUP) Page Settings

  • Include an AUP: Display your company’s network-usage terms and conditions on a separate page to the user.

  • Require scrolling to end of AUP: Ensure that the user has read the AUP completely. The Accept button activates only after the user has scrolled to the end of the AUP.

  • On first login only: Display an AUP when the user logs into the network or portal for the first time only.

  • On every login: Display an AUP each time the user logs into the network or portal.

  • Every ______ days (starting at first login): Display an AUP periodically after the user first logs into the network or portal.

Post-Login Banner Page Settings

Include a Post-Login Banner page: Display additional information after the users successfully log in and before they are granted network access.

Change Password Settings

Allow internal users to change their own passwords: Allow employees to change their passwords after they log in to the Client Provisioning Portal. This only applies to employees whose accounts are stored in the Cisco ISE database and not to those stored in external databases, such as Active Directory or LDAP.

HTML Support for Client Provisioning Portal Language Files

The navigation path to this portal's Instructional Text, Content, Optional Content 1, and Optional Content 2 text boxes is Administration > Device Portal Management > Client Provisioning Portals > Edit > Portal Page Customization > Pages. You can use the View HTML Source icon in the mini-editor and add HTML code in your content.

These dictionary keys in the portal's language properties files support HTML in their text.

Note

This is not a complete list of the dictionary keys in the files.


  • key.guest.ui_client_provision_agent_installed_instructions_without_java_message

  • key.guest.ui_contact_instruction_message

  • key.guest.ui_success_message

  • key.guest.ui_client_provision_unable_to_detect_message

  • key.guest.ui_client_provision_instruction_message

  • key.guest.ui_client_provision_agent_installation_message

  • key.guest.ui_client_provision_posture_agent_check_message

  • key.guest.ui_vlan_instruction_message

  • key.guest.ui_client_provision_agent_installation_instructions_with_no_java_message

  • key.guest.ui_success_instruction_message

  • key.guest.ui_vlan_optional_content_1

  • key.guest.ui_vlan_optional_content_2

  • key.guest.ui_contact_optional_content_2

  • key.guest.ui_contact_optional_content_1

  • key.guest.ui_client_provision_posture_check_compliant_message

  • key.guest.ui_client_provision_optional_content_2

  • key.guest.ui_client_provision_optional_content_1

  • key.guest.ui_error_optional_content_2

  • key.guest.ui_error_optional_content_1

  • key.guest.ui_client_provision_posture_check_non_compliant_message

  • key.guest.ui_vlan_install_message

  • key.guest.ui_success_optional_content_1

  • key.guest.ui_success_optional_content_2

  • key.guest.ui_client_provision_posture_agent_scan_message
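Because these keys accept HTML, a language properties file that has been customized by hand is worth linting before it is uploaded: markup placed under a key that is not HTML-capable will not render as intended, and the markup under the HTML-capable keys should stay within whatever tag set your organization permits for portal text. The linter below is an added example written for this page, not Cisco code or a Cisco tool. HTML_CAPABLE_KEYS is a subset of the keys listed above (the page notes the list is incomplete); SAFE_TAGS, the event-handler check and the sample file are assumptions of the example.

```python
"""Linter for a portal language properties file (added example, not Cisco code).

HTML_CAPABLE_KEYS is a subset of the dictionary keys listed on this page.
SAFE_TAGS and the sample file content are assumptions made for the example.
"""
from __future__ import annotations

import re

HTML_CAPABLE_KEYS = {
    "key.guest.ui_client_provision_instruction_message",
    "key.guest.ui_client_provision_agent_installation_message",
    "key.guest.ui_success_message",
    "key.guest.ui_success_instruction_message",
    "key.guest.ui_contact_instruction_message",
    "key.guest.ui_contact_optional_content_1",
    "key.guest.ui_contact_optional_content_2",
    "key.guest.ui_client_provision_optional_content_1",
    "key.guest.ui_client_provision_optional_content_2",
    "key.guest.ui_error_optional_content_1",
    "key.guest.ui_error_optional_content_2",
}
# Markup an administrator typically needs for instructional text (assumption).
SAFE_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "span", "div"}

TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
KEY_VALUE_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    backslash line continuation. \\uXXXX escapes are left undecoded (assumption)."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]          # continued on the next line
            continue
        match = KEY_VALUE_RE.match(pending + line)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2)
    return props


def lint_properties(props: dict[str, str]) -> list[str]:
    """Report HTML under non-HTML keys, unexpected tags, and inline handlers."""
    findings: list[str] = []
    for key, value in props.items():
        tags = {t.lower() for t in TAG_RE.findall(value)}
        if not tags:
            continue
        if key not in HTML_CAPABLE_KEYS:
            findings.append(f"{key}: contains HTML {sorted(tags)} but is not a listed HTML-capable key")
            continue
        unexpected = tags - SAFE_TAGS
        if unexpected:
            findings.append(f"{key}: tags {sorted(unexpected)} are outside SAFE_TAGS")
        if EVENT_ATTR_RE.search(value) or "javascript:" in value.lower():
            findings.append(f"{key}: inline event handler or javascript: URL found")
    return findings


# Constructed sample; not a real Cisco ISE language file.
SAMPLE_PROPERTIES = r"""
# constructed sample of a portal language properties file
key.guest.ui_client_provision_instruction_message=Install the agent to continue.<br/>\
    See <b>Help</b> if the installation stalls.
key.guest.ui_success_message=<p>You are now connected.</p>
key.guest.ui_client_provision_some_other_label=Welcome <i>back</i>
key.guest.ui_contact_optional_content_1=<a href="https://helpdesk.example.com" onclick="x()">Help desk</a>
"""


if __name__ == "__main__":
    for finding in lint_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run it over an exported language file before uploading the customization; the first finding class catches keys that silently drop your markup, the second and third flag markup that a reviewer should look at before it reaches every user of the portal.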