Cisco 5508 Wireless Controller Troubleshooting Guide

credentials in order to proceed to the provisioning phase. After successful authentication, the endpoint can be
provisioned into the endpoints database, and a certificate is generated for the endpoint. A link on the page
allows the employee to download the Supplicant Pilot Wizard (SPW).
Note: Refer to the FlexConnect Feature Matrix Cisco article in order to view the latest FlexConnect feature
matrix for BYOD.
Provisioning for iOS (iPhone/iPad/iPod)
For EAP-TLS configuration, ISE follows the Apple Over-the-Air (OTA) enrollment process:
• After successful authentication, the evaluation engine evaluates client-provisioning policies, which
  results in a supplicant profile.
• If the supplicant profile is for the EAP-TLS setting, the OTA process determines whether the ISE
  certificate is self-signed or signed by an unknown CA. If either condition is true, the user is asked to
  download the certificate of either ISE or the CA before the enrollment process can begin.
• For other EAP methods, ISE pushes the final profile upon successful authentication.
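A pre-deployment check for the condition in the second bullet, written as an added example that is not part of the Cisco guide and not ISE's own logic. It assumes the server certificate and a CA bundle standing in for the endpoint's trust store are available as PEM files; all file names and subjects are constructed.

```bash
#!/usr/bin/env bash
# Added example: classify a server certificate as self-signed, signed by
# an unknown CA, or trusted, relative to a given CA bundle.

# classify_cert CERT BUNDLE -> prints self-signed | unknown-ca | trusted
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    # Same subject and issuer, and the signature verifies with its own key.
    if [ "$subj" = "$iss" ] &&
       openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    # Chains to a CA in BUNDLE (assumed to mirror the endpoint's store;
    # openssl may also consult its default CA directory).
    elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-ca
    fi
}

# selfsigned CN BASENAME: constructed one-day self-signed cert and key.
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# make_constructed_pki DIR: two throwaway CAs, one self-signed server
# cert, and one server cert signed by the first CA (test data only).
make_constructed_pki() {
    selfsigned "Constructed Test CA" "$1/ca"
    selfsigned "Other Constructed CA" "$1/other"
    selfsigned "ise-selfsigned.example.test" "$1/self"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
        -keyout "$1/ise.key" -out "$1/ise.csr" 2>/dev/null
    openssl x509 -req -in "$1/ise.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/ise.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_constructed_pki "$d"
    echo "self-signed server cert:   $(classify_cert "$d/self.pem" "$d/ca.pem")"
    echo "CA-signed, CA in bundle:   $(classify_cert "$d/ise.pem" "$d/ca.pem")"
    echo "CA-signed, CA not trusted: $(classify_cert "$d/ise.pem" "$d/other.pem")"
    rm -rf "$d"
}
demo
```

A result of `self-signed` or `unknown-ca` corresponds to the case where the user is asked to download a certificate before enrollment begins.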
Provisioning for Android
Because of security considerations, the Android agent must be downloaded from the Android marketplace site
and cannot be provisioned from ISE. Cisco uploads a release candidate version of the wizard into the Android
marketplace through the Cisco Android marketplace publisher account.
This is the Android provisioning process:
1. Cisco uses the Software Development Kit (SDK) in order to create the Android package with a .apk
   extension.
2. Cisco uploads a package into the Android marketplace.
3. The user configures the policy in client provisioning with the appropriate parameters.
4. After registration of the device, the end user is redirected to the client provisioning service when
   dot1x authentication fails.
5. The provisioning portal page provides a button that redirects the user to the Android marketplace portal
   where they can download the SPW.
6. The Cisco SPW is launched and performs provisioning of the supplicant:
   1. SPW discovers the ISE and downloads the profile from ISE.
   2. SPW creates a cert/key pair for EAP-TLS.
   3. SPW makes a Simple Certificate Enrollment Protocol (SCEP) proxy request call to ISE and
      gets the certificate.
   4. SPW applies the wireless profiles.
   5. SPW triggers re-authentication if the profiles are applied successfully.
   6. SPW exits.
Dual SSID Wireless BYOD Self-Registration
This is the process for dual SSID wireless BYOD self-registration:
1. The user associates to the Guest SSID.
2. The user opens a browser and is redirected to the ISE CWA Guest Portal.
3. The user enters an employee username and password in the Guest Portal.
4. ISE authenticates the user, and, based on the fact that they are an employee and not a guest, redirects
   the user to the Employee Device Registration guest page.