4042 Views | 6 Helpful | 3 Replies

ISE and Aerohive for BYOB use case

mhornbak@cisco.com
Cisco Employee

Has anyone tested ISE with Aerohive wireless specifically for BYOB?

Accepted Solution

Craig Hyps
Level 10

Basic AAA should work fine. Aerohive does have a RADIUS dictionary file, but it is primarily focused on device admin privilege settings. In general it will leverage standard IETF RADIUS attributes. Examples will often show use of RADIUS Filter-Id (typically used for assigning an ACL) as the attribute returned by the AAA server. The Aerohive AP will then map that to a local user profile.

Regarding advanced flows, one customer reported success with getting Local Web Auth to work (web auth occurs on the local AP, but credentials are sent to ISE for authentication and policy assignment). CWA has not been verified, as it does require that the NAD (Aerohive AP in this case) be able to accept URL redirect info via RADIUS authorization, or else have its own local redirect which is capable of inserting the client MAC or IP as parameters in the user's URI (browser request). ISE 2.1 added support to have the PSN perform the redirect instead of the NAD using an Auth VLAN. This may work, but I am not aware of anyone that has tested this combination with an Aerohive AP. Expect changes to redirection requirements for Posture to be announced soon.

Another general requirement for the AP for advanced flows (those requiring redirection such as CWA, BYOD, MDM integration) is that it must support either SNMP-based or RADIUS-based CoA so that ISE can change policy after web auth via CWA is complete, or when compliance status changes for Posture/MDM. An Aerohive forum post indicated that CoA support was added in 6.4r1 and enhanced in 6.6r1. This is the AAA setting which specifies support for Dynamic Change of Authorization (RFC 3576).

The same post noted that RADIUS Accounting was not supported for MAC authentication, only 802.1X. This would be problematic for flows based on MAC auth like CWA and may cause issues with BYOD if using CWA as the initial auth method instead of 802.1X PEAP. This was a highly requested enhancement for over a year, so maybe it has since been added. You will need to create a new NAD Profile for Aerohive, or else duplicate an existing one which has similar settings. For example, on Aerohive the 802.1X flows will use Service-Type = Framed, but MAC Auth will set Service-Type to Call-Check (similar to Cisco).

General profiling should work with essentially any vendor. Make sure the Calling-Station-Id is set to the client MAC address. This will allow ISE to correlate the profile data received to a specific client MAC.

More formal Aerohive testing by Cisco is in the queue, but not yet completed. Feel free to reach out to your Cisco sales team to request status updates on Aerohive testing and to communicate the priority.

Hope this helps,

Craig

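The answer above hinges on a few standard RADIUS details that are easy to get wrong when building a NAD profile for a third-party AP: the attribute TLV layout (RFC 2865), Service-Type = Framed for 802.1X versus Call-Check for MAC auth, Calling-Station-Id carrying the client MAC in whatever vendor formatting the AP uses, Filter-Id in the Access-Accept, and the authenticator on an RFC 3576 CoA-Request. The following is an added example written for this thread, not code from the post, Cisco ISE or Aerohive. It builds constructed Access-Request packets (the shared secret, MAC addresses, identifiers and the Filter-Id value "BYOD-Guest" are all made up), classifies them by Service-Type the way the post describes, normalizes the MAC for profiling, answers with a Filter-Id, and shows how a CoA-Request authenticator is computed and checked.

```python
import hashlib
import re
import struct

# Standard IETF RADIUS attribute numbers (RFC 2865) and the Service-Type values the
# post describes: Aerohive sends Framed for 802.1X and Call-Check for MAC auth.
USER_NAME, SERVICE_TYPE, FILTER_ID, CALLING_STATION_ID = 1, 6, 11, 31
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_COA_REQUEST = 1, 2, 43  # 43 = CoA-Request (RFC 3576)
HEADER = "!BBH"  # Code, Identifier, Length; followed by the 16-octet Authenticator

SECRET = b"constructed-shared-secret"  # constructed value, not a real deployment secret


def encode_avps(avps):
    """Encode (type, value-bytes) pairs as RADIUS TLV attributes (RFC 2865 section 5)."""
    out = b""
    for attr_type, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value must fit in 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_avps(payload):
    """Decode TLV attributes into {type: [value, ...]}, rejecting bad lengths instead of guessing."""
    avps, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("attribute length runs past end of packet")
        avps.setdefault(attr_type, []).append(payload[pos + 2:pos + length])
        pos += length
    return avps


def normalize_mac(value):
    """Turn a Calling-Station-Id string into aa:bb:cc:dd:ee:ff, or None if it is not a MAC."""
    if re.fullmatch(r"[0-9A-Fa-f:.\-]+", value) is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_access_request(identifier, avps, request_authenticator):
    """Assemble an Access-Request; a real NAD picks the 16-octet authenticator at random."""
    attrs = encode_avps(avps)
    header = struct.pack(HEADER, CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def classify_request(packet):
    """Apply the NAD-profile rule from the post: Framed -> 802.1X, Call-Check -> MAC auth (MAB)."""
    code, identifier, length = struct.unpack(HEADER, packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    avps = decode_avps(packet[20:])
    service_type = struct.unpack("!I", avps[SERVICE_TYPE][0])[0] if SERVICE_TYPE in avps else None
    flow = {SERVICE_TYPE_FRAMED: "802.1X", SERVICE_TYPE_CALL_CHECK: "MAB"}.get(service_type, "unknown")
    station = avps[CALLING_STATION_ID][0].decode("ascii", "replace") if CALLING_STATION_ID in avps else ""
    return {"identifier": identifier, "flow": flow, "mac": normalize_mac(station),
            "request_authenticator": packet[4:20]}


def build_access_accept(identifier, request_authenticator, filter_id, secret):
    """Access-Accept carrying Filter-Id, which the AP maps to a local user profile."""
    attrs = encode_avps([(FILTER_ID, filter_id.encode())])
    header = struct.pack(HEADER, CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def build_coa_request(identifier, avps, secret):
    """CoA-Request (RFC 3576/5176): authenticator is MD5 over the packet with 16 zero octets."""
    attrs = encode_avps(avps)
    header = struct.pack(HEADER, CODE_COA_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(packet, secret):
    """Recompute the CoA-Request authenticator so a receiver can reject forged or mis-keyed packets."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return packet[0] == CODE_COA_REQUEST and packet[4:20] == expected


# Constructed sample requests resembling what an AP would send for MAC auth and for 802.1X.
SAMPLE_MAB_REQUEST = build_access_request(7, [
    (USER_NAME, b"aabbccddeeff"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
], b"\x11" * 16)
SAMPLE_DOT1X_REQUEST = build_access_request(8, [
    (USER_NAME, b"alice"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
    (CALLING_STATION_ID, b"aabb.ccdd.eeff"),
], b"\x22" * 16)
```

Running `classify_request` over the two samples returns "MAB" and "802.1X" respectively, with the Calling-Station-Id normalized to the same `aa:bb:cc:dd:ee:ff` whether the AP used dashes or Cisco-style dotted groups; that normalization is what lets profiling data be correlated to one endpoint. The CoA check is the receiving side of the RFC 3576 requirement in the answer: a NAD that accepts CoA must recompute the authenticator with its shared secret and drop anything that does not match.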

3 Replies


mhornbak@cisco.com wrote:

    Has anyone tested ISE with Aerohive wireless specifically for BYOB?

Would it be possible to post the actual configuration that was used on the Aerohive to get it to talk to ISE?

So does anyone have the configuration data for the BYOD portal, both on the ISE side and on the Aerohive side?