
Cisco dCloud

Cisco ISE 2.3 Device Onboarding and Management v1


Last Updated: 25-APRIL-2018

About This Demonstration


This guide for the preconfigured demonstration includes:

• Requirements

• About This Solution

• Topology

• Get Started

• Scenario 1: Device Onboarding for BYOD

• Scenario 2: Device Management

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Preferred Endpoint Router (optional, but strongly recommended)
● dCloud Endpoint Router Kit, for example an 819HWD router, registered and configured for dCloud (note: the router's
  internal AP will not work with this demo and should be disabled)

Access Point
● Can be used along with an Endpoint Router (preferred), but can also be used without one. See this page for more
  information: https://communities.cisco.com/docs/DOC-75552
● Wireless Access Point supported by WLC 8.5 code:
  https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#pgfId-147162

Monitoring Workstation
● Laptop with AnyConnect

User Devices
● Tablet or smartphone, or an additional laptop (for the best experience use an iOS device; Android also works, but
  BYOD onboarding is not as seamless as on iOS devices)
● Note: BYOD onboarding in this demo is only supported with Mac OS X, Windows, Android and Apple iOS

NOTE: It is required that you have at least two end user devices for this demonstration—one for monitoring and connecting to the
backend components, and at least one device to actually onboard. For example, if you plan on onboarding a laptop during the
demonstration, it is required that you have a second laptop. The first laptop would be necessary to access the dCloud
Workstation1 via RDP (to show the ISE UI and other demo features) and the second laptop would be necessary to demonstrate
joining the hotspot or guest networks.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 26

About This Solution


This guide helps you demonstrate the onboarding process for the Cisco BYOD solution, utilizing the Cisco Identity Services Engine
(ISE) in conjunction with wireless technologies.

The device onboarding sections of this guide demonstrate differentiated levels of network access based on user role. This
demonstration uses three levels of access:

• Guest only access – Users with guest access can access the Internet and the main portal URL, but are not allowed
access to internal portal resources or internal records. Guest user access is covered in the Guest Access Management
demo guide. That guide demonstrates various guest access scenarios including hotspot, self-registered guests, and
sponsored guests.

• Tier 2 Limited Access – Users with Tier 2 level access can access the Internet and the main portal URL for their
scenario, as listed in Table 3—Available Portals. Additionally, they will be able to access the internal resources of the
portal, but will not have access to internal records. Available Tier 2 username information is listed in Table 4—Credentials
and Access Level.

• Tier 1 Full Access – Users with Tier 1 level access have full access to the network resources. This includes full portal
access as well as Internet access. Full portal access allows Tier 1 users to access the main portal page as listed in Table
3—Available Portals, as well as internal resources and internal records for that portal. Available Tier 1 username
information is listed in Table 4—Credentials and Access Level.

See a list of supported user devices at
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#pgfId-207657

NOTE: If you are having problems with any of the redirect flows with ISE and Apple iOS devices, please check this link:

https://communities.cisco.com/community/technology/security/pa/ise/blog/2017/07/07/apple-ios-103-and-ise-web-redirection

NOTE: iOS 9 will not work with BYOD and the well known certificate we are using in this demo.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology

Table 2. Demo Servers and Credentials

Device                IP Address                    Access Method          Username                               Password
Prime Infrastructure  198.18.133.65                 Workstation1 Browser   root                                   C1sco12345
vWLC                  Private: 198.19.11.10         Workstation1 Browser   Session Owner                          Session ID
                      Public: See Session Details   Local Browser          Session Owner                          Session ID
Workstation1          198.18.133.36                 WebRDP or AnyConnect   administrator                          C1sco12345
Exchange Server       198.18.133.2                  WebRDP or AnyConnect   administrator                          C1sco12345
AD1                   198.18.133.1                  WebRDP or AnyConnect   administrator                          C1sco12345
Portals               198.18.133.110                PuTTY                  linuxuser                              C1sco12345
ISE                   198.18.133.27                 Workstation1 Browser   admin, helpdesk_user, security_admin   C1sco12345
CSR                   198.18.133.212                WebRDP or AnyConnect   Session Owner                          Session ID


Table 3. Available Portals

Scenario / Vertical Main Portal URL My Devices Portal URL

Default / dCloud N/A http://mydevices.securitydemo.net

Healthcare http://health.dcloud.cisco.com http://mydevices-health.securitydemo.net

Education http://edu.dcloud.cisco.com http://mydevices-edu.securitydemo.net

Federal http://federal.dcloud.cisco.com http://mydevices-fed.securitydemo.net

Corporate http://corp.dcloud.cisco.com http://mydevices-corp.securitydemo.net

Table 4. Credentials and Access Levels

Scenario / Vertical   Username    Password     Access Level
Healthcare            doctor      C1sco12345   Tier 1 - Full Access
Healthcare            nurse       C1sco12345   Tier 2 - Limited Access
Education             dean        C1sco12345   Tier 1 - Full Access
Education             professor   C1sco12345   Tier 2 - Limited Access
Federal               captain     C1sco12345   Tier 1 - Full Access
Federal               officer     C1sco12345   Tier 2 - Limited Access
Corporate             manager     C1sco12345   Tier 1 - Full Access
Corporate             employee    C1sco12345   Tier 2 - Limited Access


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]

• Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

3. Open Firefox on Workstation1. Your homepage is set to http://topo.dcloud.cisco.com, which allows you to view the topology
and links to backend demo components. Click the home button in Firefox if you ever need to get back to the topology screen.

4. On Workstation1, ensure your Country is enabled on the demo wireless controller (WLC). [Show Me How]

NOTE: The WLC login for this demo requires session specific credentials. The username is the name you use to log in to the
dCloud UI and the password is the session ID. You can obtain this information from the session details section of your active
demo. The generic username of dcloud is also provided, and can be used with the unique session ID as password, if necessary.

Figure 2. Login Credentials for WLC1

5. Provision your 3000, 2000, or 1000 Series AP [Show Me How] or your integrated 819W AP [Show Me How].


NOTE: If using an endpoint router, this step only needs to be completed once. Using an endpoint router is HIGHLY recommended
for these demos. Without an endpoint router, the AP must be re-provisioned with the new demo WLC IP address EACH time you
schedule a new demo.

6. Click on Advanced in the upper right.

7. Configure your AP in FlexConnect mode.

a. From the WLC, click WIRELESS in the menu bar.

b. Click on your AP.

Figure 3. Endpoint AP shown under the Wireless tab of the WLC

c. Click the General tab.

d. Make sure AP Mode is set to FlexConnect and click Apply.


Figure 4. AP Mode - FlexConnect

NOTE: If your AP is not set properly to FlexConnect mode, you will not see any of the SSIDs being broadcast even if your AP is
successfully registered to the controller.

8. Verify your AP is operational. [Show Me How]

• You now have the option of connecting to Workstation1 through the AP. [Show Me How]

9. You may need to complete additional demonstration preparation activities, based on the location of your demonstration.

• Complete the additional demonstration preparation activities for demonstrating at a Cisco Office. [Show Me How]

• Complete the additional demonstration preparation activities for demonstrating at a Customer Site. [Show Me How]


Scenario 1. Device Onboarding for BYOD


Personal mobile devices such as smartphones and tablets have changed the way people work. The user demand for Bring Your
Own Device (BYOD) in the workplace has presented traditional network deployments with quite a challenge. Personal mobile
devices must be allowed to connect to the network securely. Additionally, these mobile devices should only receive the appropriate
level of network access. Cisco ISE has the flexibility to offer many different solutions to the BYOD challenge, ranging from very
simple to extremely complex, depending on customer needs.

In this scenario, employees bring their own personal and mobile devices into the workplace, and wish to connect them to the
network. To do that, you will first connect the device to the open dCloud-Guest SSID and go through an onboarding process. The
onboarding process allows the user to register their device automatically with the ISE system. Once registered, the user will later
be able to manage their personal devices through the ISE My Devices portal. Additionally, during the onboarding process ISE will
generate a digital certificate for the device using a built in certificate authority, and issue the certificate to the user device along with
a profile that instructs the device to connect to the secured dCloud-Registered SSID. After onboarding, the user safely and
securely connects to the secured wireless network using a digital certificate for authentication. Upon joining the secured network,
ISE dynamically assigns authorization policies for the user based on their role, giving the user only the network access required.

Steps

Device Onboarding

1. Clear settings for each personal User BYOD Device used in the demonstration. If device settings are not cleared, you may
not be redirected to the guest portal or other pages when needed.

a. Clear Web Cache. [Show Me How]

b. Clear Personal Device Settings. [Show Me How]

NOTE: Perform the cleanup in Steps 2-11 if you have already completed the Cisco ISE Guest Access Management demonstration
in this session, since ISE and the WLC will still hold the endpoint and client records from that demo. If you have not already
completed that guide, skip to Step 12.

2. From Workstation1 open Firefox, and login to ISE at https://ise.securitydemo.net using one of the following methods:

• Manually typing the URL into the address bar.

• Click the ISE bookmark in the bookmark toolbar.

• Clicking the home button and clicking the ISE icon from the topology homepage.


3. Login as admin/C1sco12345.

Figure 5. Topology Portal

4. Navigate to Context Visibility > Endpoints

5. Check off all endpoints and delete them

NOTE: If you encounter a problem deleting the endpoints, clear your browser cache and try again.


Figure 6. Deleting Endpoints from ISE

6. From Workstation1, access the WLC login page at http://wlc1.dcloud.cisco.com using one of the following methods:

• Manually typing the URL into the address bar.

• Clicking the bookmark for WLC1 in the bookmarks toolbar.

• Clicking the home button in the browser to be brought back to the Topology diagram, and clicking on the vWLC.

7. Login to the vWLC using the same session-specific credentials (dCloud username or dcloud, with the session ID as the
password) that you used to provision endpoints during demonstration preparation.

8. Select Advanced in the Upper Right

9. Click MONITOR in the top menu bar.

10. Click Clients on the left hand listing.

11. Any clients that previously joined the hotspot are listed. Scroll to the right and hover the mouse over the dropdown arrow until
it expands, then click Remove.

Figure 7. Deleting a client from the WLC


12. Connect the personal User BYOD Device to the open network SSID: dCloud-Guest.

NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Guest-123456.

13. Open the supported, built-in web browser on the personal User BYOD Device and browse to the Main Portal URL (shown in
Table 3—Available Portals) for the selected scenario. Click Continue if you encounter a security warning.

• Supported browsers: Apple devices (Safari), Windows devices (IE/Edge (recommended), Chrome or FF), Android devices
(Chrome).

14. Enter the username and password for the selected Tier 2 user on the Guest Portal (refer to Table 4—Credentials and
Access Levels).

15. When prompted, accept installation for certificates, profiles and apps and complete the enrollment process for your device.
[Show Me How]

NOTE: It is highly recommended that you read the Show Me How link above, since Apple devices have new requirements.

NOTE: Starting with ISE 2.2, ISE supports the dual-SSID flow using the Apple mini-browser (Captive Network Assistant) that pops
up automatically when a device joins a network with a captive portal. This demo bypasses captive portal detection so that the
mini-browser does not pop up automatically; using the captive portal is not recommended in this flow. For the pros and cons of the
different flows and methods, see the community post:

https://communities.cisco.com/docs/DOC-71469

NOTE: After device authentication, it may take up to 30 seconds for changes to take effect. If you have trouble connecting to
dCloud-Registered, wait a few moments and try again.

16. After the device supplicant and certificate have been provisioned, your device should be connected to the SSID
dCloud-Registered. If your device does not connect automatically, select the dCloud-Registered SSID in your Wi-Fi
settings.

17. Clear Personal Device Settings to forget the dCloud-Guest network. [Show Me How]

NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Registered-123456.

HIGHLIGHT
• The user device has been onboarded to use the network and has reconnected to the network securely using a certificate.
From this point forward, the device will automatically connect to the corporate network for easy access.
• Explain that entering Guest credentials puts the user through the guest flow. If you enter Network Access Credentials
(AD or internal users, not guests), you are redirected to onboard the device using the BYOD self-provisioning portal instead.
• This demonstrates the dual-SSID flow. A single-SSID flow is also available, in which the user connects to the secure
SSID first using PEAP/MSCHAPv2 and is then onboarded so that subsequent connections use EAP-TLS with the issued
certificate.


Network Security Policy Enforcement for Tier 2 Users

The user device has been successfully onboarded to the network, and should now have the appropriate level of access. Since the
user is a Tier 2 user, they should have access to the Internet, the main portal URL for their scenario as listed in Table 3—Available
Portals, and to internal resources for that portal. However, they should not have access to the internal records of the portal.

1. Open the native browser on the user device and navigate to http://www.cisco.com to demonstrate that the user has Internet
access.

2. Navigate back to the Main Portal URL associated with the selected scenario shown in Table 3—Available Portals (for
example, health.dcloud.cisco.com).

a. Click the General Resources link in the upper left. The user should have access to the general resources. Click the
Home link to return to the Main Portal URL.

b. Click the Internal Resources link in the middle left box. The user should have access to the internal resources section of
the portal.

c. From within the internal resources section, click the link for Internal Records. Depending on the portal, this link may be
named slightly differently, for example, Corporate Financial Records. The user should not have access. Click the Home link
to return to the Main Portal URL.

NOTE: The main portal pages for the four scenarios listed in Table 3—Available Portals differ only slightly. Each portal has the
same basic layout: each has a General Resources link accessible to all users, and an Internal Resources link for Tier 1 and Tier 2
users only. Once inside the internal resources section, each portal has two links that are restricted to Tier 1 users only. The Tier 1
only internal records links are listed below in Table 5—General/Internal Resources and Records per Portal.

For purposes of this demonstration, do not explore the My Registered Devices link on the main page at this time. That link will be
covered later in this demonstration.

Figure 8. The main portal URL for healthcare at http://health.dcloud.cisco.com

Table 5. General/internal Resources and Records per Portal

Scenario / Vertical General Resources (All) Internal Resources (Tier 1 & 2 Only) Internal Records (Tier 1 Only)

Healthcare For Patients and Families For Healthcare Professionals Medical Records / Insurance Server

Education For Students and Guests For Faculty/Educators Student Records / Student Contacts

Federal For Visitors For Federal Agents Background Records / Human Resource Server

Corporate For Customers and Guests For Corporate Employees Corporate Financial Records / HR Records


Cleanup devices

The next step will be to onboard a Tier 1 user device. If you plan to use the same device that you did for Tier 2, you must go
through the cleanup process below. If you use a separate device to onboard for Tier 1, the cleanup process below is not
necessary, and you can continue to the network security policy enforcement for Tier 1 users section below.

NOTE: It is imperative that you follow the instructions below carefully. Because we have already gone through another flow, ISE
has already profiled the device, authenticated it, authorized it, and added it to an endpoint group. In order to be successful with the
next scenario, it is important that we remove the device completely from ISE and the WLC as well as clear local device settings.

1. Clear settings for each personal User BYOD Device used in the demonstration. If device settings are not cleared, you may
not be redirected to the guest portal or other pages when needed.

a. Clear Web Cache. [Show Me How]

b. Clear Personal Device Settings. [Show Me How]

2. From Workstation1 open Firefox, and login to ISE at https://ise.securitydemo.net using one of the following methods:

• Manually typing the URL into the address bar.

• Click the ISE bookmark in the bookmark toolbar.

• Clicking the home button and clicking the ISE icon from the topology homepage.

NOTE: Login using the userid/password combination of admin/C1sco12345.

3. Navigate to Context Visibility > Endpoints

4. Delete all endpoints

NOTE: If you encounter a problem deleting the endpoints, clear your browser cache and try again.

Figure 9. Deleting an Endpoint from ISE

5. From Workstation1 access the WLC login page at http://wlc1.dcloud.cisco.com using one of the following methods:

• Manually typing the URL into the address bar.

• Clicking the bookmark for WLC1 in the bookmarks toolbar.

• Clicking the home button in the browser to be brought back to the Topology diagram, and clicking on the vWLC.


6. Login to the vWLC using the same session-specific credentials (dCloud username or dcloud, with the session ID as the
password) that you used to provision endpoints during demonstration preparation.

7. Click on Advanced in the upper right.

8. Click MONITOR in the top menu bar.

9. Click Clients on the left hand listing.

10. Any clients that previously joined the network are listed. Scroll to the right and hover the mouse over the dropdown arrow until
it expands, then click Remove.

Figure 10. Deleting a client from the WLC

Network Security Policy Enforcement for Tier 1 Users

We have seen how ISE dynamically provided access for a Tier 2 level user. Next, we will demonstrate how ISE offers a different
policy for Tier 1 users that includes access to the internal records.

1. Go through the Device Onboarding section a second time, logging in as a Tier 1 user instead of a Tier 2 user. Once you have
onboarded successfully, and have joined the dCloud-Registered SSID as a Tier 1 user, continue to the next step.

2. Clear Personal Device Settings to forget the dCloud-Guest network. [Show Me How]

NOTE: Throughout the demonstration, you will be connecting to specific dCloud WiFi signals. While we refer to them generically,
they will all be appended with the unique session ID, for example, dCloud-Registered-123456.

3. Open the native browser on the user device and navigate to http://www.cisco.com to demonstrate that the user has Internet
access.

4. Navigate back to the Main Portal URL associated with the selected scenario shown in Table 3—Available Portals above (for
example, health.dcloud.cisco.com).

5. Click the General Resources link in the upper left box. The user should have access to the general resources. Click the
home link to be brought back to the Main Portal URL.

6. Click the Internal Resources link in the middle left box. The user should have access to the internal resources section of the
portal.


7. From within the internal resources section, click the link for Internal Records. As a Tier 1 user, the device should now have
access to the internal records.

Figure 11. Internal Records for Education Portal

Figure 12. Internal Records Accessed

NOTE: For the name of the Internal Records page for each portal, see Table 5—General/Internal Resources and Records per
Portal.

8. Click the Home link to return to the Main Portal URL.


Demonstrating BYOD Flow in ISE

You have now onboarded a device using both Tier 1 and Tier 2 access level credentials. Next, you will look briefly at the ISE UI to
demonstrate the basics of how ISE dynamically profiled the device and dynamically allowed the proper level of access.

1. On Workstation1, launch Firefox.

2. In the Demo Devices section of the topology map, click ISE. This will bring you to the ISE login page at
https://ise.securitydemo.net.

Figure 13. Topology portal

3. Login with the username admin and the password C1sco12345.

4. Select Operations > RADIUS > Live Logs. This screen displays the most recent authentications and authorization attempts
in ISE.

Figure 14. Operations > RADIUS Livelog


In ISE, we can see the registration history as our Tier 2 and Tier 1 users were onboarded.

• Initially, the Tier 2 user connected to the open SSID dCloud-Guest and was authenticated/authorized using MAC
Authentication Bypass (MAB). ISE does not yet know who the user is, so it returns the GUEST_REDIRECT authorization
profile. This profile hands the WLC a redirect URL and a redirect ACL, so the device's web traffic is redirected to the
ISE guest portal until the user authenticates there.

• The user then logged in as nurse (Tier 2 user) and the device was properly profiled as an Apple iPad.

• Once the user went through the onboarding process, the device was issued a digital certificate by the ISE CA, and the
user successfully logged into the secured dCloud-Registered network using the digital certificate. ISE dynamically
assigned the user the TIER2_WIRELESS_ACCESS authorization profile.

• The TIER2_WIRELESS_ACCESS profile returns the name of an ACL that is already preconfigured on the WLC. This
ACL allows the Tier 2 users to get to the main portal and internal portal, but not internal records.

The same sequence of events is visible for the Tier 1 user, with a different outcome at the authorization step.

• We can see that this time the user logged in with the Tier 1 user doctor, and that his device was correctly profiled as an
Apple OSX Mavericks Workstation.

• Because the doctor is a Tier 1 user, ISE assigns the TIER1_WIRELESS_ACCESS policy.

• Similar to the TIER2_WIRELESS_ACCESS policy, this returns to the WLC the name of an ACL. The Tier1 ACL allows
the user to access all portal resources, including internal records.

Figure 15. Tier 2 Onboarding Process

Figure 16. Tier 1 Onboarding Process

NOTE: ISE now features an integrated certificate authority (CA) to issue digital certificates. Next, you will explore the internal ISE
CA and see how it generated certificates for our Tier 1 and Tier 2 users.


5. Go back to the ISE UI and click Administration > System > Certificates.

6. Under Certificate Authority, click Issued Certificates.

Figure 17. Certificates Generated & Issued by Internal ISE CA


Scenario 2. Device Management


Cisco ISE gives you the ability to onboard personal devices. You can also manage those devices in a number of different ways. To
do this, ISE uses the concept of the My Devices Portal. In this scenario, you will demonstrate the ISE My Devices Portal and
show how ISE can blacklist device access when a user device is marked as lost or stolen.

Steps

Revoking Network Access for Lost Devices

1. On Workstation1, launch Firefox from the desktop to access the topology home page at http://topo.dcloud.cisco.com.

2. In the Default Portal Logins section of the topology map, click My Devices. This will bring you to the ISE My Devices Portal
at https://mydevices.securitydemo.net.

Figure 18. Topology Portal

3. Login to the MyDevices portal with the same user credentials you used for the Tier 1 onboarding process (captain, doctor,
dean or manager).


4. Accept the AUP, then click Continue to move to the Manage Devices screen where you should see the device you onboarded
earlier for the Tier 1 user.

Figure 19. Manage Devices page in the My Devices Portal

5. Click any device you previously registered. You are brought to a screen where you can manage the device, and can
perform the following operations:

• Mark the device as lost or stolen.

• Edit the device description.

• Delete the device.

Figure 20. Operations in the Manage Devices section of the My Devices Portal


6. Click Lost to mark the device as being lost.

7. Click Yes to the confirmation window that pops up to confirm you wish to mark the device as lost. Verify the device now shows
as lost under Manage Devices.

NOTE: Because the device has been marked as lost by the user, Cisco ISE revokes network access for this device, adding the
device to a blacklisted device group, and dynamically pushing down a blacklist policy that restricts the device’s network access.

Figure 21. Lost Device

Examining Lost Devices in ISE UI

1. From Workstation1 open Firefox, and login to ISE at https://ise.securitydemo.net using one of the following methods:

• Manually typing the URL into the address bar.

• Click the ISE bookmark in the bookmark toolbar.

• Clicking the home button and clicking the ISE icon from the topology homepage.

2. Log in using the userid/password combination of admin/C1sco12345.


3. Click on the Operations > RADIUS > Live log. This screen displays the most recent authentications and authorization
attempts in ISE. You can see that the user device has been dynamically assigned a new authorization profile called
Blackhole_Wireless_Access.

NOTE: When the user marks a device as lost, ISE adds that device to an internal blacklisted group, and dynamically sends back
the Blackhole_Wireless_Access policy to the device. This policy blacklists the device by sending back to the WLC the name of
an ACL preconfigured on the WLC that denies all traffic.

Figure 22. Blacklisted Device in ISE

4. On the user device that was marked as lost, close the web browser and re-open it. When you try to access a web page,
you are redirected to the ISE blacklist portal. Click Continue through any security or certificate warnings.

Figure 23. Blacklist Portal


Reinstating Network Access For Lost Devices

If the device remains lost, ISE will continue to blacklist it indefinitely. However, if a lost device is found, the user has the ability to
reinstate network access for that device.

1. On Workstation1, navigate to the MyDevices Portal.

2. Select the device marked as lost to get to the Manage Device screen.

3. Click Reinstate and confirm by clicking Yes. The device is again marked as registered instead of lost in the Manage Devices
window.

Figure 24. Reinstate

NOTE: ISE has now reinstated the device. The device has been removed from the blacklist group automatically, and ISE has
dynamically sent back the proper Tier 1 authorization policy to the WLC. This process is seamless to the user, and the user does
not need to go through the onboarding process again.

4. In ISE, click Operations > RADIUS > Live Logs to see the most recent events. You can see that ISE has dynamically pushed
down the TIER1_WIRELESS_ACCESS policy, as the device has been reinstated.

Figure 25. Device Reinstatement in ISE

NOTE: ISE is able to update the device's network access policy on the fly by sending RADIUS Change of Authorization (CoA,
RFC 5176) messages to the WLC, which then re-authorizes or disconnects the existing session instead of waiting for the device to
reconnect. This requires CoA to be configured on the network device and a WLC or switch that supports it.

5. On the user device, open a web browser and access http://www.cisco.com to demonstrate that the device has been
reinstated.


Revoking Network Access for Stolen Devices

1. On Workstation1, navigate to the MyDevices Portal.

2. Click the device you previously registered.

3. Click Stolen to mark the device as being stolen. Click Yes to the confirmation window that pops up to confirm you wish to
mark the device as stolen.

Figure 26. Operations in the Manage Devices Section

4. Verify the device now shows as stolen under manage devices.

Figure 27. Stolen Device


NOTE: Because the device has been marked as stolen by the user, Cisco ISE revokes network access for this device. In this
scenario, ISE has already issued a digital certificate for the device using the internal CA. ISE revokes the certificate that was
previously issued and adds the device to a Stolen device group.

This scenario is notably different from the lost situation, because ISE revokes the device certificate. Once a certificate is
revoked, it cannot be un-revoked. If the device is recovered in the future, it must be re-onboarded and obtain a new digital
certificate from the ISE CA; the old certificate stays revoked.

Once the device is marked as stolen the end user device will immediately be kicked off the network. The device will fail
authentication for all future attempts to access the dCloud-Registered network, due to the revoked device certificate.

It may take up to 30 seconds for ISE to revoke the device certificate.

Even though the device has been designated stolen in ISE, the device may still successfully access a previously connected
wireless network that is not part of the demo.
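The authorization outcomes this guide shows in the RADIUS live log (GUEST_REDIRECT on MAB, TIER1_WIRELESS_ACCESS or TIER2_WIRELESS_ACCESS after EAP-TLS, Blackhole_Wireless_Access for a lost device, and an authentication failure for a stolen device whose certificate was revoked) can be modeled end to end. The following Python script is an added example written for this page; it is not code from the dCloud guide or from Cisco ISE. The authorization profile names are the ones the guide shows; the ACL names, the redirect URL, the CoA types, the MAC address and the username-to-role map are assumptions made for the example. It also shows the edge case the stolen-device note describes: after re-onboarding, the new certificate works while the old, revoked one still fails.

```python
# Added example, not part of the dCloud guide: a small stand-in for the ISE
# authorization policy and My Devices lifecycle that this demo walks through.
# Profile names come from the guide's live-log screenshots; the ACL names,
# redirect URL, CoA types, MAC address and username-to-role map are assumptions.
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the AD group lookup ISE performs at portal login.
USER_ROLES = {"doctor": "Tier1", "nurse": "Tier2",
              "manager": "Tier1", "employee": "Tier2"}

# Assumed names of the ACLs preconfigured on the WLC (returned to the WLC in
# Airespace-ACL-Name); the guide only says such ACLs exist.
ACL_FOR_PROFILE = {"TIER1_WIRELESS_ACCESS": "TIER1_ACL",
                   "TIER2_WIRELESS_ACCESS": "TIER2_ACL",
                   "Blackhole_Wireless_Access": "BLACKHOLE_ACL"}


@dataclass
class Endpoint:
    mac: str
    group: str = "Unknown"             # Unknown | RegisteredDevices | Blacklist | Stolen
    owner: Optional[str] = None        # user who onboarded the device
    cert_serial: Optional[int] = None  # serial of the cert issued by the internal CA


class IseSimulator:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.revoked: Set[int] = set()             # serials on the internal CA's CRL
        self.coa_log: List[Tuple[str, str]] = []   # (mac, assumed CoA type) sent to the WLC
        self._serials = count(1000)

    def _ep(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac, Endpoint(mac))

    # RADIUS authentication followed by authorization; first matching rule wins.
    def authorize(self, mac: str, ssid: str, method: str,
                  cert_serial: Optional[int] = None) -> dict:
        ep = self._ep(mac)
        if method == "EAP-TLS" and (cert_serial != ep.cert_serial
                                    or cert_serial in self.revoked):
            # Authentication fails before any authorization rule is consulted;
            # this is what a stolen device hits once its certificate is revoked.
            return {"result": "Access-Reject", "reason": "certificate unknown or revoked"}
        if ep.group == "Blacklist":
            profile = "Blackhole_Wireless_Access"
        elif method == "MAB" and ssid.startswith("dCloud-Guest") and ep.group == "Unknown":
            # MAB on the open SSID: identity unknown, so send web traffic to the portal.
            return {"result": "Access-Accept", "profile": "GUEST_REDIRECT",
                    "attrs": {"cisco-av-pair": [
                        "url-redirect-acl=REDIRECT_ACL",                            # assumed name
                        "url-redirect=https://ise.securitydemo.net:8443/portal/"]}}  # assumed URL
        elif method == "EAP-TLS" and ep.group == "RegisteredDevices":
            profile = USER_ROLES[ep.owner].upper() + "_WIRELESS_ACCESS"
        else:
            return {"result": "Access-Reject", "reason": "no matching authorization rule"}
        return {"result": "Access-Accept", "profile": profile,
                "attrs": {"Airespace-ACL-Name": ACL_FOR_PROFILE[profile]}}

    # Onboarding and My Devices portal actions.
    def onboard(self, mac: str, username: str) -> int:
        """Portal login plus certificate issuance: the device becomes Registered."""
        ep = self._ep(mac)
        ep.owner, ep.group, ep.cert_serial = username, "RegisteredDevices", next(self._serials)
        return ep.cert_serial

    def mark_lost(self, mac: str) -> None:
        self._ep(mac).group = "Blacklist"
        self.coa_log.append((mac, "Reauth"))        # WLC re-authorizes -> Blackhole profile

    def reinstate(self, mac: str) -> None:
        self._ep(mac).group = "RegisteredDevices"   # certificate untouched, no re-onboarding
        self.coa_log.append((mac, "Reauth"))

    def mark_stolen(self, mac: str) -> None:
        ep = self._ep(mac)
        self.revoked.add(ep.cert_serial)            # revocation is permanent
        ep.group = "Stolen"
        self.coa_log.append((mac, "Disconnect"))    # kicked off; every later EAP-TLS fails


def demo_walkthrough(sim: Optional[IseSimulator] = None) -> List[str]:
    """Replay the guide's scenario for one device owned by the Tier 1 user doctor."""
    sim = sim or IseSimulator()
    mac = "00:11:22:33:44:55"                       # constructed MAC address
    guest, reg = "dCloud-Guest-123456", "dCloud-Registered-123456"
    steps = [sim.authorize(mac, guest, "MAB")["profile"]]                # GUEST_REDIRECT
    serial = sim.onboard(mac, "doctor")
    steps.append(sim.authorize(mac, reg, "EAP-TLS", serial)["profile"])  # TIER1_WIRELESS_ACCESS
    sim.mark_lost(mac)
    steps.append(sim.authorize(mac, reg, "EAP-TLS", serial)["profile"])  # Blackhole_Wireless_Access
    sim.reinstate(mac)
    steps.append(sim.authorize(mac, reg, "EAP-TLS", serial)["profile"])  # TIER1_WIRELESS_ACCESS
    sim.mark_stolen(mac)
    steps.append(sim.authorize(mac, reg, "EAP-TLS", serial)["result"])   # Access-Reject
    return steps


if __name__ == "__main__":
    print(demo_walkthrough())
```

The order of the rules in authorize() is the point: the certificate check runs first, so a revoked certificate never reaches the authorization rules, while a lost device still authenticates and is caught by the Blacklist rule placed ahead of the role-based rules. That is why reinstating a lost device is a single group change plus CoA, whereas a stolen device needs a fresh certificate.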

Examining Stolen Devices in ISE UI

1. From Workstation1 open Firefox, and login to ISE at https://ise.securitydemo.net using one of the following methods:

• Manually typing the URL into the address bar.

• Click the ISE bookmark in the bookmark toolbar.

• Clicking the home button and clicking the ISE icon from the topology homepage.

2. Login to ISE using the userid/password combination of admin/C1sco12345.

3. Click Operations > RADIUS > Live Logs. On this screen, we can see the most recent authentication and authorization
attempts in ISE. You can see that the user device marked as Stolen is now failing authentication, since its certificate was
revoked by ISE.

Figure 28. ISE Denies Access for Stolen Device


4. Click Administration > System > Certificates.

5. Under Certificate Authority, click Issued Certificates. Demonstrate that the device certificate is permanently revoked.

Figure 29. ISE Permanently Revokes the Certificate of a Stolen Device
