ISE BYOD Policy Configuration

Configure Cisco ISE to authenticate BYOD devices (iOS/Android) using EAP-TLS certificates issued by HashiCorp Vault PKI.

Overview

This guide configures ISE to support BYOD (Bring Your Own Device) scenarios where mobile devices authenticate to the Domus-Secure SSID using 802.1X EAP-TLS with Vault-issued client certificates.

BYOD Authentication Flow
Mobile Device (zfold7)
  ↓ EAP-TLS (Vault cert)
Wireless Controller (WLC)
  ↓ RADIUS Access-Request
ISE ({ise-psn-ip})
  ↓ Certificate Validation
  - Check CA: DOMUS-ISSUING-CA → DOMUS-ROOT-CA
  - Check CN: *.byod.{domain}
  - Check EKU: Client Authentication
  - Match policy: BYOD_Mobile
  ↓ RADIUS Access-Accept
  - VLAN: 10 (DATA_VLAN)
  - dACL: BYOD_INTERNET_ONLY (optional)

Prerequisites

  • ISE certificate authentication profile configured (DOMUS-ISSUING-CA trusted)

  • DOMUS-ROOT-CA and DOMUS-ISSUING-CA imported to ISE Trusted Certificates

  • Wireless network "Domus-Secure" configured on WLC

  • WLC configured as RADIUS client in ISE (Network Device)

  • BYOD device with Vault-issued certificate (see BYOD Certificate Enrollment with HashiCorp Vault)

Policy Set Configuration

Verify Existing Policy Set

Check if Domus-Secure 802.1X policy set exists (handles Domus-Secure SSID):

netapi ise get-policy-sets | grep -i "domus-secure"
│ Domus-Secure 802.1X │ 9557d91c-591b-4d8d-9898-657a62f28d76 │ enabled │

netapi documentation: See PRJ-NETAPI-ANTORA for full netapi ISE commands reference.

If not present, create the policy set:

netapi ise create-policy-set "Domus-Secure 802.1X" \
  --condition "Wireless_802.11-SSID EQUALS Domus-Secure" \
  --description "Enterprise WiFi policy for Domus-Secure SSID"

Policy Set Conditions

Table 1. Domus-Secure 802.1X Policy Set Matching Conditions
│ Attribute            │ Operator │ Value        │
│ Wireless_802.11-SSID │ EQUALS   │ Domus-Secure │

This ensures the policy only applies to the Domus-Secure SSID, not wired connections or other SSIDs.

Authentication Policy

Allowed Protocols

The Domus-Secure 802.1X policy set should allow EAP-TLS for certificate-based authentication:

Allowed Protocol Service: Domus-Secure-Protocols
  • EAP-TLS: Enabled (certificate authentication)

  • PEAP-MSCHAPv2: Disabled (username/password - not for BYOD)

  • EAP-TTLS: Disabled

# Verify allowed protocols (GUI required for creation)
# netapi does not yet support allowed protocols management

Allowed Protocols configuration requires ISE GUI:

  1. Policy → Policy Elements → Results → Authentication → Allowed Protocols

  2. Create/edit "Domus-Secure-Protocols"

  3. Enable only: EAP-TLS, Allow EAP Chaining (if using EAP-TEAP)

Authentication Rules

Domus-Secure 802.1X policy set should have a default authentication rule using certificate authentication:

Table 2. Authentication Rule: BYOD_Certificate_Auth
│ Rule Name         │ BYOD_Certificate_Auth                                │
│ Conditions        │ If Wireless_802.11-SSID EQUALS Domus-Secure          │
│ Allowed Protocols │ Domus-Secure-Protocols (EAP-TLS only)                │
│ Identity Source   │ Certificate Authentication Profile: DOMUS-ISSUING-CA │
│ Action            │ CONTINUE (proceed to authorization)                  │

Authorization Policy

Create Authorization Profile

Authorization profiles define what network access to grant BYOD devices:

Authorization Profile: BYOD_Mobile_Access
# Create authorization profile for BYOD devices
netapi ise create-authz-profile BYOD_Mobile_Access \
  --vlan 10 \
  --descr "BYOD mobile devices - Internet access only"

# Optional: Add dACL for restricted access
netapi ise create-authz-profile BYOD_Mobile_Restricted \
  --vlan 10 \
  --dacl "BYOD_INTERNET_ONLY" \
  --descr "BYOD with internet-only dACL"

Table 3. BYOD Authorization Profile Attributes
│ Attribute                   │ Value                            │
│ Name                        │ BYOD_Mobile_Access               │
│ Access Type                 │ ACCESS_ACCEPT                    │
│ VLAN                        │ 10 (DATA_VLAN)                   │
│ dACL (optional)             │ BYOD_INTERNET_ONLY               │
│ AirSpace-ACL-Name (optional) │ Not set (use VLAN ACL instead)  │

Create Authorization Rules

Authorization rules match BYOD certificates and apply the authorization profile:

Authorization Rule 1: BYOD Android Devices
netapi ise add-authz-rule "Domus-Secure 802.1X" \
  "BYOD_Android" \
  "BYOD_Mobile_Access" \
  --dict "Session" \
  --attr "EapChainingResult" \
  --value "android" \
  --operator "contains" \
  --rank 1

The above command is INCOMPLETE - netapi does not yet support complex certificate attribute matching. Use ISE GUI for initial configuration, then document the equivalent netapi command once supported.

Table 4. Authorization Rule: BYOD Certificate Match (via GUI for now)
│ Condition                                   │ Operator │ Value                            │
│ Certificate: Subject Common Name            │ MATCHES  │ *.byod.inside.domusdigitalis.dev │
│ Certificate: Subject Alternative Name - DNS │ CONTAINS │ byod.inside.domusdigitalis.dev   │
│ Session: EapTunnel                          │ EQUALS   │ EAP-TLS                          │

Authorization Result
  • Authorization Profile: BYOD_Mobile_Access

  • Security Group: BYOD (optional, for TrustSec tagging)

Rule Ordering

Authorization rules are evaluated top-to-bottom (first match wins):

Table 5. Domus-Secure 802.1X Authorization Rule Order
│ Rank │ Rule Name              │ Matches                             │
│ 1    │ BYOD_Certificate_Match │ CN=*.byod.inside.domusdigitalis.dev │
│ 2    │ Default_Deny           │ Default rule (reject all others)    │

Network Device Configuration

Verify the wireless controller is configured as a RADIUS client in ISE:

# List network devices (NADs)
netapi ise get-nads | grep -i wlc

# Expected output shows WLC with RADIUS secret configured

If not present, add WLC as network device:

# Add WLC as network device
netapi ise add-nad \
  --name "WLC-Primary" \
  --ip "10.50.1.10" \
  --secret "<radius-shared-secret>" \
  --device-type "Cisco Wireless LAN Controller"

Downloadable ACL (Optional)

For granular control, create a dACL to restrict BYOD devices to internet-only access (no internal resources):

dACL: BYOD_INTERNET_ONLY
# Create dACL for BYOD internet-only access
# RADIUS runs over UDP, and 'eq <port>' is only valid on tcp/udp entries,
# so the two ISE lines use udp rather than ip
netapi ise create-dacl BYOD_INTERNET_ONLY << 'EOF'
permit udp any host 10.50.1.1 eq 53
permit tcp any host 10.50.1.1 eq 53
permit udp any host 10.50.1.21 eq 1812
permit udp any host 10.50.1.21 eq 1813
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
EOF
dACL Logic
  1. Permit DNS to internal DNS server (10.50.1.1)

  2. Permit RADIUS to ISE (10.50.1.21) for re-authentication

  3. Deny RFC1918 - block all internal networks (10/8, 172.16/12, 192.168/16)

  4. Permit internet - allow all other traffic (internet destinations)
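The following is an added example (not part of this guide or the netapi tool) that simulates how a NAD applies the BYOD_INTERNET_ONLY dACL: each entry is parsed into protocol, destination and optional port, then constructed sample flows from a VLAN 10 client are evaluated top-to-bottom with first match winning and an implicit deny at the end. The RADIUS lines are written with udp (the protocol RADIUS runs over) and the sample flows and the helper names are assumptions made for the example.

```python
"""Simulate first-match evaluation of the BYOD_INTERNET_ONLY dACL.

Added example, not code from the guide or netapi: a small Cisco-style ACE
parser that evaluates sample client flows the way a NAD applies a
downloadable ACL, so ordering mistakes show up before deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# dACL body as configured in the guide (RADIUS lines use udp, since 'eq' is
# only valid on tcp/udp entries and RADIUS runs over UDP).
BYOD_INTERNET_ONLY = """
permit udp any host 10.50.1.1 eq 53
permit tcp any host 10.50.1.1 eq 53
permit udp any host 10.50.1.21 eq 1812
permit udp any host 10.50.1.21 eq 1813
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", "icmp"
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None when the entry has no 'eq' clause


def _parse_dst(tokens):
    """Consume a destination spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard mask is the inverted netmask: 0.255.255.255 -> /8
    addr, wildcard = tokens[0], tokens[1]
    mask = ipaddress.ip_address(
        int(ipaddress.ip_address("255.255.255.255")) ^ int(ipaddress.ip_address(wildcard))
    )
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_dacl(text: str) -> list:
    """Parse 'permit|deny <proto> any <dst> [eq <port>]' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto = tokens[0], tokens[1]
        # Source spec: only 'any' is used in this dACL
        assert tokens[2] == "any", f"unsupported source spec in: {line}"
        dst, rest = _parse_dst(tokens[3:])
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, dst, dport))
    return aces


def evaluate(aces, proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one flow. The first matching entry wins;
    an ACL with no match ends in an implicit deny, as on Cisco NADs."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def byod_flow_decisions() -> dict:
    """Constructed sample flows from a BYOD client on VLAN 10."""
    aces = parse_dacl(BYOD_INTERNET_ONLY)
    return {
        "dns_to_internal_resolver": evaluate(aces, "udp", "10.50.1.1", 53),
        "ping_internal_resolver": evaluate(aces, "icmp", "10.50.1.1"),
        "https_to_internet": evaluate(aces, "tcp", "8.8.8.8", 443),
        "smb_to_internal_host": evaluate(aces, "tcp", "10.50.20.5", 445),
        "https_to_rfc1918_172": evaluate(aces, "tcp", "172.16.5.9", 443),
    }


if __name__ == "__main__":
    for flow, verdict in byod_flow_decisions().items():
        print(f"{flow:28s} {verdict}")
```

Running it shows the behaviour the troubleshooting section relies on: DNS to 10.50.1.1 is permitted, but a ping to the same host falls through to the 10/8 deny, which is why `ping 10.50.1.1` is expected to fail with this dACL applied. The sample flows do not include DHCP; a unicast DHCP renewal to a server inside 10/8 would also hit that deny line as the ACL is written, so check that case if clients lose their lease.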

Testing BYOD Authentication

Pre-Flight Checklist

Before connecting device to Domus-Secure:

  • Device has Vault-issued certificate imported

  • Certificate is trusted (CA chain verified)

  • Domus-Secure SSID is visible

  • ISE policy set "Domus-Secure 802.1X" is enabled

  • Authorization profile "BYOD_Mobile_Access" exists

  • WLC is configured as RADIUS client in ISE

Connect Device to Domus-Secure

Android Connection Steps

  1. Settings → Network & Internet → Wi-Fi

  2. Tap "Domus-Secure" SSID

  3. Configure EAP method:

    • EAP method: TLS

    • Phase 2 authentication: None

    • CA certificate: Use system certificates (or select DOMUS-ROOT-CA)

    • User certificate: Select "Domus BYOD - Z Fold 7"

    • Identity: zfold7-evanusmodestus.byod.inside.domusdigitalis.dev

    • Anonymous identity: Leave blank

  4. Tap "Connect"

iOS Connection Steps

  1. Settings → Wi-Fi

  2. Tap "Domus-Secure" SSID

  3. Configure:

    • Username: iphone16-evanusmodestus.byod.inside.domusdigitalis.dev

    • Password: Leave blank (cert auth)

    • Mode: Automatic

    • Identity: Select imported certificate

  4. Tap "Join"

  5. Accept certificate trust prompt

Verify Connection

Device-Side Verification

Android:

# Via ADB
adb shell ip addr show wlan0
# Expected: IP in VLAN 10 range (10.50.10.x/24)

# Check DNS
adb shell getprop net.dns1
# Expected: 10.50.1.1

iOS:

Settings → Wi-Fi → Domus-Secure → (i) icon

  • Should show IP: 10.50.10.x

  • Subnet: 255.255.255.0

  • Router: 10.50.10.1

  • DNS: 10.50.1.1

ISE-Side Verification

Monitor ISE RADIUS live logs during authentication:

# Get ISE session for device MAC address
netapi ise mnt session <device-mac-address>

# Example for Z Fold 7
netapi ise mnt session a4:50:46:12:34:56

# Check authentication details
netapi ise mnt session <device-mac-address> --details
Expected ISE Session Output
Session ID: 0a3201150000xxxx
User Name: zfold7-evanusmodestus.byod.inside.domusdigitalis.dev
MAC Address: a4:50:46:12:34:56
IP Address: 10.50.10.105
VLAN: 10
Authorization Profile: BYOD_Mobile_Access
Authentication Method: EAP-TLS
Certificate CN: zfold7-evanusmodestus.byod.inside.domusdigitalis.dev
Policy Set: Domus-Secure 802.1X

Network-Side Verification

Verify VLAN assignment on wireless controller:

# Check client status on WLC (if accessible via netapi)
netapi wlc show-client <device-mac>

# Check DHCP lease
netapi pfsense dhcp leases | grep -i <device-mac>

Troubleshooting

Authentication Fails: "Certificate Not Trusted"

Symptoms:

  • Device shows "Could not connect"

  • ISE logs show: "Certificate validation failed"

Cause: Device does not trust DOMUS-ROOT-CA

Fix:

  • Android: Settings → Security → Trusted credentials → User tab → Verify DOMUS-ROOT-CA is present

  • iOS: Settings → General → About → Certificate Trust Settings → Enable full trust for DOMUS-ROOT-CA

Authentication Fails: "No Authorization Rule Matched"

Symptoms:

  • ISE live logs show: "11001 No matching authorization rule"

Cause: Authorization rule conditions don't match the certificate attributes

Debug:

# Check certificate attributes in ISE session
netapi ise mnt session <device-mac> --attributes

# Verify certificate CN matches rule condition
# Expected: CN=*.byod.inside.domusdigitalis.dev

Fix:

  • Verify authorization rule condition matches certificate CN pattern

  • Check that EapTunnel attribute is "EAP-TLS"

Device Connects But No Network Access

Symptoms:

  • Device shows "Connected" but cannot reach internet

  • IP address is correct (10.50.10.x)

Cause: dACL blocking traffic or firewall rules

Debug:

# Check applied dACL on switch/WLC
netapi ios exec "show wireless client mac-address <device-mac> detail" | grep -i acl

# Test connectivity from device
ping 8.8.8.8
ping 10.50.1.1  # Should be blocked if using BYOD_INTERNET_ONLY dACL

Fix:

  • If using dACL, verify ACL permits DNS, DHCP, and internet traffic

  • Check dACL ordering (permits before denies)

  • See Hardened dACL Configuration for ACL ordering rules

Device Gets Wrong VLAN

Symptoms:

  • Device receives IP in different VLAN (e.g., 10.50.40.x instead of 10.50.10.x)

Cause: Wrong authorization profile applied

Debug:

# Check which authorization profile was applied
netapi ise mnt session <device-mac> | grep "Authorization Profile"

# Verify authorization rule matching
netapi ise get-authz-rules "Domus-Secure 802.1X" --format json

Fix:

  • Verify authorization rule conditions match the device certificate

  • Check rule ordering (BYOD rule should be before default deny)

Certificate Expired

Symptoms:

  • Device previously worked, now fails to connect

  • ISE logs show: "Certificate expired"

Cause: BYOD certificates have 90-day TTL and expired

Fix:

  1. Issue new certificate from Vault (see BYOD Certificate Enrollment with HashiCorp Vault)

  2. Export to PKCS#12

  3. Import to device (will overwrite old certificate)

  4. Reconnect to Domus-Secure

Future Enhancement: Set up certificate expiration alerts at 80 days to proactively renew before expiration.

Monitoring and Reporting

Active BYOD Sessions

# List all active BYOD sessions
netapi ise mnt sessions --filter "AuthorizationProfile=BYOD_Mobile_Access"

# Count BYOD devices by platform
netapi ise mnt sessions --filter "AuthorizationProfile=BYOD_Mobile_Access" \
  --group-by "Device Type"

BYOD Authentication Failures

# Get failed authentications in last 24 hours
netapi ise mnt failures --hours 24 --filter "PolicySet=Domus-Secure 802.1X"

# Common failure reasons:
# - 11001: No matching authorization rule
# - 12301: Certificate validation failed
# - 12302: Certificate expired
# - 22037: Certificate chain incomplete

Security Considerations

Certificate Validation

ISE validates BYOD certificates using:

  1. CA Trust: Certificate signed by DOMUS-ISSUING-CA (chains to DOMUS-ROOT-CA)

  2. Validity Period: Current time within NotBefore and NotAfter

  3. Revocation Status: CRL/OCSP check (not yet configured)

  4. Extended Key Usage: Must include "Client Authentication" (1.3.6.1.5.5.7.3.2)
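The following is an added example (not ISE's or netapi's code) that models the two decisions this guide configures, as a way to reason about them before touching the policy set: the certificate checks listed above (CA trust, validity window, Client Authentication EKU; revocation is deliberately skipped because CRL/OCSP is not configured yet), followed by the Domus-Secure 802.1X authorization rules from Table 4 and Table 5 evaluated top-to-bottom with first match winning. Certificates are plain dicts carrying only the fields ISE reads; the failure codes are the ones listed in the monitoring section, the "renew soon" threshold of 10 days is an assumption derived from the 90-day TTL and the 80-day alert, and the sample certificates are constructed for the example.

```python
"""Model of the ISE decisions this guide configures for a BYOD EAP-TLS client.

Added example, not ISE's or netapi's code: applies the guide's certificate
checks, then walks the authorization rules in rank order (first match wins).
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
TRUSTED_ISSUERS = {"DOMUS-ISSUING-CA"}   # ISE certificate authentication profile
BYOD_CN_PATTERN = "*.byod.inside.domusdigitalis.dev"
# Assumption: "alert at 80 days" on a 90-day TTL means warn with 10 days left.
RENEWAL_WARNING_DAYS = 10

# Authorization rules in rank order; a rule's conditions are ANDed (Table 4).
AUTHZ_RULES = [
    {"name": "BYOD_Certificate_Match",
     "cn_matches": BYOD_CN_PATTERN,
     "san_contains": "byod.inside.domusdigitalis.dev",
     "eap_tunnel": "EAP-TLS",
     "profile": "BYOD_Mobile_Access"},
]
DEFAULT_DENY = {"name": "Default_Deny", "profile": None}


def validate_certificate(cert: dict, now: datetime) -> tuple:
    """Return (ok, failure_code, detail). No revocation check: CRL/OCSP is not configured."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return False, 12301, "certificate validation failed: untrusted issuer"
    if now < cert["not_before"]:
        return False, 12301, "certificate validation failed: not yet valid"
    if now > cert["not_after"]:
        return False, 12302, "certificate expired"
    if CLIENT_AUTH_EKU not in cert["eku"]:
        return False, 12301, "certificate validation failed: missing Client Authentication EKU"
    return True, 0, "valid"


def days_until_expiry(cert: dict, now: datetime) -> int:
    return (cert["not_after"] - now).days


def _rule_matches(rule: dict, cert: dict, session: dict) -> bool:
    # MATCHES on the CN is treated as a glob, CONTAINS on SAN as substring.
    return (fnmatchcase(cert["cn"], rule["cn_matches"])
            and any(rule["san_contains"] in san for san in cert["san_dns"])
            and session["eap_tunnel"] == rule["eap_tunnel"])


def authorize(cert: dict, session: dict, now: datetime) -> dict:
    """Full decision: authentication checks first, then first-match authorization."""
    ok, code, detail = validate_certificate(cert, now)
    if not ok:
        return {"result": "ACCESS_REJECT", "code": code, "reason": detail}
    for rank, rule in enumerate(AUTHZ_RULES, start=1):
        if _rule_matches(rule, cert, session):
            return {"result": "ACCESS_ACCEPT", "rule": rule["name"], "rank": rank,
                    "profile": rule["profile"], "vlan": 10,
                    "renew_soon": days_until_expiry(cert, now) <= RENEWAL_WARNING_DAYS}
    return {"result": "ACCESS_REJECT", "rule": DEFAULT_DENY["name"],
            "code": 11001, "reason": "no matching authorization rule"}


def sample_cert(cn: str, issued_days_ago: int = 5, issuer: str = "DOMUS-ISSUING-CA",
                eku=(CLIENT_AUTH_EKU,), now=None) -> dict:
    """Constructed certificate record using the guide's 90-day TTL."""
    now = now or datetime.now(timezone.utc)
    not_before = now - timedelta(days=issued_days_ago)
    return {"cn": cn, "san_dns": [cn], "issuer": issuer, "eku": list(eku),
            "not_before": not_before, "not_after": not_before + timedelta(days=90)}


def demo_decisions() -> dict:
    """Constructed scenarios evaluated at a fixed instant so results are reproducible."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    tls = {"eap_tunnel": "EAP-TLS"}
    cn = "zfold7-evanusmodestus.byod.inside.domusdigitalis.dev"
    return {
        "good": authorize(sample_cert(cn, now=now), tls, now),
        "expiring": authorize(sample_cert(cn, issued_days_ago=85, now=now), tls, now),
        "expired": authorize(sample_cert(cn, issued_days_ago=95, now=now), tls, now),
        "wrong_cn": authorize(sample_cert("laptop.inside.domusdigitalis.dev", now=now), tls, now),
        "no_eku": authorize(sample_cert(cn, eku=(), now=now), tls, now),
        "untrusted_issuer": authorize(sample_cert(cn, issuer="SOME-OTHER-CA", now=now), tls, now),
    }


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name:17s} {decision}")
```

The "wrong_cn" case is the one the "No Authorization Rule Matched" troubleshooting entry describes: the certificate is perfectly valid, so authentication succeeds, but nothing matches before Default_Deny and the session ends with 11001. The "expiring" case shows where an 80-day renewal alert would fire without waiting for the 12302 failure.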

CRL/OCSP Not Configured

Revoked certificates will still authenticate until Vault CRL endpoint is configured in ISE.

Future enhancement: Configure ISE to check Vault CRL at vault.inside.domusdigitalis.dev:8200/v1/pki_int/crl

Network Segmentation

BYOD devices should be isolated from critical internal resources:

  • VLAN 10 (DATA_VLAN): General-purpose network with internet access

  • dACL: Block access to management VLANs (VLAN 1, 50, 60)

  • Firewall Rules: pfSense rules to restrict BYOD VLAN to internet-only

See Network Topology for network segmentation design.

TrustSec Integration (Future)

Cisco TrustSec can tag BYOD devices with Security Group Tag (SGT):

  • SGT 10: BYOD_Devices

  • SGT Policy: Allow internet, deny internal resources

  • Propagation: SGT propagated via SXP or inline tagging

TrustSec configuration is beyond the scope of this document. See Cisco ISE TrustSec documentation.

Next Steps

  • Test with actual Android device (Samsung Z Fold 7)

  • Test with iOS device (iPhone)

  • Document device-specific quirks

  • Configure certificate expiration alerts

  • Plan automated BYOD portal with Vault API integration