topic Re: Same certificate for all devices vs PSK or IPSK ? in Network Access Control

Same certificate for all devices vs PSK or IPSK ?

piotrPaszk — Mon, 17 Jun 2019 11:53:00 GMT

Hello,

I have a customer who uses Lightspeed as an MDM for ipads with PSK. The lighspeed can not be intergrated with ISE and does not have option to generate certificates. The customer wants to use certificates instead for PSK as it is consider more secure.

So the question is: What would be the best and most secure option to autheticate the devices in this case ? I have to generate indentity certificate n ISE, upload it to MDM and push it to alle devices then I was thinking to maybe utilize rules on ISE for authorization with EAP-TLS and in addition to that get them registered via byod portal ( link bellow) and then use an extra check " device registered yes".

https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

I can download all mac addresses from MDM and use it as extra protection in rules.

What security experts would recomend ?

Re: Same certificate for all devices vs PSK or IPSK ?

Jason Kunst — Mon, 17 Jun 2019 12:17:06 GMT

A couple holes here, provided I have all the information? You didn’t say the type of devices and why you’re talking only about PSK?

If the MDM doesn’t integrate with or distribute certificates then it has no relevance to be able to integrate or provide any useful authentication

A list of Mac addresses is not secure

If these are windows android Apple devices then the recommendation is to use BYOD flow with certificates. This is EAP-TLS

Otherwise there is no solution for PSK and certificate based authentication with Ise as PSK doesn’t really setup any secure authentication with AAA besides MAB And a key exchange for the controller to use

Did you see this article?

https://community.cisco.com/t5/security-documents/cisco-ise-amp-wlc-wpa2-psk-wlan-per-device-passphrase-ipsk/ta-p/3644425

Re: Same certificate for all devices vs PSK or IPSK ?

piotrPaszk — Mon, 17 Jun 2019 13:15:54 GMT

Thanks Jason for the answer 🙂

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads.

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

If thats a case so the only option I see is to use IPSK until they get a proper MDM ?

Re: Same certificate for all devices vs PSK or IPSK ?

Jason Kunst — Mon, 17 Jun 2019 14:18:43 GMT

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads.

JAK > BYOD flow is for each user to do their own onboard, please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

JAK> your MDM has no way to manage certificates for EAP-TLS or integrate with ISE , therefore is has no relevance to this flow or discussion

If thats a case so the only option I see is to use IPSK until they get a proper MDM ?

JAK> IPSK might be an option depending on what you want to do. It is more secure than MAB but per the guide i shared you there is some setup and management of the devices and wont be secure like EAP-TLS. the user will need to copy paste the key you send to them. you can integrate BYOD without native supplicant and certificate provisioning like you stated

Re: Same certificate for all devices vs PSK or IPSK ?

piotrPaszk — Tue, 18 Jun 2019 11:59:26 GMT

Thank for all the tips 🙂 You open my eyes for many aspects

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads.

JAK > BYOD flow is for each user to do their own onboard, please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

## Those devices were provisioned for MDM by dedicated teachers as It maybe difficult for 7 years old kid to do it.

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

JAK> your MDM has no way to manage certificates for EAP-TLS or integrate with ISE , therefore is has no relevance to this flow or discussion

##True 🙂

If thats a case so the only option I see is to use IPSK until they get a proper MDM ?

JAK> IPSK might be an option depending on what you want to do. It is more secure than MAB but per the guide i shared you there is some setup and management of the devices and wont be secure like EAP-TLS. the user will need to copy paste the key you send to them. you can integrate BYOD without native supplicant and certificate provisioning like you stated

##This would not be most optimal solution in this case.

What do think about just simply using PEAP with profiling or identity groups ?

Re: Same certificate for all devices vs PSK or IPSK ?

Jason Kunst — Tue, 18 Jun 2019 13:09:06 GMT

Sounds like PEAP will have to do then.
Teachers will need to enter the credentials. Maybe special credentials just for iPad access?

You can manually put them into special endpoint groups for access controls or dynamically do this with profiling and device sensor if you know only iPads used by this group of people

Re: Same certificate for all devices vs PSK or IPSK ?

piotrPaszk — Thu, 20 Jun 2019 08:01:57 GMT

Thats the way to go I suppose. Thanks a lot for help my friend 🙂