topic Re: BYOD Build in Network Access Control

BYOD Build

craiglebutt — Fri, 07 Dec 2018 08:39:16 GMT

Our customer wants BYOD. We've setup 2 wlans, 1 for on boarding and 1 for BYOD Connectivity., this will give them full access to the internet with the same safeguards using the corporate web filtering.

The user has to be in a AD Secure Group to get access, using the BYOD portal page they log on and redirect takes them to the MDM solution. This detects if Android or Apple, if Android tells you to go off to Play and download Mobiliron Client.

If Apple automatically pushes out BYOD labels to it.

Then when all the labels downloaded to the client, the end user has to force a connection to the BYOD Portal.

The customer doesn't want that, they want a 1 WLAN and simple to use solution, no manual setup of wlan on the device. Issue is we don't want to have unlimited access to the internet to do this.

Have ISE 2.2 patch 9 and WLC currently on 8.0.152

How are other people doing this?

Cheers in advance

Re: BYOD Build

Surendra — Fri, 07 Dec 2018 15:40:17 GMT

Regarding "no manual setup of wlan on the device" Without manual setup of WLAN on client, how would the client know which SSID to connect to ? ISE will have to provision the certificates for the endpoints in your scenario and letting the device know which SSID to connect is something that cannot be avoided.

I did not understand the second part where you said you did not want to have unlimited access to the internet . If i understand correct, you are talking about the access after the BYOD authentication (based on your statement "We've setup 2 wlans, 1 for on boarding and 1 for BYOD Connectivity., this will give them full access to the internet with the same safeguards using the corporate web filtering.") which you can limit using Airspace ACLs.

Re: BYOD Build

Jason Kunst — Fri, 07 Dec 2018 15:41:29 GMT

You need to use DNS based ACLS to open up the appropriate sites to download the needed apps.

You can have them connect to open SSID and then onboarded to EAP TLS secure SSID (DUAL SSID) or do single SSID PEAP>TLS

Please refer to the BYOD guide for more information.
https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

Re: BYOD Build

craiglebutt — Mon, 10 Dec 2018 10:16:06 GMT

Cheers for replays.

We are using Mobileiron for the MDM, this managing the client side, the ISE is passing the authentication.

We are using the BYOD Portal for on-boarding using MAB, so no manual configuration to the Androids for network settings, the use just clicks on the SSID.

This point to our internal Mobileiron server which for apple uses the Over the Air install and for Android have to download the Mobileiron client same as have to for the NSA.

The Polices then are pushed out from Mobileiron to the client. But then requires a manual selection of the 2nd SSID which is using EAP-TLS

All DNS are done via our Firewalls, the google side no issue, but for Apple, this is a forever moving target to lock down to only access their Content Delivery.

The customer wants a simple solution, with out the users to have to manually configure the Wireless Client on their device.

Cheers

Re: BYOD Build

Jason Kunst — Mon, 10 Dec 2018 13:41:52 GMT

Ok it’s still not clear what the optimal flow is that the customer would like

If they want to do mdm but don’t want to deal with firewall rules etc then have them onboard via MDM on an open network before coming to the ise network

Or you can do a single ssid network where they enter credentials. Once connected you instruct them to onboard via enroll.cisco.com which requires them to go through byod and/or mdm. This redirection can also occur when they try to get to any internal resources. They must onboard to get further access. Now they don’t have to deal with any acl issues just allow them full internet

This is all in the byod guide I believe