topic Re: mschap v2 in Network Access Control

mschap v2

bluesea2010 — Fri, 15 Jul 2022 10:24:36 GMT

Hi,

I have the following coprporate clients , windows and ios ,I want to avoid mschap v2 , what is the alternative

and byod clients are windows ios and android

Thanks

Re: mschap v2

Rob Ingram — Fri, 15 Jul 2022 10:33:19 GMT

@bluesea2010 for corporate devices use certificates (EAP-TLS) issued by an internal Cetificate Authority via Group Policies.

For BYOD devices usually you'd use the ISE internal CA.

Re: mschap v2

bluesea2010 — Fri, 15 Jul 2022 10:47:59 GMT

Hi,

So the alternative of mschapv2 is only eap-tls

If I use ise internal ca for byod , how I can i deploy these certificate in BYOD devices

Thanks

Re: mschap v2

Rob Ingram — Fri, 15 Jul 2022 11:12:11 GMT

@bluesea2010 you can use the BYOD portal to enroll for certificates on the BYOD devices. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-694972267

Re: mschap v2

bluesea2010 — Fri, 15 Jul 2022 15:19:23 GMT

Hi @Rob Ingram

I have only base license , does it require profiling

Thanks

Re: mschap v2

Rob Ingram — Fri, 15 Jul 2022 16:00:20 GMT

Hi @bluesea2010 you would need Plus licensing if you use BYOD.
Profiling is not a requirement for BYOD or using certificates for 802.1x authentication if that was your question.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/m_ise_man_license.html

Re: mschap v2

bluesea2010 — Fri, 15 Jul 2022 16:30:21 GMT

Hi,

I could see that BYOD need plus licensing , but in my case I have only base license .

In that case what will I miss in terms of BYOD . (Currently non corporate devices are connecting to the corporate wifi , Can I call this as byod ? )

Thanks

Re: mschap v2

ahollifield — Fri, 15 Jul 2022 16:48:48 GMT

Yes, this is precisely the use-case for BYOD.

Re: mschap v2

bluesea2010 — Fri, 15 Jul 2022 17:13:14 GMT

Hi ,

My question why byod need plus licensing , I have only base license but still I am allowing non corporate device. I mean still users can connect their personal devices using dot1x (peap mschapv2)

Thanks

Re: mschap v2

ahollifield — Fri, 15 Jul 2022 17:47:45 GMT

If you want to use BYOD, ISE requires Plus/Advantage licensing per endpoint.

Re: mschap v2

bluesea2010 — Sat, 16 Jul 2022 04:36:32 GMT

Hi @ahollifield

Sorry I could not make clear my question , sorry for my english . , I don't have plus licenses but still users can connect to the wifi using dot1x peap mschapv2 . Since users can connect their personal devices using base license , why do we need plus license

Thanks

Re: mschap v2

Rob Ingram — Sat, 16 Jul 2022 15:59:08 GMT

@bluesea2010 yes the users could just enter their username/password (mschapv2) but that's considered insecure.

For a BYOD environment you can onboard the end users personal endpoints via the ISE BYOD portal and provision a CA signed endpoint certificate as well as configure the network interface and OS native supplicant to utilise this certificate for network access. This functionality requires an ISE Plus license.