topic Re: cert for machine+ guest access in Wireless

cert for machine+ guest access

satya mothukuri — Thu, 10 Mar 2022 07:15:49 GMT

Hello,

i am working on a solution to provide internet(only) to our Scanners Android based.

we have WLC 5520 and ISE for integration. My solution was to configure L2 auth with PSK, since its only internet as we are separating form our internal network (similar to guest WLAN solution)

But we are also working to find if there is any cert based auth on scanners. i dont want to connect these scanners to AD and access internal network.

Please help me with the traffic flow if there is any solution.

Regards,

Satya.Mothukuri

Re: cert for machine+ guest access

pieterh — Mon, 03 Dec 2018 07:58:00 GMT

is it an option to install a non-windows-based PKI?

Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT

be aware using certificates may have some impact on battery time.

depending on the implementation on the device type it may need more CPU processing and use more power from the battery

Re: cert for machine+ guest access

Ambuj M — Tue, 04 Dec 2018 01:00:19 GMT

you will have to first check if the scanners support certificate based authentication ?

Even if you did user/password (AD) based authentication, the scanners will never talk to AD directly, they will only talk to controller, controller will talk to ISE and ISE will talk to AD for identity verification.

you can choose to create a new AD group for scanners only and create a internet only authorization

Re: cert for machine+ guest access

satya mothukuri — Tue, 04 Dec 2018 01:30:52 GMT

Thanks for replying.
If the scanners support,Should I need to install the certificate in ISE???
Also any document on this will be much helpful.

Re: cert for machine+ guest access

Ambuj M — Tue, 04 Dec 2018 02:00:55 GMT

Yes you can, there are many guides for EAP-TLS deployment with ISE, here is a new one to get started.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

I would recommend building this in a test lab and do all testings.

Re: cert for machine+ guest access

Scott Fella — Tue, 04 Dec 2018 02:03:52 GMT

If the devices are internet only, why even bother using certs? Like the other poster mentioned, first you need to verify that the device can have certificates installed and that EQP-TLS is supported. If its Android, it should, but as long as its not locked down. How would you prevent exporting of the cert on the device to another device? Again, you might be complicating things since this is only internet access.