topic Connection for corporate ssid for non domain devices in Wireless

Connection for corporate ssid for non domain devices

jain.manish94 — Tue, 22 Mar 2022 12:39:55 GMT

how we can add an exception to ISE when a tablet(not domain joined) could access corporate WIFI? Using eap peap.

This is very urgent for me if anyone can send me setup

Re: Connection for corporate ssid for non domain devices

balaji.bandi — Tue, 22 Mar 2022 14:30:28 GMT

how is your authentication, in this case you need to do MAB Authentication.

Re: Connection for corporate ssid for non domain devices

jain.manish94 — Tue, 22 Mar 2022 14:33:38 GMT

Plz tell me anyone which i can implement easily

Re: Connection for corporate ssid for non domain devices

jain.manish94 — Tue, 22 Mar 2022 14:48:34 GMT

We want to use Samsung tablet, iPhone, TV with that corporate SSID plz suggest any good configuration. I heard about BYOD but don know the concept.

Can we this this BYOD for all non domain devices ?

Re: Connection for corporate ssid for non domain devices

balaji.bandi — Tue, 22 Mar 2022 15:11:43 GMT

not sure what WLC and what Radius you using : here is latest Cat9800 controller config :

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

If you looking webauth :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Re: Connection for corporate ssid for non domain devices

jain.manish94 — Tue, 22 Mar 2022 15:14:21 GMT

If I talk about wlc using legacy devices 4400 wlc with 7.2 or 7.0 version.

Radius i am using Cisco ise with 3.0 version.

Now plz let me know what options are available to complete the setup

Re: Connection for corporate ssid for non domain devices

balaji.bandi — Tue, 22 Mar 2022 15:57:56 GMT

7.2 is too old for me, but the above mentioned URL still valid for you to deploy and test it.

(if you are not sure, then we suggest to hire a consultant who can integrate for you)

Re: Connection for corporate ssid for non domain devices

jain.manish94 — Wed, 23 Mar 2022 09:41:37 GMT

My corporate laptop is using one corporate SSID. Using eap peap

Can I make any policy over Cisco ise to allow some non domain device mac address who want to connect our this corporate SSID?

Any other option plz let me know.

Corp SSID for domain joined devices and for non domain devices both

jain.manish94 — Thu, 24 Mar 2022 14:18:02 GMT

Hello Team,

I am using single said corporate SSID for corporate device which has been joining domain and using eap peap. With same SSID i want to connect some samsung tablet which are not domain joined devices.here i am thinking below steps could you plz help me if i am thinking correct or not.

_---------------------------

if you have a domain joined laptop with AD user.

Laptop tries to join corp SSID.

WLC send the request to ISE to check

ISE checks that the laptop is domain joined perfect

then ISE checks if the AD user is valid

then ISE authenticate the user and he has access to the internal network + internet

correct?

-------------------------

now you have a tablet which is not domain joined but has AD user

tablet tries to join corp SSID

WLC send the request to ISE to check

ISE checks that the laptop is not domain joined and not allow the access to internal network + internet

correct?

-----------------------------------------------------

and now, you add OR Condition to ISE where it checks if the device is domain join

condition will be:

Is device domain joined or is device mac address from the list?

Yes - allow, no- deny

ow you have a tablet which is not domain joined but has AD user

tablet tries to join corp SSID

WLC send the request to ISE to check

ISE checks that the tab is not domain joined, but the MAC address is on the list -> allow

then ISE checks if the AD user is valid

then ISE authenticate the user and he has access to the internal network + internet.

-----------------------------

-----------------------------------------------------------------
over the wlc i have configured [WPA2][Auth(802.1X)] for the corp ssid.

----------------------

if my understanding is correct

because here i am using same corp ssid for both devices which are domain joined and some are not domain joined but making some policy over the cisco ISE for mac addressess

Re: Corp SSID for domain joined devices and for non domain devices bot

Haydn Andrews — Thu, 24 Mar 2022 23:53:22 GMT

unless you are using AnyConnect or EAP-TEAP your not going to be able to check both machine and user credentials. As you need eap chaining to do two different authentications.

Would suggest:

EAP-TLS (User certificates deployed via Group Policy to laptops) - these get corp access

EAP-PEAP (users with the BYOD user group) get access to BYOD

You could potentially look at other RADIUS attributes that a corporate device provides and see if one of them is able to be used in the policy, but i havent seen that work well before