BYOD without certificate

Hi All

Is it possible to have a guest portal which allows BYOD, but pushes a PSK and network settings instead of a certificate to the mobile device? We have a mix of mobile devices, therefore we are a bit off using PKI, and all I want is to associate a mobile device to an AD user account. Perhaps there's another solution?

/Michael


4 Replies

Surendra
Cisco Employee

Unfortunately, ISE does not support any other type of security other than WPA/WPA2 TLS and PEAP as of now.

Arne Bier
VIP

Sounds like something an MDM would be good for. If the idea is to use the simplest on-boarding method (i.e. open SSID which redirects to an Authentication Portal) then I would still wonder how this would work. You need some mechanism on the client to allow it to install things like wireless profiles. An agent of some sort. Apple has the OTA (Over The Air) tech built in for BYOD enrolment. Android needs an app from the Play store. And Microsoft needs to download and run an app.

Maybe these guys have a solution for you? https://www.securew2.com/

Sounds like there's no easy way around this issue.

My impression is that Android BYOD works more smoothly than Apple BYOD. What is your experience with Apple and BYOD? I know there's been some issue around this part of ISE.

It's the other way around. Apple devices are easier to onboard as they use a built-in OTA (over the air) protocol to receive certificates and profiles. This is the most seamless way. It does however require that you have well-known certificates in your ISE deployment. Otherwise Apple doesn't trust the onboarding process and there are extra steps that ruin the seamless flow.

Like Arne said, ISE doesn't push out PSK configurations. It only does PEAP or EAP-TLS.

If you're wanting to simply associate a device to an AD account, you could try doing PSK and redirect to the NSP flow to simply register the MAC address so they can manage it using the My Devices portal.

https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

Please do consider using certificate-based authentication as this is more secure and gives more control if a device is lost or stolen.

If you're only providing internet access to these devices and don't care much about security, have you considered just using guest CWA with AD credentials on an open SSID? You could associate the MAC address with the AD portal user in this flow as well, but there is no way to manage how many devices a user can have like the BYOD My Devices portal, since they are doing simple guest device registration.

Thanks