Doubt about 802.1x Implementation?

Hello, I'm about to implement a whole infrastructure using just 802.1x. Since it's a company that uses mostly wireless endpoints (tablets, cellphones, Windows and Mac), it's a little confusing to know how to start.

I have begun using MAB only, to populate the internal database, and I want to enforce the use of 802.1x through the WLC.

I have connected AD with ISE to retrieve the groups, so I did some internal tests with the WLC and ISE authenticating using AD credentials, and on an iPhone 6s it worked as desired. Using an iPhone 6 it didn't work, using some other credentials of a user belonging to the same identity source group. Using an Android it also worked, so I need to make sure that it works no matter what.

What do you guys recommend? The company doesn't want to use EAP-TLS since they don't want to enroll the certificate on each endpoint, and they want it to be as transparent as it can be. (I was thinking of implementing CWA, but since this includes certificate enrolling, this is not an option anymore.)

Also, the problem is that the operating systems are very different from each other.

So what do you think?

Accepted Solution

Arne Bier
VIP

What exactly was the problem when you used the iPhone 6? Do you have ISE logs? Is the iOS version different? EAP-PEAP is pretty universal these days.

Regarding the client supplicants trusting the ISE server: does your ISE server use a public cert for the EAP role, or do you use a self-signed (or corporate PKI) cert? Using a non-public cert is usually the case and will throw a security warning on most devices that one should be able to override (unless the phone is configured to act otherwise).

I have also seen cases where the customer created an ISE cert for the EAP role that wasn't RSA 2048 - they tried to get all fancy and used the RSASSA-PSS algorithm. It caused older Apple devices to not connect (Certificates with the RSASSA-PSS Signing Algorithm | Official Apple Support Communities) - the workaround there was to upgrade their OSes. But in general, I would try to stay away from those things and keep it generic (RSA 2048, SHA256).

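As an added example, not code from the thread or from Cisco: a small POSIX shell script that vets a certificate intended for the ISE EAP role against the conservative profile the reply recommends (an RSA key of at least 2048 bits, signed with sha256WithRSAEncryption), so that an rsassaPss signature or a non-RSA key is caught before a supplicant refuses it. It assumes the openssl CLI is installed; the certificate paths and the test subject name ise.example.test are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): vet an EAP server certificate
# against a conservative profile: RSA key of at least 2048 bits, signed with
# sha256WithRSAEncryption. Assumes the openssl CLI; paths are placeholders.

# Decode the certificate once; callers pull fields out of the text output.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Return 0 if the certificate at $1 fits the profile, 1 otherwise.
# Every violation is printed so the operator sees all problems at once.
check_eap_cert() {
    cert="$1"
    text=$(cert_text "$cert") || { echo "$cert: cannot parse as X.509"; return 1; }
    # The first "Signature Algorithm:" line is the one inside the TBS certificate.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # "RSA Public-Key: (2048 bit)" on OpenSSL 1.1, "Public-Key: (2048 bit)" on 3.x
    keybits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    status=0
    case "$sigalg" in
        sha256WithRSAEncryption) ;;
        *) echo "$cert: signature algorithm '$sigalg' (want sha256WithRSAEncryption; rsassaPss is what broke older iOS)"
           status=1 ;;
    esac
    case "$keyalg" in
        rsaEncryption) ;;
        *) echo "$cert: public key algorithm '$keyalg' (want rsaEncryption)"; status=1 ;;
    esac
    if [ -z "$keybits" ] || [ "$keybits" -lt 2048 ]; then
        echo "$cert: key size '${keybits:-unknown}' bits (want 2048 or more)"; status=1
    fi
    return $status
}

# Throwaway self-signed cert for exercising the check: $1 = output prefix,
# $2 = -newkey spec (rsa:2048, ec, ...), remaining args are passed to openssl req.
make_test_cert() {
    prefix="$1"; keyspec="$2"; shift 2
    openssl req -x509 -newkey "$keyspec" -nodes -days 1 \
        -subj "/CN=ise.example.test" -keyout "$prefix.key" -out "$prefix.crt" \
        "$@" >/dev/null 2>&1
}

# Usage: sh check_eap_cert.sh /path/to/ise-eap.pem [more.pem ...]
rc=0
for f in "$@"; do
    check_eap_cert "$f" || rc=1
done
[ $# -eq 0 ] || exit "$rc"
```

Run it against the PEM exported from the ISE node's EAP system certificate. make_test_cert exists only to produce throwaway certificates to see the check react: for example `make_test_cert pss rsa:2048 -sha256 -sigopt rsa_padding_mode:pss` yields an rsassaPss-signed certificate that the check rejects, while `make_test_cert good rsa:2048 -sha256` passes.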

2 Replies


Hello!

We used a corporate PKI cert, and in the RADIUS logs it just appeared as failed because of the authorization policy; then I opened the report and it showed a problem with the SSL/TLS config.

Besides this, dealing with a lot of BYOD, most of them non-Windows devices, wouldn't it be better to use an MDM platform?

To make better posture and profiling policies, probably?
