1401 Views, 15 Helpful, 12 Replies

ISE: Guest WIFI - non complicated way

AigarsKSYN
Level 1

Hi All,

 

I am going about setting up guest and employee WIFI, which I am planning on running over the same SSID, as the employee side just requires internet access for their mobile devices, which we do not control nor would be able to push our control out to, due to backlash from the business.

I configured the SSID to use WPA2-Enterprise with "my Radius server", configured it to use Cisco ISE Authentication, and the rest of the settings as per the config guidelines.

• Created Policy and used Wireless_802.1X as my condition.

• Authentication: Wireless_802.1X as my condition, using All_AD_Join_Points with Reject, Reject, Drop.

• Authorization: Wireless_802.1X as my condition, plus some other filters to pinpoint users or groups, and provided with Authorization profile which provides Access_Accept, specifies the VLAN and Airspace ACL name.

 

So the connection to this works as expected: I can connect to the SSID, provide AD account login details and am granted access as per the config.

 

And here is the undesired outcome: I get a prompt to accept the certificate. This certificate is from our internal CA, as we use the same cert for computer 802.1X authentication.

 

This certificate is used for EAP authentication under its Usage. There cannot be two EAP authentication certificates.

 

What are the alternative options for getting a public certificate but retaining the simplicity of this AD user authentication against the SSID and not getting the untrusted certificate prompt?

 

Background on the simplicity side: we do not have MDM available, so pushing certificates to employee phones is not an option. But at the same time we have a requirement that we can control which user is allowed on WIFI by using groups, AD user account status, etc.

 

For guests, we require the same thing: different user accounts for different geographical areas, with the option of changing the password in AD or fully disabling the account in AD in case of security violations or other reasons.

 

The selected option of achieving this did not require any overhead on mobile devices, as there is nothing more to do apart from providing a username and password: no redirects, no registrations, no profiles to be installed. And given that access is granted to internet ports 80 and 443 only, there is no need to do any posture on this as well.

 

Please advise.


12 Replies

Jason Kunst
Cisco Employee
Putting a well-known certificate on your ISE server is required for security purposes. It's not recommended to use self-signed or internal certs that are unknown to your endpoints. Regardless of this, some clients will still be prompted to initially trust that PSN certificate. Here are some discussions by various vendors as well on the subject:
https://community.cisco.com/t5/identity-services-engine-ise/eap-certificate-not-trusted-by-quot-some-quot-byod-devices/td-p/3470865
https://community.arubanetworks.com/t5/Security/iOS-quot-not-verified-quot-for-trusted-certificate/td-p/228121


The recommended option would be to place a wildcard in the SAN, so that when devices roam between RADIUS PSNs they will only be prompted the first time they have to trust the cert.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2
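To make the wildcard-SAN point concrete, here is a small checker, added as an example and not part of this thread or of Cisco ISE: it applies RFC 6125-style wildcard matching (a `*` only as the whole left-most label, matching exactly one label) to decide whether a certificate's dNSName SAN entries cover every PSN FQDN a supplicant might be handed. The SAN lists and the PSN names (`*.example.com`, `ise-psn1.example.com`, ...) are constructed for the example; a real deployment would feed in the SAN entries read from the EAP system certificate and its own PSN hostnames.

```python
"""
Added example (not from the thread or from Cisco ISE): check whether an
EAP server certificate's Subject Alternative Names cover every PSN FQDN
that supplicants may be handed. SAN entries and hostnames below are
constructed sample data; no real certificate is parsed.
"""


def san_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry matches hostname.

    Rules applied (a subset of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the whole left-most label ("*.x.y");
      * the wildcard matches exactly one label, so "*.x.y" matches
        "psn1.x.y" but not "a.b.x.y" or the bare "x.y";
      * "*.tld" is rejected, as public CAs will not issue it anyway.
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Partial wildcards ("ise*.x.y") and "*.com" are not accepted.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # Exactly one label is consumed by the wildcard.
    if len(host_labels) != len(san_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_psns(san_entries, psn_fqdns):
    """Return the PSN FQDNs that no SAN entry covers (empty list == all good)."""
    return [h for h in psn_fqdns
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed data: a wildcard cert as recommended in the thread versus a
# cert issued for a single node name only.
WILDCARD_SANS = ["ise.example.com", "*.example.com"]
SINGLE_NODE_SANS = ["ise-psn1.example.com"]
PSNS = ["ise-psn1.example.com", "ise-psn2.example.com", "ise.example.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS),
                        ("single-node", SINGLE_NODE_SANS)):
        missing = uncovered_psns(sans, PSNS)
        if missing:
            print(f"{label}: supplicants will be prompted again on {', '.join(missing)}")
        else:
            print(f"{label}: every PSN is covered, trust prompt appears once")
```

With the single-node certificate, a phone that first joined through ise-psn1 is prompted again when it is steered to ise-psn2; with the wildcard certificate every node presents a name the client has already trusted. Note that the check only covers the name; the issuing chain still has to be one the endpoints already trust, which is the other half of Jason's point.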

Thanks Jason,

 

Will give it a read.

Arne Bier
VIP

Hi @AigarsKSYN 

 

I will say that I have seen this requirement for more than one EAP server certificate a few times.  Aruba ClearPass supports this and it makes sense for some complex scenarios.  They can support multiple EAP "Services", and whichever one processes the EAP request determines which cert their RADIUS server presents to the supplicant.  Perhaps we need to submit a feature request one of these days.

Arne, I don’t understand; it seems you’re mixing another requirement into it? I think the key issue is the cert having to be manually trusted?

Hi Jason

 

the original posting read

"This certificate is used EAP authentication under its Usage. There can not be two EAP authentication certificates.

 

What are the alternative options with getting public certificate but retain the simplicity of this AD user authentication against SSID and not getting untrusted certificate prompt."

 

I was responding to the first part mostly because I have seen this question a few times in the Community forum.  When we build ISE and we create the EAP System cert, we have to choose the CA chain.  And that can be an issue for some customers who want to present multiple ISE server certs.  I personally don't see this as an issue.

 

Horses for courses

Thanks Arne and Jason,

 

I am going down the route of configuring EAP Authentication using a wildcard public CA certificate.

 

Just a quick one for you both if you do not mind.

 

If I have two PSN nodes, would replacing the EAP Authentication cert on one node sync this over to the other node as well, or am I safe doing testing in such a way?

 

Also, regarding use of FQDN: I want to prep both PSN nodes for use of FQDN. Can the CLI config of IP HOST be the same on both PSN nodes and rely on DNS round-robin load balancing?

 

Command use: ip host IP_address host-alias FQDN-string

 

My Config:

PSN1 admin(config)# ip host 10.0.0.1 ise ise.domain.com

PSN2 admin(config)# ip host 10.0.0.2 ise ise.domain.com

Not sure what you're trying to accomplish here. Why not just use a wildcard in the SAN and have it work with any PSN IP and name?

Hi Jason,

 

Sorry, I should have been a bit more clear: I am trying to update to the wildcard cert; however, when the production network is your only network and people work around the clock, I want to know how I can go about implementing the certificate without affecting everyone or causing an outage.

 

That is why I was asking whether it is possible to update one of the PSN nodes and not have the certificate propagate through to all PSN nodes. If it is not an automatic process, then great, as I can take one PSN, replace the current cert with the wildcard, then perform a test, switch this PSN to be used as primary, get that PSN's cert updated as well and place them both in production.

 

Also, I guess I will need to update network profiles to trust the new cert's root CA.

Just a few comments on this thread.

 

I would advocate not using a WPA2 Enterprise SSID for this situation.  You are setting yourself up for a world of pain (well, maybe not you, but the employees).  Any time you allow an employee to connect a mobile device to an SSID with AD credentials, that device will store the credentials.  Now their AD password changes and they forget they have their mobile devices using it to connect to an SSID that only gives them Internet access.  Now their AD account is constantly getting locked out and frustration mounts.

 

Set up a standard open SSID with a portal.  Allow the portal to accept AD credentials or regular guest credentials.  When the employees log in, their MAC address gets put into an Employee_BYOD endpoint identity group with a long purge time (30, 60, 90 days... whatever you want), and the guests would get mapped to guest endpoint identity groups that have shorter purge times (daily, weekly, etc.).

 

It is a simple setup.  Employees are happy because they only have to see the guest portal once every purge cycle, and there is no AD account remembered causing AD account locks.

Thanks Paul,

Will take your advice.

Jason Kunst
Cisco Employee
Is this a duplicate thread? Just wondering. Perhaps you consolidated?

Hi Jason,

 

It is not, I have not raised any threads on this subject.