Mobile onboarding initial unsecure SSID certificate?

mediaworksnz
Level 1

Hello, a general question please regarding BYOD onboarding: when users first connect to the initial unsecure onboarding SSID, their BYOD devices will not trust the ISE certificate due to it having been issued by our local CA. Understandable.

Therefore, is it best to purchase a publicly signed certificate and bind that to one of our company's public IP addresses and NAT that through to ISE? That way the BYOD user devices will initially connect to a public IP with a trusted cert and no trust errors.

Or is it OK to tell users that they should just accept the initial onboarding certificate trust error they will receive?

What do you guys do?

Thanks kindly for any advice.

Accepted Solution

Damien Miller
VIP Alumni
You essentially answered your own question. You are best to use a well-known public CA for certificates used on guest/BYOD. I have found that enterprise IT usually doesn't have direct communication with BYOD or guest users, so telling them to just accept it may not be possible. It will usually lead to people reporting problems with the onboarding.

Now you can add IP fields just like CN and SAN fields in certs; if you need clients to trust the IP, then this will work. Not sure exactly on your specific setup with IPs and NAT and how it all flows, but so long as clients can connect, onboard, and it works without issue, then go for the new cert.

You can use the same certificate for guest/sponsor portals as well, and by default the same cert is applied to the default portal group. You can break these portal groups up, or just have a single public cert issued that covers all portal IPs, hostnames, and URLs.

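Added example, not code from the thread or from Cisco: a small shell script that builds a throwaway certificate whose SAN carries the portal hostnames and the NATed public IP, then checks it the way a BYOD client would with `openssl x509 -checkhost` and `-checkip`. It also builds a second cert with the IP only in the CN to show why that does not satisfy an IP connection. All names and addresses are constructed placeholders; it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed names and TEST-NET
# addresses throughout. Requires OpenSSL >= 1.1.1 (for -addext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert STEM CN SAN: self-signed throwaway cert at $WORK/STEM.pem.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_covers_host CERT NAME: succeeds if a dNSName SAN matches NAME.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_covers_ip CERT ADDR: succeeds only if an iPAddress SAN matches ADDR.
# The CN is never consulted for IPs, so a CN of "203.0.113.10" does not count.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Cert as described in the accepted answer: portal hostnames plus the NATed
# public IP, all carried as SAN entries.
make_test_cert good onboard.example.com \
  "DNS:onboard.example.com,DNS:guest.example.com,IP:203.0.113.10"
# Common mistake: the IP is placed in the CN only, with no iPAddress SAN.
make_test_cert bad 203.0.113.10 "DNS:onboard.example.com"

GOOD="$WORK/good.pem"
BAD="$WORK/bad.pem"

# report CERT LABEL: print what a client connecting by name or by IP would see.
report() {
  for target in onboard.example.com guest.example.com 203.0.113.10; do
    case $target in
      *[a-z]*) if cert_covers_host "$1" "$target"; then r=trusted; else r=MISMATCH; fi ;;
      *)       if cert_covers_ip   "$1" "$target"; then r=trusted; else r=MISMATCH; fi ;;
    esac
    printf '%-5s %-22s %s\n' "$2" "$target" "$r"
  done
}

report "$GOOD" good
report "$BAD" bad
```

Run the same two checks against the real portal certificate (replace the constructed file with the exported ISE cert) to confirm every hostname and public IP that clients are redirected to is covered before deploying it.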

3 Replies


Nidhi
Cisco Employee

You can use an external CA to issue BYOD certificates using SCEP, as explained here: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html

Or use the ISE internal CA for BYOD provisioning.

Thanks,

Nidhi