Same certificate for all devices vs PSK or IPSK ?

piotrPaszk
Level 1

Hello,

I have a customer who uses Lightspeed as an MDM for iPads with PSK. The Lightspeed cannot be integrated with ISE and does not have an option to generate certificates. The customer wants to use certificates instead of PSK as it is considered more secure.

So the question is: what would be the best and most secure option to authenticate the devices in this case? I have to generate an identity certificate on ISE, upload it to the MDM and push it to all devices; then I was thinking to maybe utilize rules on ISE for authorization with EAP-TLS and, in addition to that, get them registered via the BYOD portal (link below) and then use an extra check "device registered = yes".

https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

or

I can download all MAC addresses from the MDM and use them as extra protection in rules.

What would security experts recommend?


6 Replies

Jason Kunst
Cisco Employee
A couple of holes here, provided I have all the information? You didn't say the type of devices and why you're talking only about PSK?

If the MDM doesn't integrate with or distribute certificates then it has no relevance to being able to integrate or provide any useful authentication

A list of MAC addresses is not secure

If these are Windows, Android or Apple devices then the recommendation is to use the BYOD flow with certificates. This is EAP-TLS

Otherwise there is no solution for PSK and certificate-based authentication with ISE, as PSK doesn't really set up any secure authentication with AAA besides MAB and a key exchange for the controller to use

Did you see this article?

https://community.cisco.com/t5/security-documents/cisco-ise-amp-wlc-wpa2-psk-wlan-per-device-passphrase-ipsk/ta-p/3644425


Thanks Jason for the answer :)

To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.

I am not sure about that, but when a device is under management of an MDM, you will not be allowed to go through BYOD?

If that's the case, the only option I see is to use iPSK until they get a proper MDM?


 

To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.

JAK> The BYOD flow is for each user to do their own onboarding; please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

I am not sure about that, but when a device is under management of an MDM, you will not be allowed to go through BYOD?

JAK> Your MDM has no way to manage certificates for EAP-TLS or integrate with ISE, therefore it has no relevance to this flow or discussion

If that's the case, the only option I see is to use iPSK until they get a proper MDM?

JAK> iPSK might be an option depending on what you want to do. It is more secure than MAB, but per the guide I shared with you there is some setup and management of the devices, and it won't be as secure as EAP-TLS. The user will need to copy-paste the key you send to them. You can integrate BYOD without native supplicant and certificate provisioning like you stated


 

Thanks for all the tips :) You opened my eyes to many aspects

To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.

JAK> The BYOD flow is for each user to do their own onboarding; please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

## Those devices were provisioned for MDM by dedicated teachers, as it may be difficult for a 7-year-old kid to do it.

I am not sure about that, but when a device is under management of an MDM, you will not be allowed to go through BYOD?

JAK> Your MDM has no way to manage certificates for EAP-TLS or integrate with ISE, therefore it has no relevance to this flow or discussion

## True :)

If that's the case, the only option I see is to use iPSK until they get a proper MDM?

JAK> iPSK might be an option depending on what you want to do. It is more secure than MAB, but per the guide I shared with you there is some setup and management of the devices, and it won't be as secure as EAP-TLS. The user will need to copy-paste the key you send to them. You can integrate BYOD without native supplicant and certificate provisioning like you stated

## This would not be the most optimal solution in this case.

What do you think about just simply using PEAP with profiling or identity groups?

Sounds like PEAP will have to do then.
Teachers will need to enter the credentials. Maybe special credentials just for iPad access?

You can manually put them into special endpoint groups for access controls, or dynamically do this with profiling and device sensor if you know only iPads are used by this group of people

That's the way to go I suppose. Thanks a lot for the help my friend :)