
Android, iPad authentication under Windows domain environment

descalante2007
Level 1

I’m really confused about the best practice to set up these devices in an 802.1X and Windows domain network using ISE.

I have seen the iPad download the ISE certificate the very first time the device is connected to the SSID. On the Android device (Galaxy phone) I don’t see the device download the certificate.

Testing with the Android device, I was able to install the root CA certificate (not an easy procedure); then, when the SSID is configured in the device, I have the option to choose the root CA certificate.

Now if I don’t include the certificate in the SSID configuration, the device is able to connect with an identity and password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials is not enabled before.

How can I validate through ISE that the Android device is using the certificate? Is it possible to set a rule in ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.

I have read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?

The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe it is right; I understand the EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?

As the iPad and Android devices are not in the Windows domain, what should be expected when the password is expired? Customer policy indicates users must change domain passwords every four months. On a Windows PC users receive warnings some days before the expiration, but it appears nothing happens on non-domain devices. A co-worker told me the easy way is that when this happens the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best-practice workaround?

I hope you can help me to clarify my doubts.

Regards.

Daniel Escalante

3 Replies

blenka
Level 3

ISE Case: SR 6628070423 Android Provisioning does not apply certificate axians

See the demo video Android End User Experience

around 02:32 to 02:47 showing the client identity certificate installing process.

Please continue working with TAC and ESC, who would further feedback to the product teams when needed.

Do you have a link to this video?

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin