BYOD Build

craiglebutt
Level 4

Hi

Our customer wants BYOD. We've set up 2 WLANs, 1 for onboarding and 1 for BYOD connectivity; this will give them full access to the internet with the same safeguards, using the corporate web filtering.

The user has to be in an AD secure group to get access. Using the BYOD portal page they log on, and a redirect takes them to the MDM solution. This detects if it is Android or Apple; if Android, it tells you to go off to Play and download the MobileIron client.

If Apple, it automatically pushes out the BYOD labels to it.

Then, when all the labels have downloaded to the client, the end user has to force a connection to the BYOD portal.

The customer doesn't want that; they want a single-WLAN, simple-to-use solution with no manual setup of the WLAN on the device. The issue is we don't want to give unlimited access to the internet to do this.

We have ISE 2.2 patch 9 and the WLC is currently on 8.0.152.

How are other people doing this?

Cheers in advance


4 Replies

Surendra
Cisco Employee
Regarding "no manual setup of wlan on the device": without manual setup of the WLAN on the client, how would the client know which SSID to connect to? ISE will have to provision the certificates for the endpoints in your scenario, and letting the device know which SSID to connect to is something that cannot be avoided.

I did not understand the second part where you said you did not want to have unlimited access to the internet. If I understand correctly, you are talking about the access after the BYOD authentication (based on your statement "We've setup 2 wlans, 1 for on boarding and 1 for BYOD Connectivity., this will give them full access to the internet with the same safeguards using the corporate web filtering."), which you can limit using Airespace ACLs.

Jason Kunst
Cisco Employee
Accepted Solution
You need to use DNS-based ACLs to open up the appropriate sites to download the needed apps.

You can have them connect to an open SSID and then be onboarded to the EAP-TLS secure SSID (dual SSID), or do single SSID PEAP > TLS.

Please refer to the BYOD guide for more information.
https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
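One way to give the not-yet-onboarded state access to only the app-store and MDM endpoints, as an added example that is not from this thread or from Cisco's guide: an AireOS 8.x ACL that serves as ISE's url-redirect-acl and carries the DNS-based allow list, referenced from the ISE authorization profile. The ACL name, the resolver and ISE PSN addresses and the domain names are placeholders; the real domain lists come from Google, Apple and the MDM vendor, and DNS-ACL syntax and AP-mode support should be checked against the 8.0 configuration guide. Lines starting with `!` are annotations, not WLC commands.

```text
! WLC (AireOS 8.x) CLI. BYOD-ONBOARD is returned by ISE as the url-redirect-acl
! for the pre-onboarding authorization: "permit" flows bypass the redirect,
! everything else is sent to the ISE portal. Addresses below are placeholders.
config acl create BYOD-ONBOARD

! DNS, but only to the corporate resolver (placeholder 10.10.10.53), so that
! only answers the WLC can snoop from a trusted resolver open dynamic permits.
config acl rule add BYOD-ONBOARD 1
config acl rule action BYOD-ONBOARD 1 permit
config acl rule protocol BYOD-ONBOARD 1 17
config acl rule destination address BYOD-ONBOARD 1 10.10.10.53 255.255.255.255
config acl rule destination port range BYOD-ONBOARD 1 53 53
config acl rule direction BYOD-ONBOARD 1 in
config acl rule add BYOD-ONBOARD 2
config acl rule action BYOD-ONBOARD 2 permit
config acl rule protocol BYOD-ONBOARD 2 17
config acl rule source address BYOD-ONBOARD 2 10.10.10.53 255.255.255.255
config acl rule source port range BYOD-ONBOARD 2 53 53
config acl rule direction BYOD-ONBOARD 2 out

! ISE PSN portal (placeholder 10.10.20.10, default portal port 8443), both ways.
config acl rule add BYOD-ONBOARD 3
config acl rule action BYOD-ONBOARD 3 permit
config acl rule protocol BYOD-ONBOARD 3 6
config acl rule destination address BYOD-ONBOARD 3 10.10.20.10 255.255.255.255
config acl rule destination port range BYOD-ONBOARD 3 8443 8443
config acl rule direction BYOD-ONBOARD 3 in
config acl rule add BYOD-ONBOARD 4
config acl rule action BYOD-ONBOARD 4 permit
config acl rule protocol BYOD-ONBOARD 4 6
config acl rule source address BYOD-ONBOARD 4 10.10.20.10 255.255.255.255
config acl rule source port range BYOD-ONBOARD 4 8443 8443
config acl rule direction BYOD-ONBOARD 4 out

! DNS-based entries: when a client resolves one of these names through the
! permitted resolver, the WLC snoops the answer and permits the returned IPs.
! Placeholder names; take the real lists from Google, Apple and MobileIron.
config acl url-domain add play.google.com BYOD-ONBOARD
config acl url-domain add mdm.example.com BYOD-ONBOARD
config acl apply BYOD-ONBOARD
show acl detailed BYOD-ONBOARD

! ISE side (authorization profile for the not-yet-onboarded state): Web
! Redirection = Native Supplicant Provisioning with ACL "BYOD-ONBOARD", which
! sends cisco-av-pair url-redirect-acl=BYOD-ONBOARD plus the portal URL.
! After onboarding, the EAP-TLS authorization profile can return
! Airespace-ACL-Name=<post-onboard ACL> to keep limiting internet access.
```

Because the allow list is built from snooped DNS answers, the resolver the clients are permitted to reach is the trust anchor for the whole list; verify with `show acl detailed` that the url-domain entries and counters behave as expected before widening the list.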

craiglebutt
Level 4
Cheers for the replies.

We are using MobileIron for the MDM; this manages the client side, and ISE is passing the authentication.

We are using the BYOD portal for onboarding using MAB, so no manual configuration of network settings on the Androids; the user just clicks on the SSID.

This points to our internal MobileIron server, which for Apple uses the over-the-air install and for Android has to download the MobileIron client, the same as they have to for the NSA.

The policies are then pushed out from MobileIron to the client. But then it requires a manual selection of the 2nd SSID, which is using EAP-TLS.

All DNS is done via our firewalls; the Google side is no issue, but for Apple this is a forever-moving target to lock down to only access their content delivery.

The customer wants a simple solution, without the users having to manually configure the wireless client on their device.

Cheers

Jason Kunst
Cisco Employee
Accepted Solution
OK, it's still not clear what the optimal flow is that the customer would like.

If they want to do MDM but don't want to deal with firewall rules etc., then have them onboard via MDM on an open network before coming to the ISE network.

Or you can do a single SSID network where they enter credentials. Once connected you instruct them to onboard via enroll.cisco.com, which requires them to go through BYOD and/or MDM. This redirection can also occur when they try to get to any internal resources. They must onboard to get further access. Now they don't have to deal with any ACL issues, just allow them full internet.

This is all in the BYOD guide, I believe.