BYOD VS Corporate device

Adam White
Level 1

Howdy, 

 

I haven't done an ISE deployment in a very long time, and when thinking about it now I have gotten myself stuck in a thought loop.

 

When minimizing SSIDs, so a single SSID for all users except guests to connect to, how, or even why, is there a differentiation between a BYOD and a corporate-owned device?

 

I have had a look, but cannot see a clear way that these are being distinguished. AD comes to mind, although so far all I can see is doing MAR which seems frowned upon for some of its issues. How else is AD checked? 

 

If certificates are rolled out, what would be the difference between a BYOD-provisioned device using certs and a corporate machine using certs? It's the same authentication.

 

Do we care that it's not a corporate device? If so, can we not just ensure posture anyway?

 

Any thoughts or guidelines would be welcome


3 Replies

Arne Bier
VIP

Real BYOD in my opinion involves onboarding any non-corporate device with a certificate. And this is where ISE can help you, but this of course requires additional licensing (Plus). It's not the only method; you might want to look at an MDM solution as well, because these can also onboard devices and provide a better BYOD experience than ISE (e.g. seamless cert renewal, and application management on the device). Then you can use ISE as a RADIUS server and perform 802.1X.

 

The difference between BYOD and Corp is probably debatable, but in my opinion it comes down to whether the device is trusted or not. In theory the corp device was built by corp IT with all the best intentions in the world to secure the device with anti-malware etc. It's now "trusted" to be OK on the network. BYOD is not trusted because you have no idea what stuff is running on those devices. For starters, you can put BYOD and Corp devices on separate VLANs and then use ACLs to restrict access. Or, if you have the stomach for it, enforce some posture on BYOD. I don't have any experience with this and I shudder to think how the end user feels about having this software on their BYO device. Excuse my ignorance on the subject.

 

Whether you do cert-based auth for Corp/BYOD, you can do all sorts of stuff with AD. You can look up the username from the cert's Subject field and check in AD/LDAP whether the user account is active or not, or whether the account is a member of an AD group or not. E.g. you might want to allow only a subset of your AD users to perform EAP-PEAP authentication. These privileged users can then bring their own devices into the office and use their AD creds to access the network (and be placed in a separate VLAN).

 

You can analyse many attributes of a certificate to decide whether it's a Corp or a BYOD cert (e.g. the cert Issuer is often used for that purpose).

 

There have been many posts written about this, or even books etc. The latest book from Aaron Woland is probably a good one to read.

Thanks for the quick reply.
It kind of makes sense, but what if a client wants to use cert auth for everything?
I get that you can do different things with the cert fields, but if the users are using a single SSID deployment, how is it possible to distinguish a corporate device from a BYOD when issuing the cert and onboarding?
All you have are credentials, unless you profile somehow to differentiate and use this?

Telling the difference is all in how you put the certificates on the device. The most common use case is mobile devices using MDMs. When the corporate mobile devices are registered they can be pushed a cert using a template that puts OU=Corporate into the certificate. When a BYOD device registers, a template that puts OU=BYOD is used. In ISE you can check the OU to determine what the device is and give it the correct access.

 

Another scenario is, let's say, you want a single SSID where corporate devices get internal access and BYOD devices get Internet access only. I always push hard against BYOD devices getting direct internal access of any kind. In this case you could have the corporate devices do cert-based authentication and the BYOD devices do PEAP authentication. The PEAP session gets Internet access only.
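The replies above describe a decision ISE makes per 802.1X session: read the OU that the enrollment template wrote into the certificate Subject, look the Subject CN up in AD for account state and group membership, and send password-only (PEAP) users to an Internet-only result. The following is an added example written for this page to make that logic concrete; it is not Cisco ISE code or anything posted in the thread. The policy result names, the `DIRECTORY` contents, the `TRUSTED_ISSUER` DN and the sample sessions are all constructed, and the assumption that both the Corporate and BYOD templates are issued by one internal CA is mine.

```python
"""Toy model of the authorization logic described in this thread.

Added illustration, not Cisco ISE code. Result names, directory
contents, issuer DN and sample sessions are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stand-in for AD/LDAP: username -> (account enabled, groups).
DIRECTORY: Dict[str, Tuple[bool, Set[str]]] = {
    "alice": (True, {"Domain Users", "BYOD-Allowed"}),
    "bob": (True, {"Domain Users"}),
    "carol": (False, {"Domain Users", "BYOD-Allowed"}),  # disabled account
}

# Assumption: both the Corporate and the BYOD templates are issued by one
# internal CA. The OU check is only meaningful for certs chaining to it; a
# cert from any other CA is rejected before the OU is even read, otherwise
# anyone could mint "OU=Corporate" themselves.
TRUSTED_ISSUER = "CN=Example Corp Issuing CA,O=Example Corp"


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514 string DN into attribute type -> list of values.

    Handles backslash-escaped ',' and '=' and repeated attribute types
    (a Subject may legitimately carry more than one OU= component).
    """
    attrs: Dict[str, List[str]] = {}
    buf: List[str] = []
    key, in_key, i = "", True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if in_key and ch == "=":
            key, buf, in_key = "".join(buf).strip().upper(), [], False
        elif not in_key and ch == ",":
            attrs.setdefault(key, []).append("".join(buf).strip())
            buf, in_key = [], True
        else:
            buf.append(ch)
        i += 1
    if not in_key:
        attrs.setdefault(key, []).append("".join(buf).strip())
    return attrs


@dataclass
class Session:
    eap_method: str          # "EAP-TLS" (certificate) or "PEAP" (password)
    subject_dn: str = ""     # client certificate Subject, EAP-TLS only
    issuer_dn: str = ""      # client certificate Issuer, EAP-TLS only
    username: str = ""       # PEAP inner identity, PEAP only


def authorize(s: Session) -> str:
    """Return the authorization result for one 802.1X session."""
    if s.eap_method == "EAP-TLS":
        if s.issuer_dn != TRUSTED_ISSUER:
            return "DENY"  # not our CA: the OU it carries means nothing
        subject = parse_dn(s.subject_dn)
        user = subject.get("CN", [""])[0]
        enabled, groups = DIRECTORY.get(user, (False, set()))
        if not enabled:
            return "DENY"  # unknown or disabled account, even with a valid cert
        ous = {ou.lower() for ou in subject.get("OU", [])}
        if "corporate" in ous:
            return "CORP-FULL-ACCESS"
        if "byod" in ous and "BYOD-Allowed" in groups:
            return "BYOD-INTERNET-ONLY"
        return "DENY"
    if s.eap_method == "PEAP":
        enabled, groups = DIRECTORY.get(s.username, (False, set()))
        if enabled and "BYOD-Allowed" in groups:
            return "BYOD-INTERNET-ONLY"  # password-only users never reach the LAN
        return "DENY"
    return "DENY"


# Constructed sessions covering the cases discussed in the thread.
SAMPLE_SESSIONS: Dict[str, Session] = {
    "corp-laptop": Session("EAP-TLS", "CN=bob,OU=Corporate,O=Example Corp", TRUSTED_ISSUER),
    "byod-phone": Session("EAP-TLS", "CN=alice,OU=BYOD,O=Example Corp", TRUSTED_ISSUER),
    "spoofed-ou": Session("EAP-TLS", "CN=alice,OU=Corporate,O=Example Corp",
                          "CN=Some Other CA,O=Elsewhere"),
    "disabled-carol": Session("EAP-TLS", "CN=carol,OU=Corporate,O=Example Corp", TRUSTED_ISSUER),
    "peap-alice": Session("PEAP", username="alice"),
    "peap-bob": Session("PEAP", username="bob"),
}


def run_examples() -> Dict[str, str]:
    """Authorize every sample session and return name -> result."""
    return {name: authorize(sess) for name, sess in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name:15} -> {result}")
```

The `spoofed-ou` and `disabled-carol` cases are the checks a practitioner should care about: an OU value only separates corporate from BYOD if the CA that wrote it is one you control and the Corporate template cannot be requested by ordinary users, and a certificate that is still valid does not mean the account behind it is, so the directory lookup Arne describes belongs in the rule even for EAP-TLS.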