byod

bluesea2010
Level 5

Hi,

Is it common to implement EAP-TLS instead of PEAP? I'm considering EAP-TLS for certificate-based user authentication for BYOD users. What are the advantages and disadvantages, and what are the typical practices?

Thanks

4 Replies

@bluesea2010 Yes, it's common to use EAP-TLS in a BYOD environment. When using ISE it's typically recommended to use certificates over username/password for better security and manageability.

ISE has a built-in CA which can provision certificates to the BYOD devices.

ISE BYOD guide: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-2093653871

EAP-TLS provides more security compared to PEAP by using the corporate certificate for authentication. Think about a scenario where someone gets hold of your AD credentials and uses them somewhere else to authenticate to your network. That scenario is not possible with EAP-TLS, because for someone to get hold of your certificate it means they need to get hold of your laptop.

EAP-TLS will also allow the RADIUS server to check against the certificate issuer for any certificate that has been revoked, and accordingly deny access to the network from that client. Obviously ISE in this case needs to be configured properly to leverage all these beauties of EAP-TLS.

Also, you might want to evaluate TEAP which is recommended over EAP-TLS. Within TEAP you can configure both user and machine certificates for authentication. The main difference between TEAP and EAP-TLS is that with TEAP you can chain the authentications of the user and machine, and if both passed the authentication you grant full access to the network, however, if only one of the two authentications passed you can then grant less access permissions to the network.

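The chain and revocation check described in the reply above, as an added example that is not part of the original thread and not ISE's own code. It builds a throwaway CA in memory (standing in for the ISE internal CA), issues two user certificates, revokes one via a CRL, and then runs the decision a RADIUS server makes on the certificate a supplicant presents in EAP-TLS: chain to a trusted root, Client Authentication EKU, validity period, CRL signature and freshness, and finally the revoked-serial match. Every name in it (Example BYOD CA, alice, bob, the rogue CA, the serial numbers) is constructed for the demo; it uses only the Go standard library and needs Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must turns a setup error into a panic; only the demo PKI is built with it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs tmpl with the parent's key (self-signed when
// parent is nil), returning the parsed certificate and the new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate stands in for a BYOD CA such as the ISE internal CA (the name is a demo assumption).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// clientTemplate is the kind of user certificate onboarding provisions: Client Authentication EKU only.
func clientTemplate(serial int64, user string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// buildCRL signs a CRL listing the given certificates as revoked (lost laptop, off-boarded user).
// thisUpdate/nextUpdate are parameters so the demo can also produce a stale CRL.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, thisUpdate, nextUpdate time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: thisUpdate})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// authorizeClient is the RADIUS-side decision on the supplicant's certificate in EAP-TLS.
// It fails closed when the CRL is not signed by the issuer or is past its NextUpdate.
func authorizeClient(client *x509.Certificate, roots *x509.CertPool, issuer *x509.Certificate, crl *x509.RevocationList) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by trusted issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; refusing to authorize")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("certificate for %q (serial %s) is revoked", client.Subject.CommonName, client.SerialNumber)
		}
	}
	return nil
}

// Scenario builds the demo PKI and returns the outcome for a valid user, a revoked user,
// a certificate from an untrusted CA, and the valid user checked against a stale CRL.
func Scenario() (validErr, revokedErr, rogueErr, staleErr error) {
	ca, caKey := issue(caTemplate("Example BYOD CA"), nil, nil)
	alice, _ := issue(clientTemplate(100, "alice"), ca, caKey)
	bob, _ := issue(clientTemplate(101, "bob"), ca, caKey)
	rogueCA, rogueKey := issue(caTemplate("Rogue CA"), nil, nil)
	mallory, _ := issue(clientTemplate(100, "alice"), rogueCA, rogueKey) // same CN and serial as alice, wrong issuer
	now := time.Now()
	crl := buildCRL(ca, caKey, now, now.Add(24*time.Hour), bob)
	stale := buildCRL(ca, caKey, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return authorizeClient(alice, roots, ca, crl), authorizeClient(bob, roots, ca, crl),
		authorizeClient(mallory, roots, ca, crl), authorizeClient(alice, roots, ca, stale)
}

func main() {
	v, r, g, s := Scenario()
	fmt.Printf("valid user: %v\nrevoked user: %v\nuntrusted CA: %v\nstale CRL: %v\n", v, r, g, s)
}
```

Two points a practitioner should take from this: the untrusted-CA case carries alice's exact CN and serial number, so only the chain check (not any name or serial lookup) tells it apart from the real user, and whether a stale or unverifiable CRL denies access is a policy decision that this example resolves by failing closed. Real RADIUS servers typically also offer OCSP for the revocation step; the serial-number match against a signed, fresh CRL shown here is the simplest form of the same check.
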
Hi,

Thank you everyone for sharing the information. Now, could you please explain how BYOD users obtain and install the certificate?

@bluesea2010 It's covered in the guide already provided above, but essentially the user goes through an onboarding process to get the certificate:

"When the user connects to the secured SSID using username and password, the user's endpoint does not have a digital certificate, so the session will match the 'Employee_Onboarding' policy rule, which forces the endpoint to be onboarded. As the endpoint goes through the onboarding flow, the endpoint MAC address is registered to ISE and the signed certificate is provisioned to the endpoint. At that point the endpoint will be forced to reauthenticate to the same SSID, where the session will match the 'Employee_EAP-TLS' policy rule and the endpoint gets the PermitAccess permission."

There is also a Cisco video on BYOD https://www.youtube.com/watch?v=JMFPhNj_oYA