Cisco ISE License requirement

mohsayee (Cisco Employee)

Hi, 

I have been working with a Customer, requirement as follows.

  1. Clear segregation of corporate and personal assets accessing the network using wireless as the transport.
  2. Corporate assets require full network access.
  3. Employee personal devices: Internet + on-prem projector wireless access (elevated access).
  4. Guest users: Internet + on-prem projector wireless access (elevated access).

Please help me in below queries:

1. Customer wants to have certificate-based authentication and EAP chaining for laptops, iPads, tablets. Cert repository for laptops is in Active Directory and for iPads/tablets is in MDM. I understand that cert authentication and EAP chaining for laptops is not a challenge. In this case, how can cert authentication and EAP chaining be achieved for MDM-managed devices?
2. BYOD and Guest services: Customer wants to manage guests and 'employees with personal devices' using hotspot or other guest flows. He doesn't want to use BYOD for employees. So would there be any challenges if they don't take PLUS license?
3. Mobile device's users directory is in cloud, Azure AD. Is that integration possible with ISE?

4. They are currently using MDM to manage and profile managed devices. If they do not integrate ISE with MDM, what are the advantages and disadvantages?
5. Intune MDM integration with ISE, is this supported?

4 Replies

Arne Bier (VIP)

Please help me in below queries:

1. Customer wants to have certificate-based authentication and EAP chaining for laptops, iPads, tablets. Cert repository for laptops is in Active Directory and for iPads/tablets is in MDM. I understand that cert authentication and EAP chaining for laptops is not a challenge. In this case, how can cert authentication and EAP chaining be achieved for MDM-managed devices?

In the EAP framework, an Authenticating Server (ISE) performs authentication provided by the Supplicant (client device - e.g. MDM device or other). The client cert that is presented to ISE during EAP-TLS (most commonly) is checked by ISE, and ISE verifies that cert if the CA Cert Chain has been installed in ISE's Trusted Cert Store. If the CA cert chain is not installed in ISE then ISE has no way of verifying the public key of the client cert. This is the basic principle that all Authenticating Servers work on. It doesn't matter who issued the certs (your Corp's PKI, MDM, self-signed) - the only thing that matters is that ISE can validate the authenticity of the cert.


2. BYOD and Guest services: Customer wants to manage guests and 'employees with personal devices' using hotspot or other guest flows. He doesn't want to use BYOD for employees. So would there be any challenges if they don't take PLUS license?

You need Plus License to enable ISE to issue client certs for BYOD. If you don't have Plus license then ISE cannot be used to issue certs. ISE can either be a CA, or an intermediate and proxy the requests to another CA. But let's say you don't have Plus license, then you can still authenticate clients who have a supplicant and client cert (certs issued by means other than ISE).


3. Mobile device's users directory is in cloud, Azure AD. Is that integration possible with ISE?

Nope. ISE does not have capability to use an external identity source in any public cloud. You could use Secure LDAP but then it would not work for complex password validation techniques like CHAP and MS-CHAP etc. You could only do PAP and GTC. If however you wanted to perform authentication only against an attribute in an EAP-TLS cert (e.g. look up the Subject Common Name from the cert in Azure over SLDAP), then that should work, since you are not doing any password checking.

4. They are currently using MDM to manage and profile managed devices. If they do not integrate ISE with MDM, what are the advantages and disadvantages?

Advantage: Don't need Plus License (well, it's a customer advantage from a cost perspective only)

Disadvantage: Unable to quarantine a client who is no longer compliant.


5. Intune MDM integration with ISE, is this supported?

Yes indeed. There are integration guides that you can search for with Google. Requires ISE Plus license.

Thanks Arne for the response.

1. I thought the only way cert authentication works is by creating a certificate profile in ISE then use cert attributes, e.g. common name, to verify and check with AD. Please correct me if my understanding is wrong. So if we don't integrate ISE with MDM and MDM is providing certs for managed devices and we have cert chain installed in ISE. Would that be enough to validate managed device's cert and authenticate/authorize them?

Additionally, could you please answer on EAP chaining part for MDM managed devices. I know that NAM is available only for windows. However, is there a work around to tackle this?

2. Guest/personal devices will not be having certificates. I am aware that guest authentication works without PLUS license. So same way if we wanna authenticate/authorize personal devices too, without BYOD, would that be okay?

1. I thought the only way cert authentication works is by creating a certificate profile in ISE then use cert attributes, e.g. common name, to verify and check with AD. Please correct me if my understanding is wrong. So if we don't integrate ISE with MDM and MDM is providing certs for managed devices and we have cert chain installed in ISE. Would that be enough to validate managed device's cert and authenticate/authorize them?

By default, if you are doing EAP-TLS, then using the default Certificate profile will work. There is nothing special that the ISE user has to do to tell ISE how to check the authenticity of a cert. Every TLS connection to ISE goes through the same process.  ISE sends its EAP Cert to the Supplicant, and the Supplicant sends its client cert to ISE. ISE analyses that cert using the CA certs in its trust store.

You can go the next step from that, and look into the cert to make Authorization decisions. E.g. take the Subject Common Name from the cert and look it up in AD. That is an optional thing but very commonly done. You can also make various comparisons based on who issued the cert etc. All based on what you're trying to achieve. Remember that the client cert is just like a driver's license. You are the traffic cop. You get to ask for the license and then make your own judgements about whether the driver is legit or not.

And about MDM integration - you don't need MDM integration. You (the traffic cop == ISE) just check the validity of the certs that the MDM has dutifully put on your devices. You can put certs on devices in many different ways, and MDM is just one of those methods. ISE itself can also be a CA and this is called the BYOD Onboarding method (ISE can be the CA to issue certs, or it can be an issuing CA on behalf of your on-prem Windows CA, and it can also proxy requests to another platform entirely) - bottom line is - you don't need Plus license to perform EAP-TLS.

Additionally, could you please answer on EAP chaining part for MDM managed devices. I know that NAM is available only for windows. However, is there a work around to tackle this?

NAM is only required for Windows because Microsoft is the only company that has come up with this concept of separating a machine auth and a user auth. It's a security paradigm that has worked very well for the Enterprise. macOS doesn't use this as far as I know because there is no tight integration with Active Directory (as far as I know). If I am wrong about this then I will let someone else comment. On smart phones this is not even a topic because there is no concept of this either (no multi-user operating system).

2. Guest/personal devices will not be having certificates. I am aware that guest authentication works without PLUS license. So same way if we wanna authenticate/authorize personal devices too, without BYOD, would that be okay?

If personal devices do not have certs, then you must decide how you will authenticate them. Common examples are to use a guest portal. Every successful portal auth consumes one Base license. Another example might be to use EAP-PEAP and then let staff use a separate SSID (or same SSID) for personal devices and then restrict their access to the internet or whatever scheme you like. Again - every successful auth consumes one Base license.

Hope that helps :)
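To make the validation principle from the replies above concrete (chain check against the trust store first, then the optional Subject CN lookup for authorization), here is an added example; it is not code from this thread or from ISE, and the CA names, device CNs and the directory map are constructed stand-ins. It runs the tablet's MDM-issued cert once before and once after the MDM CA chain is installed in the trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue mints a constructed Ed25519 cert for cn: self-signed when parent is nil, else signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          new(big.Int).SetBytes([]byte(cn)), // toy serial, unique per CN
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// authenticate is the authenticating-server side: chain-validate the supplicant's cert against the
// trust store, then map its Subject CN through the directory (the optional AD lookup); "" means denied.
func authenticate(client *x509.Certificate, trust *x509.CertPool, directory map[string]string) string {
	if _, err := client.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "" // issuing chain not in the trust store (or expired): the cert cannot be validated
	}
	return directory[client.Subject.CommonName] // "" when the CN is unknown to the directory
}
// Demo: a corporate CA and an MDM CA each issue one client cert; the tablet is checked before and
// after the MDM chain is installed in the trust store. Returns the group granted in each case.
func Demo() (laptop, tabletUntrusted, tabletTrusted string) {
	corpCA, corpKey := issue("Corp Root CA", true, nil, nil)
	mdmCA, mdmKey := issue("MDM Root CA", true, nil, nil)
	lap, _ := issue("laptop01", false, corpCA, corpKey)
	tab, _ := issue("tablet07", false, mdmCA, mdmKey)
	dir := map[string]string{"laptop01": "corp-full-access", "tablet07": "corp-full-access"}
	trust := x509.NewCertPool()
	trust.AddCert(corpCA) // only the corporate chain installed, as in the question
	laptop, tabletUntrusted = authenticate(lap, trust, dir), authenticate(tab, trust, dir)
	trust.AddCert(mdmCA) // now the MDM chain is installed as well
	return laptop, tabletUntrusted, authenticate(tab, trust, dir)
}
```

The tablet is rejected until its issuing CA chain is trusted, and only then does the CN lookup come into play; no MDM integration or cert issuance by ISE is involved in either step.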

Thanks Arne for the response and detailed Explanation.