Dual SSID BYOD with PEAP

vinmangal
Level 1

Hello Cisco expert team,

 

I have built a WiFi test lab set-up with dual SSID to test smartphone onboarding, registration, certificate provisioning, etc.

I am using two Cisco ISE nodes (one as Admin, MnT and the other one as PSN) on version 2.3, patch 5 with EAP-TLS based authentication.

 

1st SSID - MAB based authentication for Authentication, Registration and cert download

2nd SSID - Dot1x based authentication for phones registered on 1st SSID.

 

Now we want to change the test lab Dual SSID BYOD set-up from the EAP-TLS based process to PEAP and email based authentication, where users do not have to download certificates, so that even Android 9 version phones can register too.

 

Please advise if there is any guide PDF available to explain the flow of how to make this change.

Accepted Solutions

Jason Kunst
Cisco Employee
Make sure to run the latest patch on your release. Should be at least 2.2 for long term support.

Android 9 can do onboarding but it requires EST. Have you looked at the article on that?

I don't get the point of not using EAP-TLS and still configuring the supplicant. For Android the process will still require downloading our native supplicant provisioning application.

If you want straight PEAP, just have them connect to that SSID and do BYOD without provisioning.

Go to http://cs.co/ise-community
Go to deploy, then the BYOD section
There is a guide there on BYOD, then another page
On that page look at the onboarding without supplicant and cert provisioning
Look at the article at the bottom as well under issues


6 Replies

Surendra
Cisco Employee
May I know what you meant by email based authentication? And what is the problem with Android 9 devices with EAP-TLS?

Hi Surendra,


At present, the test lab ISE set-up is integrated with AD/LDAP for providing BYOD Wi-Fi services for end users.
We need to move it from AD/LDAP based authentication to email based authentication, where users will register their phones using mail ID and OTP password.

EAP-TLS based authentication has the following two problems:
Android 9 phone mobile registration is not working on the current ISE infra with version 2.3, patch 5
Dependency on a 3rd party SSL certificate to be used for mobile registration

Hi Jason,

The test lab ISE set-up is on version 2.3 patch 5, on which Android 9 version phones are not supported for Wi-Fi BYOD.

Do you have any link which gives suggested workaround steps with snapshots on how to register Android 9 phones?

Thanks for providing solutions.

 

"We need to move it from AD/LDAP based authentication to email based authentication." - I still don't get it. There is no email based authentication that ISE can do.

"EAP-TLS based authentication" - I would like you to get it checked with TAC. I'm pretty sure they would be able to help you resolve those problems.

Links to BYOD page. At the bottom there is registration page workaround information.

Did you look through that and the other links I mentioned?