Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3249
Views
15
Helpful
4
Replies

Help with BYOD PEAP and Android certificate requirements

Go to solution
Mr. Bash
Level 1
Level 1

‎02-10-2021 08:19 AM

I'll try to explain our current setup briefly.  Our WLAN environment leverages Cisco WLC's, AP's and Cisco ISE 2.6.  Our BYOD users are local users in our ISE db, when they connect to our BYOD WLAN they merely have to enter in their PEAP [not PEAP-TLS] username and password and that's it, they get routed to the proper interface and out the firewall to the internet.  

 

I'm pushing to have BYOD devices on-boarded by ISE but that is not going to happen right away.  What we've come up against is that some Android devices actually can't connect anymore because they have a particular security patch that in affect disables PEAP because it doesn't allow you to connect to PEAP and NOT validate the server [ISE] certificate.

 

Our external PKI provider is Globalsign, one of the temporary work around solutions was to perhaps have our ISE environment receive a signed certificate from a Globalsign intermediate CA that is listed as one of the one's that are already in it's store.  

 

Essentially we're trying to temporary make sure android/ios devices can "trust" our ISE server because it's trusted by an intermediate CA that is built into the devices themselves.   Is this making sense and feasible?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-10-2021 09:17 AM

Hi,

Yes, what you said makes sense. You need to use CA signed certificate for
EAP in ISE for the endpoints to trust secure communication with ISE.
Otherwise it will fail.

The ultimate option is to use ISE internal CA capability with BYOD portal
in order to issue a certificate to each endpoint at enrollment which
eliminates the need for CA signed certificate. But as you said this is
quite far.

**** please remember to rate useful posts


View solution in original post

4 Replies 4

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-10-2021 09:17 AM

Hi,

Yes, what you said makes sense. You need to use CA signed certificate for
EAP in ISE for the endpoints to trust secure communication with ISE.
Otherwise it will fail.

The ultimate option is to use ISE internal CA capability with BYOD portal
in order to issue a certificate to each endpoint at enrollment which
eliminates the need for CA signed certificate. But as you said this is
quite far.

**** please remember to rate useful posts


Go to solution
ajc
Level 7
Level 7
In response to Mohammed al Baqari

‎02-10-2021 12:49 PM

Hi Mohammed,

 

I am facing the same issue and I already thought before reading this post about using the same ISE EAP Cert for both EAP-TLS and PEAP, the problem is that anyone with a public CA Certificate installed on the BYOD device could get access to our EAP-TLS subnet which currently uses our own CA signed certificate which was deployed on company owned devices.

 

Any documentation that you could suggest on using ISE Internal CA capability to issue certificate. I would like to take a look on that.

 

thanks

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to ajc

‎02-10-2021 06:39 PM

Hi,

This is very helpful guide covering internal ca in details.

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId--290221034

***** please remember to rate useful posts

Go to solution
ajc
Level 7
Level 7
In response to Mohammed al Baqari

‎02-11-2021 05:59 AM

Thanks for the information.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents