01-28-2014 03:57 AM - edited 03-10-2019 09:19 PM
Hi All,
All of the recommended design (single SSID, Dual SSID) for BYOD requires PKI infrastructure for providing the certificate for the employee's personal devices. I understand how this works.
But my question is, can't we have a BYOD solution without PKI? What if my current organization is not using PKI and wanted to have BYOD solution?
Why all the BYOD design documents talk about EAP-TLS as the authentication method for BYOD devices? Can't we have any other (non certificate based) authentication for BYOD?
I would appreciate if anyone can throw some light around this.
Thanks in advance.
Mohan
01-28-2014 11:21 AM
EAP-TLS is a strong authentication method requiring server and client-based X.509 certificates that also need PKI for certificate deployment. Another strong authentication method EAP-FAST does not require X.509 certificates for mutual authentication, instead Protected Access Credential (PAC) files are used. PAC files can be provisioned either manually or automatically. In this document, the PAC files are automatically provisioned from the ISE server to the client if the client does not contain as existing PAC file. Anonymous PAC provisioning uses EAP-TLS with a Diffe Hellman Key Agreement protocol to establish a secure TLS tunnel. In addition, MSCHAPv2 is used to authenticate the client and prevent early MITM attack detection. Authenticated In-Band PAC provisioning uses TLS server-side authentication, requiring server certificates for establishing the secure tunnel. Unauthenticated PAC provisioning does not require server side validation, and thus has some security risks, such as allowing rogue authentications to mount a dictionary attack. In this document the NAM configuration profile will be configured for unauthenticated PAC provisioning for testing purposes only.
07-31-2014 06:32 PM
How you would be differentiating a corporate device and Non corporate device? A machine cert right?How would you be issuing client cert ?
08-01-2014 12:37 PM
PKI is nice but not a must. As the previous two users mentioned, you can use other authentication methods. PEAP with MS-CHAPv2 would probably be the easiest one. Keep in mind though that EAP-TLS with digital certificates would be the most secure method. Thus, if you don't have a PKI environment then you can either wait for ISE v1.3 or look for a third party solution such as Symantec.
Thank you for rating helpful posts!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: