I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.
I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad, enter his AD account and get on the production network. A cert would certainly fix this problem.
But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?
I've also concluded I am not able to posture an iPad. I was thinking, since we use Zenprise as our MDM platform, I could use a service posture check to see if it was running and, if so, determine by that that it was a corporate-owned iPad. However, under the posture services I only see Windows OSs and no Apple love at all.
Any feedback is appreciated ..
p.s. I rate helpful post! LOL
Unfortunately there is nothing within an iPad or iPhone which we can leverage as a unique identifier between a corporate SOE iPad and a BYO iPad.
E.g. with a workstation deployment we could set up posture assessment to look up a particular reg key in a Windows box, so this doesn't help us with Apple iOS.
With iDevices we can only match on the particular information we obtain through profiling and/or authentication, so we have to make authentication the differentiator.
Through all of my deployments, the only way I have found so far is for the client to have an MDM solution installed and also have an internal CA installed.
Client deploys company-issued iPads with internal certificates through their MDM solution.
I usually deploy two separate SSIDs, one for corporate users, one for BYO.
I anchor the BYO SSID to another WLC that is out on the DMZ and the client then limits internal connectivity through the firewall.
The corporate SSID performs cert auth and the BYO SSID performs PEAP auth, if their BYO users are set up in AD or LDAP.
My ISE authorization rules are set up to match the different WLAN SSID identifier numbers and the authorization sources of AD or LDAP.
Cisco will be releasing new ways to profile devices, maybe we will be able to leverage something unique in the future.
Sent from Cisco Technical Support iPad App
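The two-SSID authorization logic described in the post above, as an added example in Python that is not from the original thread or from Cisco. It models the rules as a small decision function and evaluates it against constructed RADIUS attribute sets. The WLAN IDs, the internal CA name, the authorization profile names and the request fields are all assumptions made for illustration; in a real deployment ISE matches the Airespace-Wlan-Id attribute sent by the WLC, the EAP method and the identity store from the actual authentication, not a dict. The example also includes the failure case the original poster worried about (a BYOD iPad with valid AD credentials trying the corporate SSID) and a certificate from a CA other than the internal one.

```python
"""Model of the two-SSID ISE authorization policy from the thread.

Added example, not ISE configuration and not code from the original posts.
Attribute names, WLAN IDs, CA name and profile names are constructed.
"""
from dataclasses import dataclass

# Hypothetical WLAN IDs as the WLC would report them in Airespace-Wlan-Id.
CORP_WLAN_ID = 1   # corporate SSID: EAP-TLS only
BYOD_WLAN_ID = 2   # BYOD SSID: anchored to the DMZ WLC, PEAP

# Hypothetical subject of the internal issuing CA that the MDM enrols iPads against.
INTERNAL_CA = "CN=Corp Issuing CA,O=Example Corp"


@dataclass(frozen=True)
class Decision:
    result: str    # "ACCEPT" or "REJECT"
    profile: str   # authorization profile name (hypothetical)
    reason: str


def authorize(req: dict) -> Decision:
    """Evaluate one access request against the two-SSID policy.

    Constructed request keys:
      wlan_id        - WLAN identifier from the WLC (Airespace-Wlan-Id)
      eap_method     - "EAP-TLS" or "PEAP"
      cert_issuer    - issuer DN of the presented client certificate (EAP-TLS only)
      identity_store - "AD", "LDAP" or None: where the user credential was validated
    """
    wlan = req.get("wlan_id")
    eap = req.get("eap_method")

    if wlan == CORP_WLAN_ID:
        # Corporate SSID: the differentiator is the certificate, not the user.
        if eap != "EAP-TLS":
            return Decision("REJECT", "DenyAccess", "corporate SSID requires EAP-TLS")
        if req.get("cert_issuer") != INTERNAL_CA:
            return Decision("REJECT", "DenyAccess", "client cert not issued by the internal CA")
        return Decision("ACCEPT", "Corp_Full_Access", "corporate iPad with MDM-issued cert")

    if wlan == BYOD_WLAN_ID:
        # BYOD SSID: an AD/LDAP user over PEAP, traffic confined to the DMZ anchor.
        if eap != "PEAP":
            return Decision("REJECT", "DenyAccess", "BYOD SSID expects PEAP")
        if req.get("identity_store") not in ("AD", "LDAP"):
            return Decision("REJECT", "DenyAccess", "user not validated by AD or LDAP")
        return Decision("ACCEPT", "BYOD_DMZ_Only", "personal device, DMZ-restricted")

    return Decision("REJECT", "DenyAccess", "request from an unknown WLAN")


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_REQUESTS = {
    "corporate_ipad": {
        "wlan_id": CORP_WLAN_ID, "eap_method": "EAP-TLS",
        "cert_issuer": INTERNAL_CA, "identity_store": None,
    },
    "byod_ipad_on_byod_ssid": {
        "wlan_id": BYOD_WLAN_ID, "eap_method": "PEAP",
        "cert_issuer": None, "identity_store": "AD",
    },
    # The original poster's concern: valid AD creds on a personal iPad,
    # but pointed at the corporate SSID. No cert, so no production access.
    "byod_ipad_ad_creds_on_corp_ssid": {
        "wlan_id": CORP_WLAN_ID, "eap_method": "PEAP",
        "cert_issuer": None, "identity_store": "AD",
    },
    # A certificate that chains somewhere else (e.g. self-signed by the user).
    "foreign_cert_on_corp_ssid": {
        "wlan_id": CORP_WLAN_ID, "eap_method": "EAP-TLS",
        "cert_issuer": "CN=Someone's Self-Signed CA", "identity_store": None,
    },
    "unknown_wlan": {
        "wlan_id": 7, "eap_method": "PEAP",
        "cert_issuer": None, "identity_store": "AD",
    },
}


def run_samples() -> dict:
    """Return {sample name: Decision} for every constructed request."""
    return {name: authorize(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:36s} {decision.result:7s} {decision.profile:17s} {decision.reason}")
```

The point the model makes explicit is that on the corporate SSID the user's AD credentials never enter the decision; only the EAP method and the issuing CA do, which is why a cert pushed by the MDM is what separates the two device populations.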
Do you know if Cisco will do an iPad app (client) like Bradford?
Yes, like a NAC agent ...
I am thinking this could look more into the device.
Well, I'm not 100% sure what's on the product path for ISE,
but I believe (and don't quote me) that the NAC agent will eventually be programmed into the AnyConnect client.
So that the AnyConnect client does both the 802.1x supplicant authentication and the posture assessment process.
Much like how AnyConnect does it with ASAs and the host assessment process, if you have ever used this feature.
When this happens I can see a time where the NAC agent will become null and void.
Seeing iPads and iPhones have an AnyConnect app out on the App Store, we may see a posture agent written into this app, but with the limited amount of exploits, trojans and viruses which target the Apple i
There is nothing we really want to check on an iPad or iPhone IMHO: no registry, no usable file structure (unless it's JB), no real antivirus products, so my question would be why would we want to posture check an iDevice at this stage.
Windows smart devices on the other hand may need checking, e.g. the Asus tablets run a full version of Win7. I say you would want to put these devices through posture assessment, so just use the existing NAC agent and treat them like any other laptop or PC.
A bit late to ask this question I know, but what kind of machine cert templates did you deploy to your iPads? Are they user certs or machine certs?
I am trying to understand the best way to deploy certs to our iPads for certificate authentication for wireless and VPN using the ISE.
That way, as you say, we can distinguish between a corporate iPad and a BYOD.
ForeScout sells an alternative NAC product to Cisco ISE. It works with or without 802.1x, so it is typically easier to implement than Cisco's product, and it does a better job of working with unknown/unmanaged devices that don't have 802.1x agents already setup. ForeScout has several methods to determine whether the iPad is corporate-owned or personal-owned:
More information about ForeScout's BYOD solutions is here: http://goo.gl/cQQMV
Thx for stopping by....
Yea, the best we will see is when ISE is integrated with an MDM. ISE can then check the MDM and see what is going on.
Does ISE work with ASA in authenticating the user via RADIUS and then pushing a dACL to it? I'm 80% sure it does. Also, can we confirm that the AnyConnect client does not replace the NAC Agent? The AnyConnect client has its own posture module, and it doesn't work with ISE in any way, as far as I know. Just checking.
I was under the impression that to leverage the dACL feature, the NAD had to support the RADIUS feature CoA (change of authorization).
I was informed that the ASA does not yet support CoA.
I think you can perform simple authentication; it's just the authorization that's a little grey.
AnyConnect does not replace the NAC agent.... yet.
AnyConnect does have its own posture assessment built in, but only the ASA can leverage this with the host assessment feature. That is, it's not yet working with ISE and iPEPs for posture, but it does work as an 802.1x supplicant for wired and wireless connections.
Hope this helps
Sent from Cisco Technical Support iPad App
ACS was able to push dACLs to ASA using AV pairs way back in the 4.x days, so this hasn't changed, though CoA is not yet supported. CoA is only used in posture scenarios to move between compliant and non-compliant. For just authorization after authentication, a dACL can be assigned.
Sent from Cisco Technical Support iPhone App