ISE Corp User Internet access static authentication

Deepak Ambotkar
Level 1

Hello Gents,

I have a quick question on the type of authentication I can use for CORP users that want to access the Internet and some internal applications on their Android-type devices, and who should not need to re-authenticate when they move between sites while connecting to the same SSID.

The setup looks like below:-

USER (needs static auth to move between sites) --> SSID (common for all sites) --> WLC --> ISE

Please can you suggest the best way of authenticating Android-type users with the same username/password when they move across sites.

Thanks,

D

7 Replies

Francesco Molino
VIP Alumni

Hi

You have 2 choices:

- Users connect to the SSID using their Active Directory/LDAP credentials. Once they connect, the credentials are stored on their devices and they'll be able to reconnect without re-authenticating.

- Do BYOD, which means that at the first connection you force users to enroll a certificate. This is the more secure solution. In reality, they will authenticate the first time with their AD/LDAP credentials and, before getting any access, a web portal will pop up for them to enroll their devices.

The 1st solution requires only Base licenses and the 2nd requires Plus licenses. Base licenses you buy once, that's it. Plus is renewal based (1 year, 3 years, and I think 5 years as well).

On all deployments I'm doing today, companies prefer using certificates over username/password, and the certificate server is ISE. In that case you are not dependent on the systems guys, and if something is compromised you can manage certificate revocation directly on ISE instead of asking someone from the systems team to deactivate the user account in AD.

hope this is clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Francesco

Deepak Ambotkar
Level 1

Hi Supportlan,

Thank you for the details, that really helps me understand.

We have the Plus license and I will go with the 2nd option.

Could you also let me know if clients such as Android and iPhone can recognize the certificates generated locally on ISE, and also, in case I need to integrate the MDM (AirWatch), who will issue the certificates, ISE or the MDM server?

And does the MDM have to be synchronized with Active Directory in that case?

Thanks a lot,

Deepak

Hi

Android will recognize the certificate from ISE. For iOS it's even better, because ISE will send an iOS profile.

If you want to check that devices are compliant based on your MDM policies, then you will need Apex licenses (renewal licenses) to integrate ISE with MDM.

Hope this is clear

Thanks
Francesco

Hi,

Yes, we will have Apex licenses as well. So if I use MDM, will the certificate and profiles be loaded from the MDM instead of ISE?

Also, the phones are company-owned Android devices, however they are pretty much for a few internal applications and the rest is Internet access, so can I use the BYOD onboarding process for them while integrating with MDM?

For this solution, as far as I know, I will need:

1) WLC ACL entries

2) WLAN ID & value

3) MDM integration details

I have the image, the Apex, Plus and Base licenses, and the VM created.

Is anything else missing?

Please let me know.

Thanks,

Deepak

Hi

It's up to you how you want to manage it, I mean:

- You can generate the certificate on the fly from ISE, and create a rule that will check the certificate and/or some MDM attributes to ensure the device has not been compromised.

- OR you can provision the certificate through MDM, and then on ISE just a simple authentication process that checks the certificate and/or some MDM attributes to ensure the device has not been compromised.

If you proceed with certificate enrollment on the fly from ISE, then you'll need an ACL to block all traffic except to ISE. If you provision certificates from MDM, an ACL is needed only if you want to block traffic.

For what you need, you are right.

Thanks
Francesco
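The onboarding flow Francesco describes in his two answers (first connection with AD credentials over PEAP, redirect to the BYOD portal behind a pre-auth ACL that only lets the client reach ISE, then EAP-TLS with the ISE-issued certificate plus MDM compliance attributes once Apex is in place) written out as a small Python model. This is an added example for this page, not ISE's policy engine or anything posted in the thread; the ISE PSN and MDM server addresses, the ISE CA subject and the authorization profile names are assumptions.

```python
"""Model of the ISE BYOD authorization flow discussed in this thread (added example).

This is not ISE code: ISE evaluates its policy sets internally. The script makes
the rule order, the fail-closed default and the pre-auth ACL explicit so they can
be reasoned about and tested offline. All addresses, the CA subject and the
authorization profile names are assumptions, not values from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ISE_PSN = "10.0.0.10"          # assumption: ISE Policy Service Node
MDM_SERVER = "10.0.0.20"       # assumption: MDM (e.g. AirWatch) server
ISE_CA_SUBJECT = "CN=ISE Internal Endpoint Sub CA"  # assumption: ISE's own CA


@dataclass(frozen=True)
class AclRule:
    action: str            # "permit" or "deny" (AireOS WLC: permit = pass, deny = redirect/drop)
    proto: str             # "udp", "tcp" or "ip" (any protocol)
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None


# Pre-auth ACL applied while the device is being onboarded: the client may reach
# DHCP, DNS and ISE only; everything else is redirected to the BYOD portal or dropped.
BYOD_PREAUTH_ACL: List[AclRule] = [
    AclRule("permit", "udp", "0.0.0.0/0", 67),        # DHCP
    AclRule("permit", "udp", "0.0.0.0/0", 53),        # DNS (the portal URL is an FQDN)
    AclRule("permit", "ip", f"{ISE_PSN}/32"),         # ISE portal (8443) and provisioning (8905)
    AclRule("deny", "ip", "0.0.0.0/0"),               # everything else
]

# Same idea for a device that has a certificate but is not MDM-compliant yet:
# additionally let it talk to the MDM server so it can remediate.
MDM_QUARANTINE_ACL: List[AclRule] = (
    BYOD_PREAUTH_ACL[:-1]
    + [AclRule("permit", "ip", f"{MDM_SERVER}/32")]
    + BYOD_PREAUTH_ACL[-1:]
)


def acl_decision(acl: List[AclRule], proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First matching rule wins; no match means the implicit deny (redirect/drop)."""
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if ip_address(dst_ip) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return "pass" if rule.action == "permit" else "redirect"
    return "redirect"


@dataclass
class Session:
    eap_method: str                      # "PEAP-MSCHAPv2" (AD password) or "EAP-TLS" (certificate)
    ad_authenticated: bool = False       # PEAP inner authentication succeeded against AD/LDAP
    cert_issuer: Optional[str] = None    # issuer of the client certificate (EAP-TLS only)
    cert_revoked: bool = False           # revocation status from the ISE internal CA
    mdm_registered: bool = False         # MDM attributes ISE fetches from the MDM (Apex licence)
    mdm_compliant: bool = False


@dataclass
class Decision:
    profile: str                         # authorization profile name (assumed)
    preauth_acl: Optional[List[AclRule]] = None


def authorize(s: Session) -> Decision:
    """Ordered authorization rules, first match wins, default deny."""
    if s.eap_method == "EAP-TLS":
        # Trust only certificates ISE issued itself, and check revocation on ISE before
        # anything else: a revoked device is out even if its AD account is still active.
        if s.cert_issuer != ISE_CA_SUBJECT or s.cert_revoked:
            return Decision("DenyAccess")
        if s.mdm_registered and s.mdm_compliant:
            return Decision("PermitAccess")
        return Decision("MDM_Quarantine", MDM_QUARANTINE_ACL)
    if s.eap_method == "PEAP-MSCHAPv2" and s.ad_authenticated:
        # First connection: AD credentials only get the device as far as the BYOD
        # portal, where it enrols a certificate; later connections use EAP-TLS.
        return Decision("BYOD_Onboarding_Redirect", BYOD_PREAUTH_ACL)
    return Decision("DenyAccess")


if __name__ == "__main__":
    first = Session("PEAP-MSCHAPv2", ad_authenticated=True)
    later = Session("EAP-TLS", cert_issuer=ISE_CA_SUBJECT, mdm_registered=True, mdm_compliant=True)
    revoked = Session("EAP-TLS", cert_issuer=ISE_CA_SUBJECT, cert_revoked=True,
                      mdm_registered=True, mdm_compliant=True)
    for name, sess in [("first connection", first), ("onboarded", later), ("revoked", revoked)]:
        print(f"{name}: {authorize(sess).profile}")
    print("portal reachable during onboarding:", acl_decision(BYOD_PREAUTH_ACL, "tcp", ISE_PSN, 8443))
    print("internet during onboarding:", acl_decision(BYOD_PREAUTH_ACL, "tcp", "93.184.216.34", 443))
```

Rule order and the fail-closed default are the point: a certificate from any CA other than ISE's own, or one ISE has revoked, is denied before the MDM attributes are even consulted, which is the revoke-on-ISE-without-touching-AD property mentioned in the first answer. The ACL is written with AireOS WLC semantics (permit = traffic the client may pass before onboarding, everything else is redirected or dropped); on Catalyst 9800/IOS-XE the redirect ACL is inverted (permit = redirect, deny = pass), so translate the intent rather than copying the rules.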

Thanks!

You're very welcome

Francesco