06-20-2016 06:48 AM - edited 03-10-2019 11:52 PM
Hello Gents,
I have a quick question on the type of authentication I can use for CORP users that want to access the Internet and some internal applications on their Android-type devices, and they do not need to re-authenticate when they move between sites connecting to the same SSID.
The setup looks like below:
USER (needs static auth to move between sites) --> SSID (common for all sites) --> WLC --> ISE
Please can you suggest the best way of authentication for android type users with similar username/password when they move across sites.
Thanks,
D
06-21-2016 04:46 PM
Hi
you have 2 choices:
- users connect on SSID by using their Active Directory/LDAP credentials. Once they connect, credentials are stored on their devices and they'll be able to reconnect without re-authenticating.
- do BYOD, that means you force, at the first connection, users to enroll a certificate. More secure solution. In reality, they will authenticate the 1st time with their AD/LDAP credentials and, before getting any access, a web portal will pop up for them to enroll their devices.
The 1st solution requires only Base licenses and the 2nd requires Plus licenses. Base licenses you buy once, that's it. For Plus, it's renewal based (1y, 3y, and I think 5 years as well).
On all deployments I'm doing today, companies prefer using certificates versus user/password, and the certificate server is ISE. In that case, you are not dependent on the systems guys, and if something is compromised, you can manage certificate revocation directly on ISE instead of asking someone from systems to deactivate the user account in AD.
hope this is clear.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-22-2016 01:35 AM
Hi Supportlan,
Thank you for the details, that really helps to understand.
We have plus license and I will go with 2nd option.
Could you also let me know if clients such as Android and iPhone can recognize the certificates generated locally on the ISE, and also, in the case where I need to integrate the MDM (AirWatch), who will issue the certificates, ISE or the MDM server?
And does the MDM have to be synchronized with Active Directory in that case?
Thanks a lot,
Deepak
06-22-2016 04:57 AM
Hi
Android will recognize the certificate from ISE. For iOS it's even better because ISE will send an iOS profile.
If you want to check that devices are compliant based on your MDM policies, then you will need Apex licenses (renewal licenses) to integrate ISE with MDM.
Hope this is clear
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-22-2016 05:55 AM
Hi,
Yes, we will have Apex licenses as well. So if I use MDM, then will the certificate and profiles be loaded from the MDM instead of ISE?
Also, the phones are company-owned Android devices; however, they are pretty much for a few internal applications and the rest is Internet access, so can I use the BYOD onboarding process for them while integrating with MDM?
For this solution, as far as I know, I will need:
1) WLC ACL entries
2) WLAN ID & Value
3) MDM integration details
I have the image, Apex, Plus and Base licenses, and the VM created.
Is anything else missing?
Please let me know.
Thanks,
Deepak
06-22-2016 06:27 AM
Hi
It's up to you how you want to manage it, I mean:
- You can generate the certificate on the fly from ISE, and create a rule that will check the certificate and/or some MDM attributes to ensure the device has not been compromised.
- OR you can provision the certificate through MDM and then on ISE, just a simple authentication process by checking the certificate and/or some MDM attributes to ensure the device has not been compromised.
If you proceed with certificate enrollment on the fly from ISE, then you'll need an ACL to block traffic except to ISE. If you provision certificates from MDM, an ACL is needed only if you want to block traffic.
For what you need, you are right.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
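As an added illustration (not code from the thread or from Cisco ISE), the following Python model walks through the authorization flow described above: first connection with AD/LDAP credentials is redirected to the BYOD portal behind a pre-auth ACL that only allows ISE, later EAP-TLS connections are permitted only if the ISE-issued certificate is not revoked and the MDM reports the device compliant. The ISE address, method names, serials and the revocation list are all constructed.

```python
# Added example, not part of the original thread or Cisco ISE: a small model of the
# authorization flow the replies describe (AD/LDAP credentials on first connect,
# BYOD portal redirect behind a pre-auth ACL, then EAP-TLS with an ISE-issued
# certificate checked for revocation and MDM compliance). All names are assumed.
from dataclasses import dataclass, field

ISE_PSN = "10.0.0.10"  # constructed address of the ISE policy service node

# Constructed revocation list: serials of ISE-issued certs revoked on ISE.
REVOKED = {"0x1F"}


@dataclass
class Session:
    method: str                 # "PEAP-MSCHAPv2" (AD/LDAP creds) or "EAP-TLS" (cert)
    cert_serial: str = ""       # serial of the client cert presented under EAP-TLS
    mdm_compliant: bool = True  # compliance attribute returned by the MDM integration


@dataclass
class Authz:
    action: str                              # "PERMIT", "REDIRECT_BYOD" or "DENY"
    acl: list = field(default_factory=list)  # pre-auth ACL lines pushed to the WLC


def byod_redirect_acl():
    """Pre-auth ACL for on-the-fly enrollment: only DNS and ISE are reachable."""
    return [
        "permit udp any any eq 53",
        f"permit ip any host {ISE_PSN}",
        "deny ip any any",
    ]


def authorize(s: Session) -> Authz:
    """Decide the authorization result for one session, in the order ISE rules would."""
    if s.method == "PEAP-MSCHAPv2":
        # Valid AD/LDAP credentials but no device certificate yet: enroll first.
        return Authz("REDIRECT_BYOD", byod_redirect_acl())
    if s.method == "EAP-TLS":
        if s.cert_serial in REVOKED:
            # Revoked directly on ISE, no need to touch the AD account.
            return Authz("DENY")
        if not s.mdm_compliant:
            # Certificate is fine but the MDM reports the device as compromised.
            return Authz("DENY")
        return Authz("PERMIT")
    return Authz("DENY")
```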
06-22-2016 06:32 AM
Thanks!
06-22-2016 10:03 AM
You're very welcome