ISE EAP-TLS Authentication over the internet

GFernandez07 (Level 1)

Hi experts, 

I’m looking for advice on a scenario involving multiple retail stores. I want to implement EAP-TLS authentication for employee WiFi connections through Cisco ISE. Since these stores don’t have a VPN tunnel, I’m considering setting up an ISE PSN in the DMZ. This would allow the stores to communicate directly over the internet with the ISE node, which is part of our existing distributed deployment.

Are there any security concerns I should be aware of? Is this approach advisable?

Has anyone had experience with this type of setup? I’d appreciate any insights.

Thanks!

Accepted Solution

Arne Bier (VIP)

I have not done it but it would entail setting up RADIUS DTLS connections between the wireless controller (or APs?) towards the ISE PSN node. That's as secure as any TLS style of communication can be over the internet.

Depending on the NAD, and if you have ISE 3.3+, you can also use IPsec to secure the RADIUS comms.

And then I guess block all non RADIUS comms (admin access (http and ssh)) from the internet to that PSN.

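As an added illustration of the accepted answer's last point (this is not ISE or Cisco code; the addresses, rule names and both rule sets are constructed for the example, using RFC 5737 test ranges): a small first-match ACL model with a lint pass that flags an internet-facing PSN policy permitting more than RADIUS/DTLS from the store WLC egress addresses. RADIUS/DTLS listens on UDP 2083 (RFC 7360); cleartext RADIUS (UDP 1812/1813, legacy 1645/1646) is protected only by the shared secret, and ISE admin HTTPS (443) and SSH (22) have no business being reachable from the internet, so all of those are reported as findings.

```python
"""Lint and evaluate a DMZ firewall policy for an internet-facing ISE PSN.

Added example for this thread, not Cisco/ISE code. Addresses, rule names and
both rule sets are constructed assumptions (RFC 5737 test ranges). Port facts
used: RADIUS/DTLS is UDP 2083 (RFC 7360); cleartext RADIUS is UDP 1812/1813
(legacy 1645/1646); ISE admin is HTTPS 443 and SSH 22.
All rules describe traffic destined to the PSN, so only the source is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
STORE_EGRESS = ipaddress.ip_network("198.51.100.0/24")  # assumed store WLC public range

RADIUS_DTLS = ("udp", 2083)
CLEARTEXT_RADIUS = {("udp", p) for p in (1812, 1813, 1645, 1646)}
ADMIN = {("tcp", 443), ("tcp", 22)}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    proto: str                   # "udp" or "tcp"
    port: Optional[int] = None   # None = any destination port

    def permits_port(self, proto: str, port: int) -> bool:
        """Protocol/port part of the match, independent of the source."""
        return proto == self.proto and (self.port is None or self.port == port)

    def covers(self, src_ip: str, proto: str, port: int) -> bool:
        """Full match for a flow src_ip -> PSN proto/port."""
        return ipaddress.ip_address(src_ip) in self.src and self.permits_port(proto, port)


def evaluate(policy: List[Rule], src_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match ACL semantics with an implicit deny at the end."""
    for rule in policy:
        if rule.covers(src_ip, proto, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def lint(policy: List[Rule]) -> List[str]:
    """Flag permit rules that expose anything beyond RADIUS/DTLS from known sources."""
    findings = []
    for rule in policy:
        if rule.action != "permit":
            continue
        if any(rule.permits_port(*pp) for pp in CLEARTEXT_RADIUS):
            findings.append(f"{rule.name}: permits cleartext RADIUS from {rule.src}")
        if any(rule.permits_port(*pp) for pp in ADMIN):
            findings.append(f"{rule.name}: permits admin HTTPS/SSH from {rule.src}")
        if rule.permits_port(*RADIUS_DTLS) and rule.src == ANY:
            findings.append(f"{rule.name}: RADIUS/DTLS open to 0.0.0.0/0, restrict to store egress")
    return findings


# Constructed first attempt: all UDP opened for "RADIUS", admin reachable from anywhere.
WEAK_POLICY = [
    Rule("radius-any", "permit", ANY, "udp"),
    Rule("ise-admin", "permit", ANY, "tcp", 443),
    Rule("ise-ssh", "permit", ANY, "tcp", 22),
]

# Hardened per the accepted answer: RADIUS/DTLS only, from the store egress range only.
HARDENED_POLICY = [
    Rule("radsec-dtls-stores", "permit", STORE_EGRESS, "udp", 2083),
    Rule("deny-all-udp", "deny", ANY, "udp"),
    Rule("deny-all-tcp", "deny", ANY, "tcp"),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {lint(policy) or ['no findings']}")
    print(evaluate(HARDENED_POLICY, "198.51.100.7", "udp", 2083))  # ('permit', 'radsec-dtls-stores')
    print(evaluate(HARDENED_POLICY, "198.51.100.7", "udp", 1812))  # ('deny', 'deny-all-udp')
    print(evaluate(HARDENED_POLICY, "192.0.2.5", "udp", 2083))     # ('deny', 'deny-all-udp')
```

If the IPsec option from the accepted answer is used instead of RADIUS/DTLS, the permitted set becomes IKE (UDP 500/4500) and ESP rather than UDP 2083, so the constants change accordingly. The lint only checks the firewall policy; it says nothing about whether the WLC actually validates the PSN's server certificate over DTLS, which has to be confirmed on the controller itself.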

4 Replies


Flavio

@GFernandez07

The challenge I see in this scenario is the certificate provisioning. If you don't manage the end user device, it could be a problem to provision and keep the certificate up to date. You need some kind of MDM, which means you need to manage all devices.

Arne Bier (VIP)

End client certificate provisioning is a problem regardless of how the NAD talks to the RADIUS server. I thought the focus of the question was more about the RADIUS comms between WLC and PSN. But Flavio, you are right, that's usually a bit of a hurdle for anyone, and the only easy solution is Group Policy for on-prem AD; if they don't have on-prem AD, then MDM would be the next best thing. @GFernandez07 How do you plan to provision your employee devices?

GFernandez07 (Level 1)

@Arne Bier , @Flavio,

Thank you both for the input. The plan is to manage the client devices using an MDM and to push the certs.

I will give this a try and see how it goes. That is if the security team allows it.