09-09-2017 12:02 AM - edited 02-21-2020 10:33 AM
Hi All,
Currently we have 2 certs in ISE: 1 signed by GlobalSign for the portal, and another signed by our internal CA for EAP-TLS.
The issue I have is that the BYOD devices don't have the internal CA root cert installed, therefore failing auth. iPhones give the option to trust, but Android and Samsung don't.
Can you tell me whether it would be recommended to change the EAP-TLS tick box from the internally signed cert to the publicly signed cert from GlobalSign on the System Certificates page in ISE, so that the internally signed root CA would not need to be on the devices?
Hope this makes sense.
Many thanks
Martin
09-09-2017 05:13 PM
09-09-2017 05:32 PM
09-11-2017 01:35 AM
Hi Francesco, many thanks for replying and clearing up that publicly signed certs are not recommended.
My issue is that we have an SSID set up in Wi-Fi that uses EAP-TLS (MSCHAPv2). The profile in ISE matches the Airespace ID and uses the MS Active Directory account for AAA. However, because the internal root CA cert does not exist on the devices, it will not connect, unfortunately.
The devices are not managed either, so I don't have a way to get the internally signed root cert onto the devices, and I wanted to make the user experience as slick as possible, which is why I thought about a publicly signed CA, so the full chain would exist.
You mentioned you have set this up; can you tell me whether you needed to put the root CA onto the devices somehow, and if so, how did you do this?
Many thanks
Martin
09-11-2017 05:01 PM
09-15-2017 02:46 PM
09-15-2017 10:41 AM
As Francesco indicated, why public certs are not recommended is explained here:
https://depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security
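The point behind that link is that a supplicant which trusts a CA, public or internal, but does not also check the server's name will accept any RADIUS server holding a certificate from that CA. As an added illustration that is not part of this thread, the two wpa_supplicant network blocks below show the weak setting beside the hardened one for an EAP-TLS SSID; the SSID name, file paths and the server name `radius.example.com` are hypothetical placeholders. The hardened block works with either an internal or a public root, but in both cases the root named in `ca_cert` has to be present on the device, which is exactly the difficulty raised above (a public root is usually already in the device's trust store, an internal one is not).

```conf
# Added example, not from this thread; names and paths are placeholders.

# WEAK: no ca_cert and no name check. The supplicant validates nothing about
# the server certificate, so any server that speaks EAP-TLS is accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="PLACEHOLDER"
}

# HARDENED: the server certificate must chain to the named root AND carry the
# expected server name (dNSName SAN or CN). With a public root in ca_cert this
# second line is what stops any other certificate from that CA being accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.com"
}
```

`domain_match` requires an exact name match; `domain_suffix_match` or `altsubject_match` can be used instead where several RADIUS servers share a DNS suffix. The same two checks (pinned root plus expected server name) are what the built-in Wi-Fi settings on phones ask for under "CA certificate" and "Domain"/"Online certificate status", so an onboarding profile should set both rather than leaving the device to "trust" whatever it sees.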
09-15-2017 10:44 AM
Have you tested this solution extensively? From the reviews it looks like it is not a good one.
https://play.google.com/store/apps/details?id=com.cisco.cpm.spw.android.wifisupplicant
09-17-2017 11:57 AM
Hi All,
We have a BYOD portal set up already for guest Wi-Fi, with a very strict ACL. This works great.
I should probably explain what I am trying to achieve. I have ISE set up and connected to my domain. I want to connect devices to the corporate SSID, but the devices are not managed: some are Samsung, some Apple products and some Android. I don't want to have them register with a BYOD portal.
I am looking for the simplest method to authenticate them, and I was hoping to use a certificate. However, I have issues with Android not holding the certificate, and Apple working on some iOS and not others. Getting the cert to the device is my issue.
I have an authentication profile that says: Framed, 802.11, Airespace of the SSID.
And then an authorisation profile to check that the username is part of a security group in AD.
The problem is that the certificate thing just makes it harder, and some devices don't like it. I wish I could bypass the cert and just use AD credentials; do you know if this is possible with ISE?
Hope this makes sense.
Thanks
Martin
09-17-2017 01:49 PM