ISE EAP-TLS System Certificate

Martin Swann
Level 1

Hi All,

Currently we have 2 certs in ISE: 1 signed by GlobalSign for the portal, and another signed by our internal CA for EAP-TLS.

The issue I have is that the BYOD devices don't have the internal CA root cert installed, therefore failing auth. iPhones give the option to trust, but Android and Samsung don't.

Can you tell me whether it would be recommended to change the EAP-TLS tick box from the internally signed cert to the publicly signed cert from GlobalSign on the system cert page in ISE, therefore not requiring the internally signed root CA on the devices?

Hope this makes sense.

Many thanks

Martin

9 Replies

Francesco Molino
VIP Alumni
Hi

It's not recommended to use a public certificate for BYOD authentication.

Actually, I have more iPhones than Android devices within my different deployments.
But Android will connect to the Play Store and download the Cisco NSA app. This app will download everything from ISE.
What's your issue exactly?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I've just tested with an Android device and everything works fine.
My setup is ISE as a sub-CA of a Windows root CA.
I also tested in an environment with ISE as the root CA.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, many thanks for replying and clearing up that publicly signed certs are not recommended.

My issue is that we have an SSID set up in Wi-Fi that uses EAP-TLS (MSCHAPv2). The profile in ISE matches the Airespace ID and uses the MS Active Directory account for AAA. However, because the internal root CA cert does not exist on the devices, it will not connect, unfortunately.

The devices are not managed either, so I don't have a way to get the internally signed root cert onto the devices, and I wanted to make the user experience as slick as possible, which is why I thought about a publicly signed CA, so the full chain would exist.

You mentioned you have set this up; can you tell me whether you needed to put the root CA onto the devices somehow, and if so, how did you do this?

Many thanks

Martin

Hi

By configuring the full BYOD process, everything is done automatically. During the enrollment process, Android will download Cisco Network Setup Assistant and it will download everything.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Have you tried BYOD?

Did it work?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

As Francesco indicated, why not to use public certs is explained here:

https://depthsecurity.com/blog/when-802-1x-peap-eap-ttls-is-worse-than-no-wireless-security

Have you tested this solution extensively? Because from the reviews it looks like it is not a good one.

https://play.google.com/store/apps/details?id=com.cisco.cpm.spw.android.wifisupplicant
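The reason behind "don't use a public cert for EAP" in the replies above, shown as an added example (this is not code from the thread, from Cisco, or from the linked article): a throwaway openssl lab builds an internal root CA and a stand-in "public" CA, issues the ISE EAP server certificate from each, and issues a rogue access point's certificate from the public CA for the attacker's own domain, which a public CA would legitimately do. A supplicant that only checks "issued by a CA I trust" accepts the rogue when the trusted CA is public, and rejects it when the trusted CA is the internal one; a supplicant that also checks the server name rejects it either way. Every CA name, hostname and file path is a made-up assumption; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: an openssl lab showing why a
# supplicant should pin the internal CA (and check the server name) rather than
# trust a public root. All CA names, hostnames and paths are made-up assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca <name> <cn>: self-signed CA with a 1-day validity, files under $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert <ca-name> <leaf-name> <cn>: leaf certificate signed by that CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_check <trusted-ca> <server-cert>: what a supplicant that only checks
# "issued by a CA I trust" does. Prints accept or reject.
chain_check() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# supplicant_check <trusted-ca> <server-cert> <expected-cn>: the chain check
# plus the server-name check a correctly provisioned profile performs.
supplicant_check() {
    if [ "$(chain_check "$1" "$2")" != accept ]; then
        echo reject
        return 0
    fi
    cn=$(openssl x509 -in "$WORK/$2.pem" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$3" ]; then echo accept; else echo reject; fi
}

# build_lab: an internal root (what ISE's EAP cert chains to), a "public" root
# (stand-in for a commercial CA), the ISE EAP cert issued by each, and a rogue
# access point's cert that a public CA would issue for the attacker's own domain.
build_lab() {
    make_ca corp-root "Corp Internal Root CA"
    make_ca public-root "Some Public CA"
    issue_cert corp-root ise-eap "ise01.corp.example"
    issue_cert public-root ise-public "ise01.corp.example"
    issue_cert public-root rogue "evil-ap.attacker.example"
}

build_lab
echo "private root, real ISE:             $(chain_check corp-root ise-eap)"
echo "private root, rogue AP:             $(chain_check corp-root rogue)"
echo "public root trusted, rogue AP:      $(chain_check public-root rogue)"
echo "public root + name check, rogue AP: $(supplicant_check public-root rogue ise01.corp.example)"
```

The third line is the problem case: once the supplicant trusts a public root, any certificate that root has ever issued to anyone satisfies the chain check, so the name check becomes the only thing standing between the user and a rogue AP, and unmanaged phones are exactly the devices on which that check tends to be left unconfigured. With the internal root pinned, the attacker cannot obtain a passing certificate at all.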

 

 

Hi All,

We have a BYOD portal set up already for guest Wi-Fi, with a very strict ACL. This works great.

I should probably explain what I am trying to achieve. I have ISE set up and connected to my domain. I wanted to connect devices to the corporate SSID, but the devices are not managed. Some are Samsung, some Apple products and some Android. I don't want to have them register with a BYOD portal.

I am looking for the simplest method to authenticate them, and I was hoping to use a certificate. However, I have an issue with Android not holding the certificate, and Apple working on some iOS versions and not others. Getting the cert to the device is my issue.

I have an authentication profile that says: framed, 802.11, Airespace of the SSID.

And then an authorisation profile to check the username is part of a security group in AD.

The problem is that the certificate thing just makes it harder and some devices don't like it. I wish I could bypass the cert and just use AD credentials. Do you know if this is possible with ISE?

Hope this makes sense

Thanks

Martin

Hi

Ok, I understand your concern better now. However, when you're trying to connect to your corporate SSID, the rules on ISE grant access only if the device presents its certificate. To do so, right now, the only possible way is to enroll all devices manually, I mean:
- download the root and subordinate CA
- enroll the user certificate
- configure the wireless connection manually to use the certificate.

This can be done quite easily manually with Android devices (Samsung or others), but with iPhone you'll need to build a profile to send to users....

In other words, this is what the BYOD portal does.
The first answer to your question is that ISE can't do anything about that.

However, if you look at it another way, you can build a new BYOD portal specially for corporate users. Doing that, you'll have the possibility to enable AD credential login just to get access to the portal, and then enroll the device; everything (every step detailed above) will be done automatically.
In that case the answer is yes, ISE can do everything for you.

The other solution would be using an MDM (like Meraki, which is free and works perfectly with ISE). In that case the answer is yes/no: ISE can do something if connected to an MDM, but MDM integration needs Apex licenses...

In conclusion, I'll keep saying that, depending on how many devices we are talking about, creating a BYOD portal for your corporate SSID could be the simplest solution to provision all your different devices.

You can also create a Corp-Enroll SSID where authentication with AD is permitted only during the enrolment phase, and then switch those devices to the standard corporate SSID once certificates are installed. That way, you can ensure your security and set up a strict ACL on this temporary SSID. Or you can leverage the existing BYOD portal and, based on authentication, push the right NSP...

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
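The three manual enrollment steps Francesco lists (install the root and subordinate CA, enroll the user certificate, point the wireless profile at it) expressed as wpa_supplicant network blocks, the supplicant that Android and Linux use underneath their Wi-Fi settings. This is an added example, not configuration from the thread, from Cisco or from the NSA app; the SSID, identity, file paths and ISE hostname are made-up assumptions. The first block is what a user typically ends up with when they hand-configure the profile and skip the CA prompt; the second is what the enrollment should produce.

```conf
# Added example (not from the thread). Two wpa_supplicant network blocks for a
# manually enrolled EAP-TLS client; SSID, identity, paths and hostnames are
# made-up assumptions.

# WEAK: no CA pinned, no server-name check. The client will complete the TLS
# handshake with any RADIUS server behind an AP broadcasting this SSID, which
# is the rogue-AP scenario the depthsecurity article above describes.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="mswann@corp.example"
    client_cert="/etc/wpa_supplicant/certs/mswann.pem"
    private_key="/etc/wpa_supplicant/certs/mswann.key"
}

# CORRECTED: pin the internal root CA installed in step 1 and require the ISE
# node's name in the server certificate, so only the real ISE PSNs pass.
# domain_suffix_match="corp.example" is the alternative when several PSNs
# share one EAP certificate with per-node SANs.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="mswann@corp.example"
    ca_cert="/etc/wpa_supplicant/certs/corp-root-ca.pem"
    domain_match="ise01.corp.example"
    client_cert="/etc/wpa_supplicant/certs/mswann.pem"
    private_key="/etc/wpa_supplicant/certs/mswann.key"
}
```

The point of the second block is that the CA file is the internal root, not a public one: with a public root in `ca_cert`, only `domain_match` protects the user, and that is the field unmanaged devices most often lack. The BYOD portal and NSA app exist to push both values so the user never has to fill them in by hand.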