11-05-2015 01:04 PM - edited 03-10-2019 11:13 PM
Hi,
We would like to implement the following:
Corporate (not private) tablet and mobile devices (iPad, Android) can connect to the corporate wireless SSID with a certificate installed on them,
but without AD membership, so the certificates exist only on the PKI server. (Of course the auth is based only on the certificate: TLS.)
I know BYOD is very much the same, but, as I understand it, the final stage after the CoA is a simple certificate-based authentication from AD.
Is it possible to implement this without AD? The certificate provisioning is a Helpdesk task, not user-controlled.
TIA
Attila
11-06-2015 02:53 PM
Sure, as long as your authorization rule doesn't try to match anything like an AD group, you should be fine with EAP-TLS with no AD integration.
11-08-2015 10:50 AM
But how can I make sure that the certificate is valid and offered by a valid CA ?
11-10-2015 06:03 AM
You have to import the CA as a trusted cert.
When you create your Authz rule, you should have some identifying info from that specific cert chain, i.e. CN ends with "mydomain.com".
Just make sure you correctly set up ISE to go and get the CRL from your CA server; otherwise, once a device has a valid cert, it's harder to bump it from your network.