1424 Views, 25 Helpful, 11 Replies

mschap v2

bluesea2010 (Level 5)

Hi,

I have the following corporate clients: Windows and iOS. I want to avoid MSCHAPv2; what is the alternative?

And the BYOD clients are Windows, iOS and Android.

Thanks 


11 Replies

@bluesea2010 for corporate devices use certificates (EAP-TLS) issued by an internal Certificate Authority via Group Policies.

For BYOD devices usually you'd use the ISE internal CA.
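The advice above is to replace PEAP-MSCHAPv2 with EAP-TLS using certificates from an internal CA. As an added example (not from this thread, Cisco or ISE), the openssl script below builds a throwaway internal CA, issues one endpoint certificate with the Client Authentication EKU and one without it, and runs the chain and EKU check that a supplicant or RADIUS server effectively applies before an endpoint certificate is usable for EAP-TLS; the CA name and hostnames are made up for the example.

```shell
#!/bin/sh
# Added example: throwaway internal CA + endpoint certs for EAP-TLS checks.
# "corp-ca", "laptop01.corp.example" and "webserver.corp.example" are
# constructed names, not anything from the thread.
set -eu
WORK="$(mktemp -d)"

# 1. Internal CA (stands in for the AD CS or ISE internal CA in the thread).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=corp-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Endpoint certificate signed by the CA. $1 is the CN/SAN, $2 the
#    extendedKeyUsage value; only clientAuth makes it usable for EAP-TLS.
issue_cert() {
  name="$1"; eku="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$name" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# 3. The check that matters for EAP-TLS: the certificate must chain to the
#    internal CA and carry the TLS client (clientAuth) purpose.
#    Returns 0 when the certificate is usable, non-zero otherwise.
check_eap_tls_cert() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

make_ca
issue_cert laptop01.corp.example clientAuth    # what a GPO/BYOD template issues
issue_cert webserver.corp.example serverAuth   # wrong EKU, not for EAP-TLS
if check_eap_tls_cert "$WORK/laptop01.corp.example.pem"; then
  echo "laptop01: usable for EAP-TLS"
fi
if ! check_eap_tls_cert "$WORK/webserver.corp.example.pem"; then
  echo "webserver: rejected (no clientAuth EKU)"
fi
```

The same `openssl verify -purpose sslclient` check can be run against a certificate exported from a real endpoint, with `-CAfile` pointing at the internal CA chain that ISE trusts.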

Hi,

So the alternative to MSCHAPv2 is only EAP-TLS?

If I use the ISE internal CA for BYOD, how can I deploy these certificates to the BYOD devices?

Thanks 


Hi @Rob Ingram,

I have only a Base license; does it require profiling?

Thanks

Hi @bluesea2010 you would need Plus licensing if you use BYOD.
Profiling is not a requirement for BYOD or using certificates for 802.1x authentication if that was your question.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/m_ise_man_license.html


Hi,

I can see that BYOD needs Plus licensing, but in my case I have only a Base license.

In that case, what will I miss in terms of BYOD? (Currently non-corporate devices are connecting to the corporate Wi-Fi; can I call this BYOD?)

Thanks 


Yes, this is precisely the use-case for BYOD.

Hi ,

My question is why BYOD needs Plus licensing. I have only a Base license but I am still allowing non-corporate devices. I mean users can still connect their personal devices using dot1x (PEAP-MSCHAPv2).

Thanks

If you want to use BYOD, ISE requires Plus/Advantage licensing per endpoint.

Hi @ahollifield 

Sorry, I could not make my question clear; sorry for my English. I don't have Plus licenses, but users can still connect to the Wi-Fi using dot1x PEAP-MSCHAPv2. Since users can connect their personal devices with the Base license, why do we need the Plus license?

Thanks

@bluesea2010 yes the users could just enter their username/password (mschapv2) but that's considered insecure.

For a BYOD environment you can onboard the end users' personal endpoints via the ISE BYOD portal and provision a CA-signed endpoint certificate, as well as configure the network interface and OS native supplicant to utilise this certificate for network access. This functionality requires an ISE Plus license.