06-17-2019 04:32 AM - edited 06-17-2019 04:53 AM
Hello,
I have a customer who uses Lightspeed as an MDM for iPads with PSK. The Lightspeed cannot be integrated with ISE and does not have an option to generate certificates. The customer wants to use certificates instead of PSK as it is considered more secure.
So the question is: what would be the best and most secure option to authenticate the devices in this case? I have to generate an identity certificate on ISE, upload it to the MDM and push it to all devices. Then I was thinking to maybe utilize rules on ISE for authorization with EAP-TLS and, in addition to that, get them registered via the BYOD portal (link below) and then use an extra check "device registered: yes".
or
I can download all MAC addresses from the MDM and use them as extra protection in rules.
What would security experts recommend?
06-17-2019 07:18 AM
To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.
JAK > The BYOD flow is for each user to do their own onboarding; please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app.
I am not sure about that, but when a device is under management of an MDM, will you not be allowed to go through BYOD?
JAK> Your MDM has no way to manage certificates for EAP-TLS or integrate with ISE, therefore it has no relevance to this flow or discussion.
If that's the case, the only option I see is to use IPSK until they get a proper MDM?
JAK> IPSK might be an option depending on what you want to do. It is more secure than MAB, but per the guide I shared with you there is some setup and management of the devices, and it won't be as secure as EAP-TLS. The user will need to copy and paste the key you send to them. You can integrate BYOD without native supplicant and certificate provisioning like you stated.
06-17-2019 06:15 AM
Thanks Jason for the answer :)
To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.
I am not sure about that, but when a device is under management of an MDM, will you not be allowed to go through BYOD?
If that's the case, the only option I see is to use IPSK until they get a proper MDM?
06-18-2019 04:59 AM
Thanks for all the tips :) You opened my eyes to many aspects.
To use the BYOD flow with certificates in this case would be very cumbersome as there are 5000 Apple iPads.
JAK > The BYOD flow is for each user to do their own onboarding; please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app.
## Those devices were provisioned for MDM by dedicated teachers as it may be difficult for a 7-year-old kid to do it.
I am not sure about that, but when a device is under management of an MDM, will you not be allowed to go through BYOD?
JAK> Your MDM has no way to manage certificates for EAP-TLS or integrate with ISE, therefore it has no relevance to this flow or discussion.
##True :)
If that's the case, the only option I see is to use IPSK until they get a proper MDM?
JAK> IPSK might be an option depending on what you want to do. It is more secure than MAB, but per the guide I shared with you there is some setup and management of the devices, and it won't be as secure as EAP-TLS. The user will need to copy and paste the key you send to them. You can integrate BYOD without native supplicant and certificate provisioning like you stated.
##This would not be the most optimal solution in this case.
What do you think about just simply using PEAP with profiling or identity groups?
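The MAC-list idea from the original question and the "PEAP with identity groups" approach above both need the MDM's device list turned into an ISE endpoint identity group. Below is an added example (not from this thread or from Cisco) that normalizes a constructed MDM export into rows for ISE's endpoint CSV import; the column names and the group name "MDM-iPads" are assumptions, so compare them with the import template downloaded from your own ISE node. As the thread notes, a MAC match is weaker than EAP-TLS or IPSK, so use the group only as an extra authorization condition next to a real authentication method.

```python
import csv
import io
import re

# Constructed sample MDM export (not real data): mixed MAC notations,
# one duplicate device and one malformed entry, as messy exports often have.
MDM_EXPORT = """device_name,wifi_mac,model
ipad-class1-01,A4:83:E7:11:22:33,iPad
ipad-class1-02,a4-83-e7-11-22-34,iPad
ipad-class1-03,a483.e711.2235,iPad
ipad-class1-01,a4:83:e7:11:22:33,iPad
ipad-broken,not-a-mac,iPad
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")
# Assumed ISE import columns; verify against your node's template.
ISE_COLUMNS = ["MACAddress", "IdentityGroup", "Description"]

def normalize_mac(raw: str):
    """Return the MAC as AA:BB:CC:DD:EE:FF (the form ISE shows), or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_ise_import(mdm_csv: str, identity_group: str):
    """Convert an MDM export into ISE endpoint rows.

    Returns (rows, rejected): rows are deduplicated, valid endpoints assigned
    to identity_group; rejected lists raw MAC strings that failed validation
    so they can be chased in the MDM instead of silently dropped.
    """
    seen, rows, rejected = set(), [], []
    for rec in csv.DictReader(io.StringIO(mdm_csv)):
        mac = normalize_mac(rec["wifi_mac"])
        if mac is None:
            rejected.append(rec["wifi_mac"])
            continue
        if mac in seen:  # same device exported twice
            continue
        seen.add(mac)
        rows.append({"MACAddress": mac, "IdentityGroup": identity_group,
                     "Description": rec["device_name"]})
    return rows, rejected

def to_csv(rows):
    """Serialize rows into the CSV text to upload via ISE's endpoint import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ISE_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```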
06-20-2019 01:01 AM
That's the way to go I suppose. Thanks a lot for the help my friend :)