cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
920
Views
0
Helpful
6
Replies

Same certificate for all devices vs PSK or IPSK ?

piotrPaszk
Level 1
Level 1

Hello,


I have a customer who uses Lightspeed as an MDM for ipads with PSK. The lighspeed can not be intergrated with ISE and does not have option to generate certificates. The customer wants to use certificates instead for PSK as it is consider more secure.

So the question is: What would be the best and most secure option to autheticate the devices in this case ? I have to generate indentity certificate n ISE, upload it to MDM and push it to alle devices then I was thinking to maybe utilize rules on ISE for authorization with EAP-TLS and in addition to that get them registered via byod portal ( link bellow) and then use an extra check " device registered yes".

 

https://community.cisco.com/t5/security-blogs/ise-byod-registration-only-without-native-supplicant-or/ba-p/3099290

 

or

 

I can download all mac addresses from MDM and use it as extra protection in rules. 

 

What security experts would recomend ?

2 Accepted Solutions

Accepted Solutions


 

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads. 

JAK > BYOD flow is for each user to do their own onboard, please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

 

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

JAK> your MDM has no way to manage certificates for EAP-TLS or integrate with ISE , therefore is has no relevance to this flow or discussion

 

If thats a case  so the only option I see is to use IPSK until they get a proper MDM ?

JAK> IPSK  might be an option depending on what you want to do. It is more secure than MAB but per the guide i shared you there is some setup and management of the devices and wont be secure like EAP-TLS.  the user will need to copy paste the key you send to them. you can integrate BYOD without native supplicant and certificate provisioning like you stated


 

View solution in original post

Sounds like PEAP will have to do then.
Teachers will need to enter the credentials. Maybe special credentials just for iPad access?

You can manually put them into special endpoint groups for access controls or dynamically do this with profiling and device sensor if you know only iPads used by this group of people

View solution in original post

6 Replies 6

Jason Kunst
Cisco Employee
Cisco Employee
A couple holes here, provided I have all the information? You didn’t say the type of devices and why you’re talking only about PSK?

If the MDM doesn’t integrate with or distribute certificates then it has no relevance to be able to integrate or provide any useful authentication

A list of Mac addresses is not secure

If these are windows android Apple devices then the recommendation is to use BYOD flow with certificates. This is EAP-TLS

Otherwise there is no solution for PSK and certificate based authentication with Ise as PSK doesn’t really setup any secure authentication with AAA besides MAB And a key exchange for the controller to use

Did you see this article?

https://community.cisco.com/t5/security-documents/cisco-ise-amp-wlc-wpa2-psk-wlan-per-device-passphrase-ipsk/ta-p/3644425


Thanks Jason for the answer :)

 

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads. 

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

If thats a case  so the only option I see is to use IPSK until they get a proper MDM ?


 

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads. 

JAK > BYOD flow is for each user to do their own onboard, please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

 

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

JAK> your MDM has no way to manage certificates for EAP-TLS or integrate with ISE , therefore is has no relevance to this flow or discussion

 

If thats a case  so the only option I see is to use IPSK until they get a proper MDM ?

JAK> IPSK  might be an option depending on what you want to do. It is more secure than MAB but per the guide i shared you there is some setup and management of the devices and wont be secure like EAP-TLS.  the user will need to copy paste the key you send to them. you can integrate BYOD without native supplicant and certificate provisioning like you stated


 

Thank for all the tips :) You open my eyes for many aspects

 

To use BYOD flow with certificates in this case would be very cumbersome as there are 5000 apple ipads. 

JAK > BYOD flow is for each user to do their own onboard, please check out the prescriptive guide at http://cs.co/ise-byod. Even with an MDM the user has to onboard the device with the app

 

## Those devices were provisioned for MDM by dedicated teachers as It maybe difficult for 7 years old kid to do it. 

 

I am not sure about that but when a device is under managment of MDM so you will not be allowed to go through BYOD ?

JAK> your MDM has no way to manage certificates for EAP-TLS or integrate with ISE , therefore is has no relevance to this flow or discussion

 

##True :)

 

If thats a case  so the only option I see is to use IPSK until they get a proper MDM ?

JAK> IPSK  might be an option depending on what you want to do. It is more secure than MAB but per the guide i shared you there is some setup and management of the devices and wont be secure like EAP-TLS.  the user will need to copy paste the key you send to them. you can integrate BYOD without native supplicant and certificate provisioning like you stated

 

##This would not be most optimal solution in this case.

 

What do think about just simply using PEAP with profiling or identity groups ?

Sounds like PEAP will have to do then.
Teachers will need to enter the credentials. Maybe special credentials just for iPad access?

You can manually put them into special endpoint groups for access controls or dynamically do this with profiling and device sensor if you know only iPads used by this group of people

Thats the way to go I suppose.  Thanks a lot for help my friend :)