ISE and iPads

George Stefanick
VIP Alumni

I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.

I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad, enter his AD account and get on the production network. A cert would certainly fix this problem.

But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?

I've also concluded I am not able to posture an iPad. I was thinking that since we use Zenprise as our MDM platform, I could use a service posture check to see if it was running and, if so, determine from that that it was a corporate-owned iPad. However, under the posture services I only see Windows OSs and no Apple love at all.

Any feedback is appreciated ..

P.S. I rate helpful posts! LOL

Thank you!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
17 Replies

koeppend
Level 4

George

Unfortunately there is nothing within an iPad or iPhone which we can leverage as a unique identifier between a corporate SOE iPad and a BYO iPad.

E.g. with a workstation deployment we could set up posture assessment to look up a particular reg key in a Windows box, so this doesn't help us with Apple iOS.

With iDevices we can only match on the particular information we obtain through profiling and/or authentication, so we have to make authentication the differentiator.

Through all of my deployments, the only way I have found so far is for the client to have an MDM solution installed and also have an internal CA installed.

Client deploys company-issued iPads with internal certificates through their MDM solution.

I usually deploy two separate SSIDs, one for corporate users, one for BYO.

I anchor the BYO SSID to another WLC that is out on the DMZ and the client then limits internal connectivity through the firewall.

The corporate SSID performs cert auth and the BYO SSID performs PEAP auth, if their BYO users are set up in AD or LDAP.

My ISE authorization rules are set up to match the different WLAN SSID identifier numbers and the authorization sources of AD or LDAP.

Cisco will be releasing new ways to profile devices, maybe we will be able to leverage something unique in the future.

Dale

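The authorization logic Dale describes (authentication method as the differentiator, with rules keyed on the WLAN ID and the identity source) can be sketched as a small policy evaluator. This is an added example, not code from the thread or from ISE; the WLAN IDs, the SSID names, the internal CA's subject and the attribute names on the request object are assumptions. The WLC sends the SSID as the suffix of Called-Station-Id ("<ap-mac>:<ssid>") and the WLAN number as the Airespace-Wlan-Id VSA; the evaluator requires the two to agree and denies a PEAP/AD login that arrives on the corporate SSID, which is exactly the BYOD-on-production case George raised.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed deployment constants (not from the thread).
INTERNAL_CA_SUBJECT = "CN=Corp Issuing CA"          # issuer every corporate iPad cert must chain to
WLAN_NAMES = {1: "CORP", 2: "BYOD"}                 # Airespace-Wlan-Id -> expected SSID name
CORP_WLAN_ID, BYOD_WLAN_ID = 1, 2


@dataclass
class RadiusRequest:
    """Subset of what a WLC puts in an Access-Request after EAP completes."""
    called_station_id: str        # "<ap-mac>:<ssid>" as Cisco WLCs format it
    wlan_id: int                  # Airespace-Wlan-Id VSA
    eap_method: str               # "EAP-TLS" or "PEAP-MSCHAPv2"
    identity_source: str          # where the identity was validated: "AD", "LDAP", "CERT"
    cert_issuer: Optional[str] = None   # issuer DN of the client cert, EAP-TLS only


def ssid_from_called_station_id(value: str) -> str:
    """Strip the AP MAC and return the SSID; reject values with no SSID suffix."""
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError(f"Called-Station-Id carries no SSID: {value!r}")
    return ssid


def authorize(req: RadiusRequest) -> Tuple[str, Optional[str]]:
    """Return (decision, authorization_profile) the way an ISE rule table would."""
    ssid = ssid_from_called_station_id(req.called_station_id)

    # Integrity check: the SSID name must match the WLAN number the WLC claims.
    if WLAN_NAMES.get(req.wlan_id) != ssid:
        return ("DENY", None)

    # Rule 1: corporate SSID, EAP-TLS, cert issued by our internal CA -> production.
    if (req.wlan_id == CORP_WLAN_ID
            and req.eap_method == "EAP-TLS"
            and req.identity_source == "CERT"
            and req.cert_issuer == INTERNAL_CA_SUBJECT):
        return ("PERMIT", "CORP_ACCESS")

    # Rule 2: BYOD SSID, PEAP with AD/LDAP credentials -> DMZ-anchored access only.
    if (req.wlan_id == BYOD_WLAN_ID
            and req.eap_method == "PEAP-MSCHAPv2"
            and req.identity_source in ("AD", "LDAP")):
        return ("PERMIT", "BYOD_DMZ")

    # Default rule: anything else, including valid AD creds on the corporate SSID.
    return ("DENY", None)


if __name__ == "__main__":
    corp_ipad = RadiusRequest("00-11-22-33-44-55:CORP", 1, "EAP-TLS", "CERT", INTERNAL_CA_SUBJECT)
    byod_on_corp = RadiusRequest("00-11-22-33-44-55:CORP", 1, "PEAP-MSCHAPv2", "AD")
    print(authorize(corp_ipad), authorize(byod_on_corp))
```

The last rule is the important one: without it, an ISE policy that matched only "AD user" would let the PEAP login on the corporate SSID through, so the cert issuer check and the WLAN/SSID match together are what make the corporate-vs-BYOD split hold.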

Do you know if Cisco will do an iPad app (client) like Bradford?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

When you say a 'client'

Are you referring to the NAC agent for posture assessment?

or

Are you referring to the 802.1X supplicant such as AnyConnect for desktops?

Yes, like a NAC agent ...

I am thinking this could look more into the device.

Thanks again

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Well, I'm not 100% sure what's on the product path for ISE,

But I believe (and don't quote me) that the NAC agent will eventually be programmed into the AnyConnect client.

So that the AnyConnect client does both the 802.1X supplicant authentication and the posture assessment process.

Much like how AnyConnect does it with ASAs and the host assessment process, if you have ever used this feature.

When this happens I can see a time where the NAC agent will become null and void.

Seeing iPads and iPhones have an AnyConnect app out on the App Store, we may see a posture agent written into this app, but with the limited amount of exploits, trojans and viruses which target the Apple iDevices at this stage of the Apple smart-device timeline, I wouldn't hold your breath anytime soon.

There is nothing we really want to check on an iPad or iPhone IMHO: no registry, no usable file structure (unless it's JB), no real antivirus products, so my question would be why would we want to posture check an iDevice at this stage.

Windows smart devices on the other hand may need checking, e.g. the Asus tablets run a full version of Win7. I say you would want to put these devices through posture assessment, so just use the existing NAC agent and treat them like any other laptop or PC.

Dale

Hey I sent you a PM ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi Dale,

a bit late to ask this question I know, but what kind of cert templates did you deploy to your iPads? Are they user certs or machine certs?

I am trying to understand the best way to deploy certs to our iPads for certificate authentication for wireless and VPN using the ISE.

That way, as you say, we can distinguish between a corporate iPad and a BYOD one.

thanks

Mario

jmarsal
Level 1

ForeScout sells an alternative NAC product to Cisco ISE. It works with or without 802.1x, so it is typically easier to implement than Cisco's product, and it does a better job of working with unknown/unmanaged devices that don't have 802.1x agents already setup. ForeScout has several methods to determine whether the iPad is corporate-owned or personal-owned:

  • Did the device successfully authenticate via 802.1x?
  • Does the device contain a known MAC address?
  • Is there a “watermark” on the device?
  • Is the device manageable via the domain or a host-based agent (e.g. an MDM agent)?
  • Is the device running a specific process or application?
  • Is the device running the ForeScout Mobile app, or does it contain a ForeScout Mobile iOS policy?

More information about ForeScout's BYOD solutions is here: http://goo.gl/cQQMV

@Jack

Wow,..really?

  • Did the device successfully authenticate via 802.1x? - ISE checks this by default, out of the box
  • Does the device contain a known MAC address? - ISE checks this by default, out of the box
  • Is there a “watermark” on the device? - just a fancy term for profiling; ISE does this out of the box
  • Is the device manageable via the domain or a host-based agent (e.g. an MDM agent)? - ISE integrates natively into the 'domain' and has its own host-based agent; again, out of the box on ISE
  • Is the device running a specific process or application? - Posture assessment, works perfectly on ISE.
  • Is the device running the ForeScout Mobile app, or does it contain a ForeScout Mobile iOS policy? - Well this is a Cisco support forum, so we would probably check if Anyconnect is installed

Thx for stopping by....

Dale

Hahaha...I love it Dale.

I do wish we could posture assess an iPad or other mobile device. And checking to see if the AnyConnect client contained a profile would be nice too.

Yeah, the best we will see is when ISE is integrated with an MDM. ISE can then check the MDM and see what is going on.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George, anyone,

Does ISE work with ASA in authenticating the user via RADIUS and then pushing a dACL to it? I'm 80% sure it does. Also, can we confirm that the AnyConnect client does not replace the NAC agent? The AnyConnect client has its own posture module, and it doesn't work with ISE in any way, as far as I know. Just checking.

Aman

I was under the impression that to leverage the dACL feature, the NAD had to support the RADIUS feature CoA (change of authorization).

I was informed that the ASA does not yet support CoA.

I think you can perform simple authentication, it's just the authorization thats a little grey.

Anyconnect does not replace NAC agent.... yet.

AnyConnect does have its own posture assessment built in, but only the ASA can leverage this with the host assessment feature. That is, it's not yet working with ISE and iPEPs for posture, but it does work as an 802.1X supplicant for wired and wireless connections.

Hope this helps

Dale


aman.diwakar
Level 1

ACS was able to push dACLs to ASA using AV pairs way back in the 4.x days, so this hasn't changed, though CoA is not yet supported. CoA is only used in posture scenarios to move between compliant and non-compliant. For just authorization after authentication, a dACL can be assigned.

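Aman's point, that an ACL can ride in the Access-Accept as a Cisco AV pair with no CoA involved, is easiest to see at the wire level. The block below is an added example, not code from the thread or from ISE/ACS: it encodes a RADIUS Access-Accept carrying Cisco-AVPair (Vendor-Specific attribute 26, vendor ID 9, vendor type 1) entries in the "ip:inacl#N=..." form, computes the Response Authenticator from RFC 2865 (MD5 over code, identifier, length, the Request Authenticator, the attributes and the shared secret), and parses the pairs back out. The shared secret, the request authenticator and the ACL lines are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import List

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
RADIUS_HEADER_LEN = 20


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    raw = value.encode("ascii")
    # attr(1) + len(1) + vendor-id(4) + vendor-type(1) + vendor-len(1) leaves 247 octets.
    if len(raw) > 247:
        raise ValueError("AV pair too long for a single RADIUS attribute")
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(raw)) + raw
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: List[bytes]) -> bytes:
    """Build an Access-Accept whose Response Authenticator binds it to the request."""
    attr_bytes = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier,
                         RADIUS_HEADER_LEN + len(attr_bytes))
    response_auth = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return header + response_auth + attr_bytes


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAD does before trusting the attributes: recompute the authenticator."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    declared_len = struct.unpack("!H", header[2:4])[0]
    if declared_len != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_cisco_avpairs(packet: bytes) -> List[str]:
    """Walk the attribute list and return every Cisco-AVPair string found."""
    pairs: List[str] = []
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = 4
            while sub < len(value):
                vtype, vlen = value[sub], value[sub + 1]
                if vlen < 2 or sub + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR:
                    pairs.append(value[sub + 2:sub + vlen].decode("ascii"))
                sub += vlen
        pos += attr_len
    return pairs


# Constructed sample values for a stand-alone run.
SAMPLE_SECRET = b"s3cret-shared"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ACL = [
    "ip:inacl#1=permit tcp any host 10.1.1.10 eq 443",
    "ip:inacl#2=deny ip any any",
]


def sample_accept() -> bytes:
    return build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                               [cisco_avpair(line) for line in SAMPLE_ACL])


if __name__ == "__main__":
    pkt = sample_accept()
    print(verify_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET), parse_cisco_avpairs(pkt))
```

The authenticator is MD5 keyed only by the shared secret, so a weak or reused secret lets anyone on the path forge an Access-Accept with its own "ip:inacl" lines; that is the reason to keep RADIUS on a management network or inside an IPsec tunnel rather than a property of the dACL mechanism itself.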
