howon
Cisco Employee

In general it is recommended to minimize the number of SSIDs. Also, if guest access is using hotspot access, then single-SSID BYOD is recommended, as the open SSID using the hotspot portal cannot be used for the initial BYOD portal at the same time. With single-SSID BYOD, the endpoint associates to a secure WLAN and gets onboarded; after the endpoint automatically reconnects, it is granted full network access via the same WLAN.

[Figure: single.png]

If guest access is utilizing a named guest account, then the same guest portal can be used for the employee BYOD portal. This flow is called dual-SSID BYOD, where the endpoint associates to a provisioning WLAN which is typically shared with guest access. When ISE confirms that the user is an employee, ISE directs the user to the BYOD flow where the endpoint gets onboarded. Once provisioned with the WLAN settings and possibly a CA-signed certificate, the endpoint reconnects to the secured WLAN for full network access.

[Figure: dual.png]

Single SSID

Pros
  • User experience is better for iDevice users, as switching from the OPEN to the SECURED SSID does not require user intervention
  • This is a unique capability of ISE: competitor solutions force the user to log in twice, while ISE can take the user information from the 802.1X session without asking the user to log in again to the web portal

Cons
  • When end users connect to the SSID for the first time there is no easy way to validate whether the server-provided certificate is from a trusted source

Dual SSID

Pros
  • Some organizations prefer having a dedicated SSID for onboarding devices
  • Can provide visible guidance to the user on the BYOD process before logging in
  • Better security: the user can confirm that the BYOD server is legitimate, as the user does not get prompted to manually trust the EAP certificate
  • ID store is LDAP: PEAP with MSCHAPv2 cannot currently be used against an LDAP store
  • Wired deployment, where it cannot be assumed that the client already has 802.1X enabled on the wired interface
  • Can be configured to use a secured SSID that is not broadcasting
  • In the dual-SSID flow, the BYOD portal can be configured to allow guest access if the employee does not want to go through the BYOD flow

Cons
  • Fast-SSID change setting needs to be enabled on the WLC to accommodate iOS devices
  • Others see dual SSID as an extra management burden
  • A second SSID adds channel overhead and may degrade wireless performance
  • Requires iOS users to manually switch SSID
Comments
GQ
Cisco Employee

Great consolidation. I would add that I had a fairly consistent experience across the 4 major OS types using single SSID, so it seems like a strong candidate to me.

Perhaps the dual approach might be good if we're already using an open SSID for guests.

Hello howon

You put "Fast-SSID change setting needs to be enabled" as a "con" to the single-SSID solution (if I understand your table correctly).

Referring to: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0100100.html#concept_oqt_gmv_4x__section_awc_yjr_fz

I understand that Fast-SSID needs to be enabled for the dual-SSID solution, so I would have set this "con" for the dual-SSID solution (so in the box on the right in your table).

Can you clarify that?

Thanks,

Guillaume

howon
Cisco Employee

Guillaume, thanks, corrected. Surprising it was never brought up till now.

feene1
Level 1

Isn't there a large risk when running Single SSID? The user needs to make sure that the server cert is a trusted cert when authenticating with username and password. Otherwise credentials could be taken by a rogue impersonator, correct? I have noticed some mobile platforms not taking invalid certs seriously, i.e. Android. For that matter users... :)
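As an added illustration (not from the original thread, and not Cisco's or ISE's own configuration), here is the supplicant-side difference behind the certificate-trust point raised above: a wpa_supplicant network block where server validation is left to the user, beside the kind of profile a BYOD onboarding flow provisions, which pins the trusted CA and the expected EAP server name so the user is never asked whether to trust a certificate. The SSID, identity, CA file path and server name are assumptions.

```conf
# Constructed example, not from the thread. Two wpa_supplicant network
# blocks for the same secured WLAN ("corp-secure" is an assumed SSID).

# Before onboarding: a hand-typed PEAP/MSCHAPv2 profile with no ca_cert and
# no server-name match. The supplicant will complete the TLS tunnel to
# whichever EAP server certificate it is offered, so the only thing standing
# between the user's password and an impersonating server is the user
# reading and rejecting the certificate prompt (where the OS shows one).
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_suffix_match: trust decision left to the user
}

# After onboarding: the profile the BYOD flow would push. The CA that issued
# the ISE EAP server certificate is pinned and the server name is checked,
# so the supplicant refuses any other server silently, with no user prompt.
# If the flow also issued a client certificate, eap=TLS with client_cert /
# private_key would replace identity/password here.
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/cert/corp-eap-ca.pem"      # assumed path to the internal CA
    domain_suffix_match="ise.example.com"    # assumed EAP server name (SAN/CN)
}
```

The second block is what removes the "first connect, unknown certificate" exposure listed as the single-SSID con: the trust anchor and server name travel with the provisioned profile instead of being decided by the user at association time.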
