Showing results for 
Search instead for 
Did you mean: 

cert for machine+ guest access


i am working on a solution to provide internet(only) to our Scanners Android based.

we have WLC 5520 and ISE for integration. My solution was to configure L2 auth with PSK, since its only internet as we are separating form our internal network (similar to guest WLAN solution)

But we are also working to find if there is any cert based auth on scanners. i dont want to connect these scanners to AD and access internal network.

Please help me with the traffic flow if there is any solution.





Everyone's tags (3)
Rising star

Re: cert for machine+ guest access

is it an option to install a non-windows-based PKI?

Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT


be aware using certificates may have some impact on battery time.

depending on the implementation on the device type it may need more CPU processing and use more power from the battery


Re: cert for machine+ guest access

you will have to first check if the scanners support certificate based authentication ?

Even if you did user/password (AD) based authentication, the scanners will never talk to AD directly, they will only talk to controller, controller will talk to ISE and ISE will talk to AD for identity verification.

you can choose to create a new AD group for scanners only and create a internet only authorization

-Rate helpful posts-

Re: cert for machine+ guest access

Thanks for replying.
If the scanners support,Should I need to install the certificate in ISE???
Also any document on this will be much helpful.


Re: cert for machine+ guest access

Yes you can, there are many guides for EAP-TLS deployment with ISE, here is a new one to get started.


I would recommend building this in a test lab and do all testings.


-Rate helpful posts-
Hall of Fame Master

Re: cert for machine+ guest access

If the devices are internet only, why even bother using certs?  Like the other poster mentioned, first you need to verify that the device can have certificates installed and that EQP-TLS is supported.  If its Android, it should, but as long as its not locked down.  How would you prevent exporting of the cert on the device to another device?  Again, you might be complicating things since this is only internet access.

*** Please rate helpful posts ***
CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards