With Saurabh Bhasin
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about iPads on Your Network and how you can securely on-board employee-owned devices while protecting your network with Cisco expert Saurabh Bhasin. Saurabh has been involved with various wireless technologies over the years, since the first days of 802.11 becoming a standard and, more recently, with the evolution of the wireless industry to 802.11n. Saurabh has been with the Cisco Wireless Networking Business Unit for about five years, and in this role, he has worked closely with Cisco technology partners (enabling advanced services over wireless networks), leading key architectural features and training various members of the Cisco and partner community in person or through the numerous papers he has authored. Most recently, Saurabh has been leading the product strategy for Cisco's network management efforts. In his past, Saurabh has also authored numerous articles for reputable industry publications, and contributed to open source projects.
Remember to use the rating system to let Saurabh know if you have received an adequate response.
Saurabh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless, Other Mobility Subjects discussion forum shortly after the event. This event lasts through August 26, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Saurabh Bhasin
Welcome to the forum. So what do you recommend to contain these devices on a corporate network?
Can the network be secured from these devices?
The network can be secured from these devices. However, to your question about "do you recommend to contain these devices on a corporate network" - that's entirely up to the corporate/organizational policy of what should be done with employee-owned assets. There are a lot of organizations that follow one of the three models below:
1. Allow them free access
2. Allow them limited access (let's say, to the internet, or parts of the intranet)
3. Deny them any access.
There are also some others who look at #3 above, and perform additional checks before moving them into the #2 or #1 states above.
We have a few iPad users who want to connect through VPN. They are using the built-in IPsec VPN client, but when they try to log in with the credentials that we provide, they don't get connected, without any warning, etc. On the ASA, it shows in the log that "SA parameters do not match". It has been verified that the credentials being used are correct and they work on a normal computer.
It appears that this may be related to a misconfiguration at the ASA and it's likely a mismatch of the IKE and ISAKMP policy.
Here's a reference link:
I would suggest working with our TAC organization, who can help you with the right configuration.
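As an added illustration of the "SA parameters do not match" diagnosis above (this is not code from the thread, from Cisco, or from the ASA): the script parses a constructed ASA phase-1 policy set and reports which attributes of a constructed client proposal fail against each policy. It assumes the matching rule where authentication, encryption, hash and DH group must be identical and the peer's proposed lifetime must not exceed the configured one; the proposal values are illustrative, not a claim about any real client's defaults.

```python
import re

# Constructed ASA config fragment (not from the thread); ASA 8.4-style "crypto ikev1 policy" syntax assumed.
ASA_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# Constructed client proposal; illustrative only, not a claim about any real client's defaults.
CLIENT_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                   "hash": "sha", "group": 2, "lifetime": 3600}
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_policies(config):
    """Return {priority: {attr: value}} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in ATTRS:
            current[parts[0]] = int(parts[1]) if parts[1].isdigit() else parts[1]
    return policies

def find_match(policies, proposal):
    """Return (first matching priority or None, {priority: [mismatched attrs]}).
    Assumed rule: auth/enc/hash/group equal; peer lifetime <= configured lifetime."""
    mismatches = {}
    for prio in sorted(policies):
        pol = policies[prio]
        bad = [a for a in ATTRS[:4] if pol.get(a) != proposal.get(a)]
        if proposal["lifetime"] > pol.get("lifetime", 86400):
            bad.append("lifetime")  # peer asks for longer than the policy allows
        if not bad:
            return prio, mismatches
        mismatches[prio] = bad
    return None, mismatches
```

With the constructed input, no policy matches: policy 10 fails on encryption and policy 20 on authentication and group, which is the kind of per-attribute gap a "SA parameters do not match" log line hides.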
I've heard we can use ISE/WISE to help with the iPad issues. Can you speak to how this will help?
I am not sure what "WISE" is - that you reference, but yes, NCS and ISE provide a great way to provide visibility and control into iPads and other tablets on a network. I'd certainly suggest looking at the following:
Also, I recently did a TechWise TV episode that showcases the NCS and ISE integration. There are 3 parts to this video, and here's a link:
Let me know if you need additional details!
New to ISE, here. Does every device require a certificate? Or are devices with no certificates deemed guests or rogues? Can you touch on that quickly?
Certs are not required (they're not the only way to get devices on the network), but they're a common way of distinguishing employees from ones who're not (guests/rogues).
Let me know if you have any follow-up questions.
We have a brand new White Paper that covers securely on-boarding employee owned devices and how to handle BYOD from an IT perspective. You may find it helpful:
With the increase of iOS devices connected to wireless networks (iPhone / iPad / iPod), do you validate your new WLC versions with the current iOS version? In the same way, do you validate new iOS versions (for example the planned 5.0) with the current WLC versions?
The iPad 802.1X supplicant, for example, is really basic from the user's point of view; a small change in its code could prevent it from working with the Cisco wireless architecture, and even if it were Apple's fault, it would end up as a "Cisco wireless issue"... so checking on this would save you big issues, as people upgrade their devices all the time.
Even with that increase of iPads, I have not seen any Cisco configuration best practices paper for such devices; are you planning to write one? When configuring an SSID, I was told to disable "Aironet extension", which seems pretty obvious, but are there any other best practices that could be applied?
In the same way, which EAP authentication is recommended for such devices? Would all or only some work? Once again, are there any options to enable/disable at the ACS level to make them work better?
We certainly do validate our controller releases with a variety of devices - including Apple's iOS-based devices. You can get more information about the program that validates our software/hardware with vendors' devices here - the program is called Assurewave.
While we'd also like to test pre-released software - we do that on a case-by-case basis as that software is made available to us by our partners. Additionally, you might want to see the whitepaper referenced by Scott Simkin above as well (for best practices).
EAP types are more of a device-related question - however, the most commonly used and deployed EAP types are supported by the Cisco WLAN infrastructure.
Hope this helps,
We have our iPads segregated on a DMZ VLAN with 802.1X and dynamic VLAN assignments through ACS 5.x. What are the comparisons between ACS and ISE, other than the NAC functionality of ISE? I'm leery of upgrading to ISE because it doesn't do TACACS. Any chance Cisco creates any mobile device management software?
ISE will support TACACS+ in an upcoming release. When compared to ACS, ISE does offer significant improvements/additions in functionality - specifically around the posture assessment and profiling capabilities. Take a look at this video (the power of Cisco ISE: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/vds_power_of_ise.html) for example. More information is also available at www.cisco.com/go/ise.
There are a lot of good examples and documents here: http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Hope it helps,