Ask the Experts: iPads on Your Network

ciscomoderator
Community Manager

With Saurabh Bhasin

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about iPads on Your Network and how you can securely on-board employee-owned devices while protecting your network with Cisco expert Saurabh Bhasin. Saurabh has been involved with various wireless technologies over the years, since the first days of 802.11 becoming a standard and, more recently, with the evolution of the wireless industry to 802.11n. Saurabh has been with the Cisco Wireless Networking Business Unit for about five years, and in this role, he has worked closely with Cisco technology partners (enabling advanced services over wireless networks), leading key architectural features and training various members of the Cisco and partner community in person or through the numerous papers he has authored. Most recently, Saurabh has been leading the product strategy for Cisco's network management efforts. In his past, Saurabh has also authored numerous articles for reputable industry publications, and contributed to open source projects.

Remember to use the rating system to let Saurabh know if you have received an adequate response.

Saurabh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless, Other Mobility Subjects discussion forum shortly after the event. This event lasts through August 26, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

emwood2624: this might be another link to refer to for Cisco ISE FAQ: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html

jmprats
Level 4

Hi Saurabh,

I've configured iPad IPSec VPN with PSK against an ASA firewall. Do you know of any good document for setting up VPN IPSec with certificates?

Thanks

Eric Hansen
Level 1

I'd really like to see this part of "romainpage" question expanded on, Saurabh, if you could please.

romainpage wrote:

Even with that increase of iPads, I have not seen any Cisco configuration best practices paper for such devices. Are you planning to write one? When configuring an SSID, I was told to disable "Aironet extension", which seems pretty obvious, but are there any other best practices that could be applied?

One of the reasons I ask is I see some people throwing iPads on their wireless networks; usually an ACS is involved and they just grab the EAP cert on the ACS. But recently I have seen a fair number of people having the iPads execute VPN internally in addition to the EAP of the wireless network. Probably depends on the environment and the type of data involved, but it seemed like an odd configuration to me. Would be nice to know what the best practice is from Cisco on how these types of devices should be connected in an official context.

thanks

e-

Hi Eric,

The Cisco technical marketing team is working on a detailed document along these lines and is expecting to publish that in a month approximately.

As you note, there are several ways for people to get mobile devices/tablets on the network and VPN is deemed the most common way of doing so; it's overlay, and it's isolated without having to change much on the infrastructure - seems odd to me as well though. However, with ISE and its profiling capabilities, you're able to build a better policy around understanding the nature of devices being connected, and then take appropriate actions based on corporate policies.

We'll address similar deployment scenarios in an upcoming document as noted above.

Thanks,

Saurabh

Marketing, eh? I was hoping for something a little more technical and something a little less sales.

e-

Ha, well, they're more technical, and less marketing! The deployment guides usually focus on detailed examples.

-S

Ronald Nutter
Level 1

I have been requested by management at my company to set up this type of access. We are currently doing what I will call profiling on all incoming Windows connections so that we can look for a registry key and one other piece of info that will let us identify the machine as a corporate versus personal machine.

I understand that functionality is not currently in the AnyConnect mobile offering at this point. This makes me very concerned about opening up this type of access. Any idea as to if this is on the roadmap and when it might be available?

Ron

tdoyle
Level 4

I have a few customers that have problems with iPads (original iPads) that can't stay connected to any one SSID for very long. They jump from SSID to SSID even though they've only been set up for one SSID per site. All of the environments are controller based with multiple SSIDs. It's especially bad (meaning dropping connections) if the SSIDs are set up for WPA2/PSK. I have better luck using a "Guest" SSID and forcing users to use Web Auth (but this is NOT the solution that the customers are looking for at this time). Any ideas / suggestions?

tdoyle: We've not heard about this specific issue before. Perhaps these iPads are jailbroken and that's resulting in such behavior? Our experts tell us they've not heard this as a common theme or as a known issue with the Wireless LAN Controllers. However, what would be interesting to know is whether you're using AP Groups and to make sure you have WLANs and APs mapped correctly?

-Saurabh

Hi Saurabh,

I have a problem using AirPrint on an iPad to print to an HP printer over a wireless infrastructure (WLC built into a 3750 switch, Software Version: 7.0.98.0): the iPad can only find the printer some of the time (most of the time it cannot see the printer). I've tried turning on broadcast, multicast and AP multicast group on the WLC to support the Bonjour service on the iPad, but AirPrint on the iPad still has printing problems.

Could you please advise me how to configure WLC to fully support AirPrint service on iPad?

Thank you in advance and regards,

-Sakon

Upgrade to 7.0.98.116 or later.

7.0.98 is buggy

Tom Doyle


Hi Sakon - certainly suggest upgrading to the next release in the 7.0 train. That release does introduce some fixes over the 7.0.98.0 version. For AirPrint, multicast needs to be enabled on your network, and printers and iPads need to be on the same subnet. Could you please verify that's the case?

Settings that would need to be checked:

  • Broadcast forwarding enabled
  • IGMP Snooping enabled
  • Multicast mode enabled (and configure the group address)


Hi tdoyle and Saurabh,

Thank you for the answer. I will upgrade the WLC to the latest version and configure it as you suggested.

eoinwhite
Level 1

Hello Saurabh,

I have a customer who sees iPhone and Android devices popping up on the network. They are logging in via the corporate wireless network using PEAP MS-CHAPv2 using their AD credentials on the iPhone/Android.

Without going down the route of MAC address filtering or certs, how can I prevent unauthorized devices from accessing the network?

Is ISE able to profile these devices without installing client side software such as AnyConnect?

Thanks in advance,

Eoin.

Hello Eoin,

Yes - the ISE is able to profile iPhones and Androids without any extra software on the clients.

-Saurabh
