BYOD with two different SSID and two different authentication methods

ifabrizio
Level 1

Hi to all,

I am planning to create a BYOD wireless network.

Using Cisco ISE 2.7 and Cisco WLC 5508 8.0.133.

At the beginning, I'd like to use EAP-TLS authentication for the endpoints.

But then I have checked that Apple iPhones, starting from iOS 11, do not accept private certificates anymore.

My company does not want to have recurring costs for a PKI.

My idea is to create two different SSIDs, for example BYODAPPLE and BYODOTHERS, and use two different authentication methods:

BYODAPPLE

will use EAP-FAST

BYODOTHERS

will use EAP-TLS with a private signed CA

Is it possible? Are there any limitations on the ISE or WLC?

Bye,

Igor.

3 Replies

Francesco Molino
VIP Alumni
Hi

Not sure I got your point regarding iOS devices not supporting EAP-TLS. If you deploy the BYOD feature and, let's assume, you use ISE as internal CA (it works with any corporate PKI), during the BYOD onboarding process you can surely deploy user certificates generated by the internal PKI and then authenticate them with that certificate.

Now, if you still want to have 2 policies for 2 SSIDs, you can create 2 policy sets with airespace-wlanid as the condition (or the normalised RADIUS attribute as well). Within each policy set, you'll be able to define specific authentication and authorization policies.
Or you can have 1 policy set with 2 authentication rules and then common authorization rules for both SSIDs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
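The two options in the reply above (one policy set per SSID keyed on Airespace-Wlan-Id or on the SSID normalised out of Called-Station-Id, each with its own allowed EAP protocols) can be modelled in a few lines. The following is an added illustration written for this thread, not Cisco ISE code or anything from the poster; the policy-set names, WLAN ids, allowed-protocol lists and sample RADIUS attributes are constructed, and the matching order (top-down, first match wins, then a default) mirrors how policy sets are evaluated.

```python
"""Toy model of per-SSID policy-set selection on RADIUS attributes.

Added example for this thread; not ISE's implementation. It shows both
selectors Francesco mentions: matching on Airespace-Wlan-Id, and matching on
the SSID normalised from Called-Station-Id, which a WLC sends as
"<AP-MAC>:<SSID>". All names and ids below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PolicySet:
    name: str
    match: Callable[[Dict[str, str]], bool]   # condition over RADIUS attributes
    allowed_protocols: List[str]              # EAP methods this set permits


def normalised_ssid(attrs: Dict[str, str]) -> Optional[str]:
    """Derive the SSID from Called-Station-Id ("aa-bb-cc-dd-ee-ff:SSID").

    Returns None if the attribute is missing or carries no ':SSID' suffix, so a
    malformed request falls through to the default set instead of matching.
    """
    csid = attrs.get("Called-Station-Id")
    if not csid or ":" not in csid:
        return None
    _ap_mac, ssid = csid.split(":", 1)
    return ssid or None


# Constructed policy sets: WLAN id 1 carries BYODAPPLE, BYODOTHERS is matched
# by its normalised SSID. Evaluated top-down; the first matching set wins.
POLICY_SETS: List[PolicySet] = [
    PolicySet("BYODAPPLE",
              lambda a: a.get("Airespace-Wlan-Id") == "1",
              ["EAP-FAST"]),
    PolicySet("BYODOTHERS",
              lambda a: normalised_ssid(a) == "BYODOTHERS",
              ["EAP-TLS"]),
]
DEFAULT_SET = PolicySet("Default", lambda a: True, [])   # permits nothing


def select_policy_set(attrs: Dict[str, str]) -> PolicySet:
    """Return the first policy set whose condition matches the request."""
    for policy_set in POLICY_SETS:
        if policy_set.match(attrs):
            return policy_set
    return DEFAULT_SET


def eap_allowed(attrs: Dict[str, str], eap_method: str) -> bool:
    """True if the selected policy set lists the negotiated EAP method."""
    return eap_method in select_policy_set(attrs).allowed_protocols


if __name__ == "__main__":
    # Constructed sample requests as a WLC would send them.
    apple = {"Airespace-Wlan-Id": "1",
             "Called-Station-Id": "00-11-22-33-44-55:BYODAPPLE"}
    android = {"Airespace-Wlan-Id": "2",
               "Called-Station-Id": "00-11-22-33-44-55:BYODOTHERS"}
    for name, req in (("apple", apple), ("android", android)):
        ps = select_policy_set(req)
        print(name, "->", ps.name, ps.allowed_protocols)
```

Keeping the allowed-protocol list per policy set is what makes the split work: an EAP-TLS attempt on the BYODAPPLE SSID is rejected by policy rather than by a missing certificate, and a request whose Called-Station-Id lacks the SSID suffix lands in the default set and is denied.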

Hi Francesco,

The Apple iOS devices support EAP-TLS, I am sure about it.

But if I decide to use EAP-TLS I must use certificates to authenticate the server and the endpoints.

I'd like to use private certificates signed by our internal CA, but Apple, starting from iOS 11, does not accept private certificates anymore.

So I am planning to use EAP-FAST for Apple devices, which uses PACs instead of certificates to authenticate the server and the endpoints. But yesterday I found an official Apple document saying that EAP-FAST also requires a certificate!?

See the link below please:

https://support.apple.com/it-it/guide/mdm/mdm5d180f86a/web

Anyway, thank you for the ISE policy advice, it is very helpful. So if I can define two different policies, each one with a different authentication method, is it possible to associate both policies to one SSID? Then if the endpoint is an Apple device the authentication method will be EAP-FAST, and if the endpoint is an Android device the authentication method will be EAP-TLS with private certificates?

Bye,

Igor.

Just wondering, why are you building a new setup with end-of-life hardware/software (WLC side)?
How about using WPA2-Enterprise with username/password?