07-22-2020 02:20 AM - edited 07-05-2021 12:18 PM
Hi all,
I am planning to create a BYOD wireless network,
using Cisco ISE 2.7 and Cisco WLC 5508 8.0.133.
At the beginning, I'd like to use EAP-TLS authentication for the endpoints.
But then I checked: Apple iPhones starting from iOS 11 do not accept private certificates anymore.
My company does not want to have recurring costs for PKI.
My idea is to create two different SSIDs, for example BYODAPPLE and BYODOTHERS, and use two different authentication methods:
BYODAPPLE
will use EAP-FAST
BYODOTHERS
will use EAP-TLS with a private signed CA
Is it possible? Are there any limitations on the ISE or WLC?
Bye,
Igor.
07-22-2020 08:36 PM
07-23-2020 12:20 AM
Hi Francesco,
Apple iOS devices support EAP-TLS, I am sure about it.
But if I decide to use EAP-TLS, I must use certificates to authenticate the server and the endpoints.
I'd like to use private certificates signed by our internal CA, but Apple, starting from iOS 11, does not accept private certificates anymore.
So I am planning to use EAP-FAST for Apple devices, which uses a PAC instead of certificates to authenticate the server and the endpoints. But yesterday I found an official Apple document saying that EAP-FAST also requires a certificate!?
See the link below, please:
https://support.apple.com/it-it/guide/mdm/mdm5d180f86a/web
Anyway, thank you for the ISE policy advice, it is very helpful. So if I can define two different policies, each with a different authentication method, is it possible to associate both policies to one SSID? Then if the endpoint is an Apple device the authentication method will be EAP-FAST, and if the endpoint is an Android device the authentication method will be EAP-TLS with private certificates?
Bye,
Igor.
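An added illustration, not part of the thread and not Cisco or Apple code: the question of whether one SSID can serve EAP-FAST to some clients and EAP-TLS to others is decided per session by the EAP method negotiation of RFC 3748, independent of the SSID. The server proposes a method from its allowed list; a supplicant that is not configured for that method answers with a Nak (EAP type 3) listing the types it is willing to use, and the server then proposes one of those or gives up with EAP-Failure. The simulation below uses the real EAP header layout and the IANA type numbers (EAP-TLS 13, PEAP 25, EAP-FAST 43); the `Supplicant` and `Server` classes, the identities and the method lists are constructed for the example. It models only method selection, not the TLS handshake or PAC provisioning that run inside the chosen method.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

# EAP codes and method types (RFC 3748 and the IANA EAP registry).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_TLS, TYPE_PEAP, TYPE_FAST = 13, 25, 43
TYPE_NAMES = {TYPE_TLS: "EAP-TLS", TYPE_PEAP: "PEAP", TYPE_FAST: "EAP-FAST"}


@dataclass
class Eap:
    """One EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    code: int
    ident: int
    type_: Optional[int] = None   # Success/Failure carry no Type field
    data: bytes = b""

    def pack(self) -> bytes:
        body = b"" if self.type_ is None else bytes([self.type_]) + self.data
        return struct.pack("!BBH", self.code, self.ident, 4 + len(body)) + body

    @staticmethod
    def unpack(raw: bytes) -> "Eap":
        if len(raw) < 4:
            raise ValueError("truncated EAP header")
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length != len(raw):
            raise ValueError("EAP Length does not match packet size")
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return Eap(code, ident)
        if length < 5:
            raise ValueError("Request/Response without Type")
        return Eap(code, ident, raw[4], raw[5:])


class Supplicant:
    """Endpoint side (constructed): accepts only methods it is configured for."""

    def __init__(self, identity: str, methods: list[int]):
        self.identity = identity
        self.methods = methods

    def respond(self, req: Eap) -> Eap:
        if req.type_ == TYPE_IDENTITY:
            return Eap(EAP_RESPONSE, req.ident, TYPE_IDENTITY, self.identity.encode())
        if req.type_ in self.methods:
            # Accept: a real supplicant would now start the method itself
            # (TLS ClientHello for EAP-TLS, PAC-based tunnel for EAP-FAST).
            return Eap(EAP_RESPONSE, req.ident, req.type_)
        # RFC 3748 section 5.3: Nak whose Type-Data lists the desired types.
        return Eap(EAP_RESPONSE, req.ident, TYPE_NAK, bytes(self.methods))


class Server:
    """Authentication server side (constructed) with an ordered allowed-method list."""

    def __init__(self, allowed: list[int]):
        self.allowed = allowed

    def _exchange(self, peer: Supplicant, req: Eap) -> Eap:
        # Serialize both directions so the wire format is actually exercised.
        return Eap.unpack(peer.respond(Eap.unpack(req.pack())).pack())

    def negotiate(self, peer: Supplicant) -> tuple[Optional[int], list[str]]:
        """Return (chosen EAP type or None, transcript) for one session."""
        log: list[str] = []
        candidates = list(self.allowed)
        ident = 1
        resp = self._exchange(peer, Eap(EAP_REQUEST, ident, TYPE_IDENTITY))
        log.append(f"identity: {resp.data.decode()}")
        while candidates:
            proposed = candidates.pop(0)
            ident = (ident + 1) % 256
            resp = self._exchange(peer, Eap(EAP_REQUEST, ident, proposed))
            if resp.type_ == proposed:
                log.append(f"peer accepted {TYPE_NAMES[proposed]}")
                return proposed, log
            if resp.type_ != TYPE_NAK:
                log.append("unexpected response, sending EAP-Failure")
                return None, log
            wanted = list(resp.data)
            log.append(f"peer Nak'd {TYPE_NAMES[proposed]}, wants "
                       f"{[TYPE_NAMES.get(t, t) for t in wanted]}")
            # Keep server preference order, restricted to what the peer offered.
            candidates = [t for t in candidates if t in wanted]
        log.append("no common method, sending EAP-Failure")
        return None, log


if __name__ == "__main__":
    # One "SSID": the same server configuration serves every client.
    server = Server([TYPE_FAST, TYPE_TLS])
    for client in (Supplicant("iphone", [TYPE_FAST]),
                   Supplicant("android", [TYPE_TLS]),
                   Supplicant("laptop", [TYPE_PEAP])):
        chosen, transcript = server.negotiate(client)
        print(client.identity, "->", TYPE_NAMES.get(chosen, "FAILURE"), transcript)
```

The server here proposes EAP-FAST first; a supplicant configured only for EAP-TLS answers with a Nak carrying `0x0d`, and the server re-proposes EAP-TLS. A supplicant that only offers PEAP gets EAP-Failure because PEAP is not in the allowed list. Whether the accepting supplicant then completes EAP-TLS still depends on it trusting the server certificate and holding a client certificate, and whether EAP-FAST completes depends on PAC provisioning; both happen inside the selected method and are outside this simulation.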
07-30-2020 02:33 AM