Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1592
Views
0
Helpful
2
Replies

Mobile device EAP-TLS onboarding ?

Go to solution
tedauction
Level 1
Level 1

‎12-12-2018 08:55 PM - edited ‎07-05-2021 09:35 AM

Hello, I want to automatically on-board a wide variety of different cellphones i.e. iOS, Android, Windows phones.

I want users to initially connect to an unsecure 'onboarding' SSID and have their cellphone auto provisioned with a secure SSID i.e. EAP-TLS using a client certificate auto generated and installed on their cellphone along with the public certificate of our in-house self-signed root CA.

However, I understand that Android devices at least, prevent self-signed certificates from being easily installed in to their certificate stores thus my plan would fail.

Is anyone out there currently auto deploying an EAP-TLS SSID to a wide variety of different cellphone models ?

Thanks for any info ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jurgens L
Level 3
Level 3

‎12-12-2018 09:07 PM

Did a deployment a year back for Andriod version 4, 5 & 6, provided you keep you ISE patches up to date to keep up with the newer devices when it comes to onboarding, it went well.

Send you a private message of videos I created of the process end to end.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎12-12-2018 09:05 PM

Hi

Yes on every single ise deployment, customers want byod features.
I use a public certificate (not wildcard) for portals and eap authentication (even if for eap, when radius presents its public cert, most devices aren't trusting it). I, then, set ISE as subca for corporate pki (to avoid scep issues with customers pki. For few, we use their own windows pki srv with scep) to deliver clients certificates.
It works well.
Few tip though:
- in the middle of the process, on IOS, you need to manually go into settings and toggle the button to trust the radius cert otherwise the process fails.
- on some android (not the common vendor phones), sometimes, you need to ask users to download CNA before the enrollment process because during the process they're not able to download the app (even if acls are correct).

I'm doing byod with Cisco wlc, meraki and some 3rd party vendors.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Jurgens L
Level 3
Level 3

‎12-12-2018 09:07 PM

Did a deployment a year back for Andriod version 4, 5 & 6, provided you keep you ISE patches up to date to keep up with the newer devices when it comes to onboarding, it went well.

Send you a private message of videos I created of the process end to end.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card