Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
313
Views
5
Helpful
2
Replies

Most secure way to identify wireless clients - certificates

roger perkin
Level 2
Level 2

‎03-11-2014 04:07 AM - edited ‎07-05-2021 12:23 AM

I am deploying a Wireless POC using a Cisco 3800 switch as the WLC and an AIR-CAP2602-I-E-K9 AP

I will be using a Windows 2012 Server running NPS as the Radius.

My question lies around certificates and I am looking at the most secure way to identify a laptop or not in the case of a non corporate device.

Do I deploy the same certificate to every device? Can I depoly a different certiicate so it could be revoked?

I am looking for some resources on this but currently not sure where to start.

Thanks

Roger

Labels:
0 Helpful
2 Replies 2

Scott Fella
Hall of Fame
Hall of Fame

‎03-11-2014 05:20 AM

Well the only or best way to secure non domain computers if you need them on your internal network is to use certificates, but you would have to generate a certificate for each machine.  This would be a long process....   Another way is to use an MDM for mobile devices or Cisco ISE that can push out certificates or configuration to a non domain machine for ease of authenticating using a certificate.  Not cheap solutions though.  Non-domain is a bit more difficult and you will not find an easy route of doing these.  There are many articles, but you will just have to give it a shot.

http://technet.microsoft.com/en-us/library/cc772401%28v=ws.10%29.aspx

 

-Scott
*** Please rate helpful posts ***

Florin Barhala
Level 6
Level 6

‎03-11-2014 06:32 AM

Hello Roger,

In a perfect world/scenario the each wireless device should do a certificate request to the CA.

CA administrator sees the request and based on the device identification, signs the certificate. Then the requester gets the certificate and based on that it can authenticate to your wireless infastructure.

 

In most production scenarios: how does the requester establish communication with CA so he can make the request/receive the signed request if he doesn't have access to wireless?

One workaround would be that first time the requester have access to a temporary GUEST network where he does the aforementioned process. Then with all things set, the wireless requester can successfully authenticate to your target Wireless network. 

 

To answer your questions:

 - each wireless device will use its own certificate;

 - if for some reason you decide not to allow one device, you just revoke its certificate.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card