Solved: BYOD Registration Only

Saius Exus · ‎09-25-2016

Hi all,

I am running an ISE 2.1 and playing around with BYOD right now. The solution for Android with the App download is IMHO pure garbage. Can't just allow full internet access and downloading an App is also not ideal.

So I am running it witout provisioning. Found the same configuration here: https://supportforums.cisco.com/blog/12705471/ise-byod-registration-only-without-native-supplicant-or-certificate-provis…

The problem now is that I can't check if our root CA is installed on the client.

Without using the certificate the connections are vulnerable of identity theft. Is there a way to get the root ca certrificate that signed the eap cert of ISE to the clients? Or is it possible to check from ise if the root certificate is installed on the clients and used for the server identity check? As of now I am out of ideas how to handle this nicely.

Regards

Saius

Craig Hyps · ‎09-25-2016

To allow changes to client, it is necessary to leverage some client software. Unlike Apple iOS, there is not OTA option with Android to facilitate such provisioning. Therefore, a helper made available on standard app store is used. Realize that by default, other app stores are untrusted and expecting client to override default security to allow download from untrusted store is not ideal option. Since the trusted store is used, end user could certainly download via off-prem or direct data connection and not over WLAN. To allow access over WLAN, it is possible to leverage DNS-based ACLs on WLC so not to require full Internet access. ACLs based on known IP addresses for the app store are also possible, but tend to be regional and more dynamic, so more difficult to maintain.

Yes, it is possible to on-board and register only, meaning that the MAC address will be registered to the owner and to a specific Identity Group based on the user's login privileges (for example, AD/LDAP group membership or attribute matches).

EAP-TLS authentication naturally checks that client has trusted CA cert during mutual authentication process. It is possible to post the cert from portal so that client could download, but some clients require that cert be imported specifically into profile where client cert is assigned. Some clients will prompt during auth process to trust the EAP cert from PSN and allow direct import. There is not direct check from ISE to verify the root/trust store on client. That begs the whole concept of trust to allow some untrusted entity to check my cert stores, no?

Another alternative to ISE supplicant and cert provisioning is to integrate with one of the many MDMs that offer this capability. Based on your assessment, I expect you have another vendor that you prefer to use and good chance could be integrated with ISE. If there is a flow you are aware of that does not entail the downloading of some Android app from Google Playstore, it is recommended to engage your local security SE/CSE to ensure the requirements are detailed to our product management team. We are always interested in opportunities to improve the flow and process.

Craig

View solution in original post

Craig Hyps · ‎09-25-2016

To allow changes to client, it is necessary to leverage some client software. Unlike Apple iOS, there is not OTA option with Android to facilitate such provisioning. Therefore, a helper made available on standard app store is used. Realize that by default, other app stores are untrusted and expecting client to override default security to allow download from untrusted store is not ideal option. Since the trusted store is used, end user could certainly download via off-prem or direct data connection and not over WLAN. To allow access over WLAN, it is possible to leverage DNS-based ACLs on WLC so not to require full Internet access. ACLs based on known IP addresses for the app store are also possible, but tend to be regional and more dynamic, so more difficult to maintain.

Yes, it is possible to on-board and register only, meaning that the MAC address will be registered to the owner and to a specific Identity Group based on the user's login privileges (for example, AD/LDAP group membership or attribute matches).

EAP-TLS authentication naturally checks that client has trusted CA cert during mutual authentication process. It is possible to post the cert from portal so that client could download, but some clients require that cert be imported specifically into profile where client cert is assigned. Some clients will prompt during auth process to trust the EAP cert from PSN and allow direct import. There is not direct check from ISE to verify the root/trust store on client. That begs the whole concept of trust to allow some untrusted entity to check my cert stores, no?

Another alternative to ISE supplicant and cert provisioning is to integrate with one of the many MDMs that offer this capability. Based on your assessment, I expect you have another vendor that you prefer to use and good chance could be integrated with ISE. If there is a flow you are aware of that does not entail the downloading of some Android app from Google Playstore, it is recommended to engage your local security SE/CSE to ensure the requirements are detailed to our product management team. We are always interested in opportunities to improve the flow and process.

Craig