
Ask the Experts: iPads on Your Network

Aug 12th, 2011

With Saurabh Bhasin

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about iPads on Your Network and how you can securely on-board employee-owned devices while protecting your network with Cisco expert Saurabh Bhasin. Saurabh has been involved with various wireless technologies over the years, since the first days of 802.11 becoming a standard and, more recently, with the evolution of the wireless industry to 802.11n. Saurabh has been with the Cisco Wireless Networking Business Unit for about five years, and in this role, he has worked closely with Cisco technology partners (enabling advanced services over wireless networks), leading key architectural features and training various members of the Cisco and partner community in person or through the numerous papers he has authored. Most recently, Saurabh has been leading the product strategy for Cisco's network management efforts. In his past, Saurabh has also authored numerous articles for reputable industry publications, and contributed to open source projects.

Remember to use the rating system to let Saurabh know if you have received an adequate response.

Saurabh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless, Other Mobility Subjects discussion forum shortly after the event. This event lasts through August 26, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Farrukh Haroon Wed, 08/17/2011 - 01:34

Hello Saurabh Bhasin


Welcome to the forum. So what do you recommend to contain these devices on a corporate network?

Can the network be secured from these devices?

Regards

Farrukh

sabhasin Wed, 08/17/2011 - 09:24

Hello Farukh,

The network can be secured from these devices. However, to your question about "what do you recommend to contain these devices on a corporate network" - that's entirely up to the corporate/organizational policy of what should be done with employee-owned assets. There are a lot of organizations that follow one of the three models below:

1. Allow them free access

2. Allow them limited access (let's say, to the internet, or parts of the intranet)

3. Deny them any access.

There are also some others who start at #3 above, and perform additional checks before moving devices into the #2 or #1 states above.

-Saurabh

mohsin-raza Wed, 08/17/2011 - 06:45

Hi Saurabh,

We have a few iPad users who want to connect through VPN. They are using the built-in IPsec VPN client, but when they try to log in with the credentials that we provide, they don't get connected, without any warning etc. On the ASA, the log shows "SA parameters do not match". It has been verified that the credentials being used are correct and they work on a normal computer.

Stephen Rodriguez Wed, 08/17/2011 - 10:44

Saurabh,

I've heard we can use ISE/WISE to help with the iPad issues. Can you speak to how this will help?

Cheers,

Steve

sabhasin Wed, 08/17/2011 - 14:37

Steve,

I am not sure what "WISE" is - that you reference, but yes, NCS and ISE provide a great way to provide visibility and control into iPads and other tablets on a network. I'd certainly suggest looking at the following:

ISE Fundamentals:

http://www.youtube.com/watch?v=qZoEgLp6N0Q

Also, I recently did a TechWise TV episode that showcases the NCS and ISE integration. There are 3 parts to this video, and here's a link:

http://www.youtube.com/watch?v=ce_grICxU-4&feature=related

Let me know if you need additional details!

-Saurabh

George Stefanick Wed, 08/17/2011 - 14:43

Sabhasin,

New to ISE here. Does every device require a certificate? Or are devices with no certificates deemed guests or rogues? Can you touch on that quickly?

sabhasin Thu, 08/18/2011 - 08:42

Hi George,

Certs are not required (they're not the only way to get devices on the network), but they're a common way of distinguishing employees from those who are not (guests/rogues).

Let me know if you have any follow-up questions.

-Saurabh

romainpage Thu, 08/18/2011 - 01:30

Hi Saurabh,

With the increase of iOS devices connected to wireless networks (iPhone / iPad / iPod), do you validate your new WLC versions with the current iOS version? In the same way, do you validate new iOS versions (for example the planned 5.0) with the current WLC versions?

The iPad 802.1X supplicant, for example, is really basic from the user's point of view; a small change in its code could prevent it from working with the Cisco wireless architecture, and even if it would be Apple's fault, it would end up as a "Cisco wireless issue"... so checking on this would prevent big issues for you, as people upgrade their devices all the time.

Even with that increase of iPads, I have not seen any Cisco configuration best practices paper for such devices. Are you planning to write one? When configuring an SSID, I was told to disable "Aironet extensions", which seems pretty obvious, but are there any other best practices that could be applied?

In the same way, which EAP authentication is recommended for such devices? Would all or only some work? Once again, are there any options to enable/disable at the ACS level to make them work better?

Thanks.
Romain

sabhasin Thu, 08/18/2011 - 09:44

Hi Romain,

We certainly do validate our controller releases with a variety of devices - including Apple's iOS-based devices. You can get more information about the program that validates our software/hardware with vendors' devices here - the program is called Assurewave.

http://www.cisco.com/en/US/netsol/ns779/networking_solutions_program_category_home.html

While we'd also like to test pre-released software - we do that on a case-by-case basis as that software is made available to us by our partners. Additionally, you might want to see the whitepaper referenced by Scott Simkin above as well (for best practices).

EAP types are more of a device-related question - however, the most commonly used and deployed EAP types are supported by the Cisco WLAN infrastructure.

Hope this helps,

Saurabh

sabhasin Mon, 08/22/2011 - 09:16

hi ewood2624:

ISE will support TACACS+ in an upcoming release. When compared to ACS, ISE does offer significant improvements/additions in functionality - specifically around the posture assessment and profiling capabilities. Take a look at this video (the power of Cisco ISE: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/vds_power_of_ise.html) for example. More information is also available at www.cisco.com/go/ise.

Saurabh

ewood2624 Fri, 08/19/2011 - 06:42

We have our iPads segregated on a DMZ VLAN with 802.1X and dynamic VLAN assignments through ACS 5.x. What are the comparisons between ACS and ISE, other than the NAC functionality of ISE? I'm leery of upgrading to ISE because it doesn't do TACACS. Any chance Cisco creates any mobile device management software?

jmprats Mon, 08/22/2011 - 00:27

Hi Saurabh,

I've configured iPad IPsec VPN with PSK against an ASA firewall. Do you know any good document for setting up IPsec VPN with certificates?

Thanks

eric-arup Mon, 08/22/2011 - 09:06

I'd really like to see this part of romainpage's question expanded on, Saurabh, if you could please.

romainpage wrote:

Even with that increase of iPads, I have not seen any Cisco configuration best practices paper for such devices. Are you planning to write one? When configuring an SSID, I was told to disable "Aironet extensions", which seems pretty obvious, but are there any other best practices that could be applied?

One of the reasons I ask is that I see some people throwing iPads on their wireless networks; usually an ACS is involved and they just grab the EAP cert on the ACS. But recently I have seen a fair number of people having the iPads run a VPN internally in addition to the EAP of the wireless network. It probably depends on the environment and the type of data involved, but it seemed like an odd configuration to me. It would be nice to know what the best practice is from Cisco on how these types of devices should be connected in an official context.

thanks

e-

sabhasin Mon, 08/22/2011 - 09:34

Hi Eric,

The Cisco technical marketing team is working on a detailed document along these lines and is expecting to publish that in a month approximately.

As you note, there are several ways for people to get mobile devices/tablets on the network, and VPN is deemed the most common way of doing so; it's an overlay, and it's isolated without having to change much on the infrastructure - it seems odd to me as well, though. However, with ISE and its profiling capabilities, you're able to build a better policy around understanding the nature of the devices being connected, and then take appropriate actions based on corporate policies.

We'll address similar deployment scenarios in an upcoming document as noted above.

Thanks,

Saurabh

eric-arup Mon, 08/22/2011 - 10:02

Marketing, eh? I was hoping for something a little more technical and a little less sales.

e-

sabhasin Mon, 08/22/2011 - 10:23

ha well, they're more technical, and less marketing! The deployment guides usually focus on detailed examples.

-S

Ronald Nutter Mon, 08/22/2011 - 09:45

I have been requested by management at my company to set up this type of access. We are currently doing what I will call profiling on all incoming Windows connections, so that we can look for a registry key and one other piece of info that lets us identify the machine as a corporate versus a personal machine.

I understand that this functionality is not currently in the AnyConnect mobile offering at this point. This makes me very concerned about opening up this type of access. Any idea as to whether this is on the roadmap and when it might be available?

Ron

tdoyle@webadt.com Tue, 08/23/2011 - 08:55

I have a few customers that have problems with iPads (original iPads) that can't stay connected to any one SSID for very long. They jump from SSID to SSID even though they've only been set up for one SSID per site. All of the environments are controller based with multiple SSIDs. It's especially bad (meaning dropping connections) if the SSIDs are set up for WPA2/PSK. I have better luck using a "Guest" SSID and forcing users to use Web Auth (but this is NOT the solution that the customers are looking for at this time). Any ideas / suggestions?

sabhasin Tue, 08/23/2011 - 09:51

tdoyle: we've not heard about this specific issue before. Perhaps these iPads are jailbroken, and that's resulting in such behavior? Our experts tell us they've not heard this as a common theme or as a known issue with the Wireless LAN Controllers. However, what would be interesting to know is whether you're using AP Groups, and to make sure you have WLANs and APs mapped correctly.

-Saurabh

sakhiewl Tue, 08/23/2011 - 09:57

Hi Saurabh,

I've a problem with using AirPrint on an iPad to print to an HP printer under a wireless infrastructure (WLC built into a 3750 switch with Software Version 7.0.98.0), where the iPad can only find the printer sometimes (most of the time it cannot see the printer). I've tried to turn on broadcast, multicast and the AP multicast group on the WLC to support the Bonjour service on the iPad, but AirPrint on the iPad still has the printing problem.

Could you please advise me how to configure WLC to fully support AirPrint service on iPad?

Thank you in advance and regards,

-Sakon

tdoyle@webadt.com Tue, 08/23/2011 - 10:00

Upgrade to 7.0.98.116 or later.

7.0.98 is buggy.

Tom Doyle
Solutions Architect
Single Path, LLC
905 Parkview Blvd, Lombard, IL 60148
Cell: 815-325-0177
IP Phone: 630-812-2353
FAX to Email: 630-303-5489
Email: tdoyle@singlepath.com

sabhasin Tue, 08/23/2011 - 10:15

Hi Sakon - I'd certainly suggest upgrading to the next release in the 7.0 train. That release does introduce some fixes over the 7.0.98.0 version. For AirPrint, multicast needs to be enabled on your network, and the printers and iPads need to be on the same subnet. Could you please verify that's the case?

Settings that would need to be checked:

  • Broadcast forwarding enabled
  • IGMP Snooping enabled
  • Multicast mode enabled (and configure the group address)
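The checklist above, as an added AireOS CLI example that is not from the thread or from Cisco's documentation; it assumes a 7.0-train WLC whose CLI accepts these command names, and 239.255.1.1 is an assumed placeholder for the AP multicast group address. Lines starting with # are commentary, not commands.

```text
# Added example (not from the original thread). Assumes an AireOS 7.0-train WLC CLI;
# 239.255.1.1 is a placeholder AP multicast group, pick one unused on your network.

# Global multicast must be on, or the controller drops the mDNS (224.0.0.251)
# packets that AirPrint/Bonjour discovery relies on.
config network multicast global enable

# Multicast-multicast mode: the controller forwards client multicast to the APs
# inside one group instead of replicating a unicast copy per AP.
config network multicast mode multicast 239.255.1.1

# Broadcast forwarding, as in the checklist above.
config network broadcast enable

# IGMP snooping limits forwarding to groups that wireless clients actually
# joined, so enabling multicast does not flood every WLAN with every group.
config network multicast igmp snooping enable

# Verify the three settings before testing AirPrint again.
show network summary
```

Because mDNS is link-local and is not routed, the printer and the iPad still have to sit on the same subnet/VLAN (or the same WLAN interface on the controller) for discovery to succeed, exactly as the answer above notes.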


sakhiewl Tue, 08/23/2011 - 20:11

Hi tdoyle and Saurabh,

Thank you for the answer. I will upgrade the WLC to the latest version and configure it as you suggest.

eoinwhite Wed, 08/24/2011 - 08:27

Hello Saurabh,

I have a customer who sees iPhone and Android devices popping up on the network. They are logging in via the corporate wireless network using PEAP MS-CHAPv2 with their AD credentials on the iPhone/Android.

Without going down the route of MAC address filtering or certs, how can I prevent unauthorized devices from accessing the network?

Is ISE able to profile these devices without installing client-side software such as AnyConnect?

Thanks in advance,

Eoin.

sabhasin Wed, 08/24/2011 - 11:02

Hello Eoin,

Yes - the ISE is able to profile iPhones and Androids without any extra software on the clients.

-Saurabh

eoinwhite Wed, 08/24/2011 - 11:06

Saurabh,

Thanks for the reply. I'd love to know how Cisco achieves this and how I can implement it using ISE. Can you point me to the right document where this is outlined?

Regards,

Eoin.

MARLIE JOSEPH Wed, 08/24/2011 - 14:24

In looking at the comments on your post, should we think that Cisco is moving away from using the ACS for access authorization control? Is ISE a replacement for ACS? If a company were to make an investment in new hardware, would you recommend the ACS 5.x or the ISE, for VPN, wireless and network access/authorization? Does this play well with Windows 2008/LDAP or Active Directory with multiple domains and trust relationships?

thanks

sabhasin Thu, 08/25/2011 - 09:21

m-joseph,

Cisco ISE is the next generation identity and access control solution. New investments should certainly consider ISE but please do note that the ISE will subsume the ACS target use-cases over time as we work towards a multi-phase transition of the products. I'd certainly suggest evaluating current ISE capabilities to ensure it meets the use-cases you look to address.

-Saurabh

MARLIE JOSEPH Thu, 08/25/2011 - 10:24

Thanks for your response. Did you give a talk on this for the discussion? I am looking for some more information.

sabhasin Thu, 08/25/2011 - 10:47

If you're looking for some videos and additional information on ISE, please visit www.cisco.com/go/ise

Saurabh

Posted August 12, 2011 at 3:19 PM