ISE and iPads

Unanswered Question
Feb 29th, 2012

I have been playing with ISE for a few weeks now. I want to get the thoughts of other more experienced ISE users.

I have concluded it is best to use EAP-TLS with certs to differentiate between corporate-owned iPads and BYOD iPads. Although ISE does a great job fingerprinting, a user can log onto his BYOD iPad, enter his AD account and get on the production network. A cert would certainly fix this problem.

But is there any other fail-proof way without a certificate? What are other folks doing to manage which iPad is which?

I've also concluded I am not able to posture an iPad. I was thinking, since we use Zenprise as our MDM platform, I could then use a service posture to see if it was running and, if so, determine from that that it was a corporate-owned iPad. However, under the posture services, I only see Windows OSs and no Apple love at all.

Any feedback is appreciated ..

p.s. I rate helpful posts! LOL

Thank you!

koeppend Mon, 03/05/2012 - 17:55

George

Unfortunately there is nothing within an iPad or iPhone which we can leverage as a unique identifier between a corporate SOE iPad and a BYO iPad.

E.g. with a workstation deployment we could set up posture assessment to look up a particular reg key in a Windows box, so this doesn't help us with Apple iOS.

With iDevices we can only match on the particular information we obtain through profiling and/or authentication, so we have to make authentication the differentiator.

Through all of my deployments, the only way I have found so far is for the client to have an MDM solution installed and also have an internal CA installed.

Client deploys company-issued iPads with internal certificates through their MDM solution.

I usually deploy two separate SSIDs, one for corporate users, one for BYO.

I anchor the BYO SSID to another WLC that is out on the DMZ, and the client then limits internal connectivity through the firewall.

The corporate SSID performs cert auth and the BYO SSID performs PEAP auth, if their BYO users are set up in AD or LDAP.

My ISE authorization rules are set up to match the different WLAN SSID identifier numbers and the authorization sources of AD or LDAP.

Cisco will be releasing new ways to profile devices, maybe we will be able to leverage something unique in the future.

Dale

Sent from Cisco Technical Support iPad App

koeppend Sun, 03/11/2012 - 16:08

When you say a 'client'

Are you referring to the NAC agent for posture assessment?

or

Are you referring to the 802.1X supplicant such as AnyConnect for desktops?

George Stefanick Sun, 03/11/2012 - 17:10

Yes, like a NAC agent ...

I am thinking this could look more into the device.

Thanks again

koeppend Sun, 03/11/2012 - 17:54

Well, I'm not 100% sure what's on the product path for ISE,

But I believe (and don't quote me) that the NAC agent will eventually be programmed into the AnyConnect client.

So that the AnyConnect client does both the 802.1X supplicant authentication and the posture assessment process.

Much like how AnyConnect does it with ASAs and the host assessment process, if you have ever used this feature.

When this happens I can see a time where the NAC agent will become null and void.

Seeing iPads and iPhones have an AnyConnect app out on the App Store, we may see a posture agent written into this app, but with the limited amount of exploits, trojans and viruses which target the Apple iDevices at this stage of the Apple smart device timeline, I wouldn't hold your breath anytime soon.

There is nothing we really want to check on an iPad or iPhone IMHO, no registry, no usable file structure (unless it's JB), no real antivirus products, so my question would be why would we want to posture check an iDevice at this stage.

Windows smart devices on the other hand may need checking, e.g. the Asus tablets run a full version of Win7. I say you would want to put these devices through posture assessment, so just use the existing NAC agent and treat them like any other laptop or PC.

Dale

marioderosa2008 Fri, 05/04/2012 - 03:52

Hi Dale,

A bit late to ask this question I know, but what kind of machine cert templates did you deploy to your iPads? Are they user certs or machine certs?

I am trying to understand the best way to deploy certs to our iPads for certificate authentication for wireless and VPN using the ISE.

That way, as you say, we can distinguish between a corporate iPad and a BYOD.

thanks

Mario

koeppend Thu, 03/15/2012 - 20:23

@Jack

Wow, really?

  • Did the device successfully authenticate via 802.1X? - ISE checks this by default, out of the box
  • Does the device contain a known MAC address? - ISE checks this by default, out of the box
  • Is there a "watermark" on the device? - just a fancy term for profiling, ISE does this out of the box
  • Is the device manageable via the domain or a host-based agent (e.g. an MDM agent)? - ISE integrates natively into the 'domain' and has its own host-based agent, again out of the box on ISE
  • Is the device running a specific process or application? - Posture assessment, works perfectly on ISE.
  • Is the device running the ForeScout Mobile app, or does it contain a ForeScout Mobile iOS policy? - Well, this is a Cisco support forum, so we would probably check if AnyConnect is installed

Thx for stopping by...

Dale

aman.diwakar Tue, 03/27/2012 - 13:01

Hahaha...I love it Dale.

I do wish we could posture assess an iPad or other mobile device. And checking to see if the AnyConnect client contained a profile would be nice too.

George Stefanick Tue, 03/27/2012 - 13:07

Yeah, the best we will see is when ISE is integrated with an MDM. ISE can then check the MDM and see what is going on.

aman.diwakar Tue, 03/27/2012 - 13:10

George, anyone,

Does ISE work with ASA in authenticating the user via RADIUS and then pushing a dACL to it? I'm 80% sure it does. Also, can we confirm that the AnyConnect client does not replace the NAC Agent? The AnyConnect client has its own posture module, and it doesn't work with ISE in any way, as far as I know. Just checking.

koeppend Tue, 03/27/2012 - 15:26

Aman

I was under the impression that to leverage the dACL feature, the NAD had to support the RADIUS feature CoA (change of authorization).

I was informed that the ASA does not yet support CoA.

I think you can perform simple authentication; it's just the authorization that's a little grey.

AnyConnect does not replace NAC agent... yet.

AnyConnect does have its own posture assessment built in, but only the ASA can leverage this with the host assessment feature. That is, it's not yet working with ISE and iPEPs for posture, but it does work as an 802.1X supplicant for wired and wireless connections.

Hope this helps

Dale

Sent from Cisco Technical Support iPad App

aman.diwakar Tue, 03/27/2012 - 15:40

ACS was able to push dACLs to ASA using AV pairs way back in the 4.x days, so this hasn't changed, though CoA is not yet supported. CoA is only used in posture scenarios to move between compliant and non-compliant. For just authorization after authentication, a dACL can be assigned.

Sent from Cisco Technical Support iPhone App

Tarik Admani Tue, 03/27/2012 - 17:36

Aman,

Here is more information on the host scan that runs on AC3 -

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1177378

As far as deploying ASA in an ISE environment, you can still achieve the same dACL configuration that you were running before. If you want to enable posture remediation on your VPN clients or profiling, then you will have to deploy an iPEP node, which acts as another firewall for all the VPN users before their traffic enters the network. From there the traffic policies are governed by the admin node.

thanks,

Alex LP Tue, 05/08/2012 - 19:00

You could also do two static profile groups by the MAC address. I don't think it would be easier than two SSIDs, but it is a way to do it with ISE.

Thanks,

Alex

Sent from Cisco Technical Support iPhone App
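Dale's two-SSID scheme (EAP-TLS from the internal CA on the corporate SSID, PEAP against AD/LDAP on the BYO SSID) and Alex's static MAC-address group can both be expressed as an ordered, first-match authorization policy. The Python below is an added model of that policy, not code from this thread or from Cisco ISE. The SSID names, rule and profile names, the CA distinguished name and the MAC addresses are constructed assumptions; the only real convention it relies on is that a WLC puts the SSID after the AP radio MAC in the RADIUS Called-Station-Id attribute.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed names for this example (not from the thread).
CORP_SSID = "CorpWiFi"
BYOD_SSID = "BYOD-Guest"
INTERNAL_CA = "CN=Corp Issuing CA"  # assumed issuer DN of the certs the MDM enrolls
# Constructed static endpoint group of corporate-owned iPads (Alex's approach).
CORP_IPAD_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Authorization profiles (assumed names) and what the WLC would receive.
PROFILES = {
    "Corp_Full_Access": {"Tunnel-Private-Group-ID": "10", "dACL": "PERMIT_ALL"},
    "BYOD_DMZ": {"Tunnel-Private-Group-ID": "200", "dACL": "BYOD_INTERNET_ONLY"},
    "DenyAccess": {"Access-Reject": True},
}


@dataclass
class Request:
    """The subset of RADIUS attributes the rules below look at."""
    mac: str                  # Calling-Station-Id (client MAC)
    called_station_id: str    # WLC format: "<AP radio MAC>:<SSID>"
    eap_method: str           # "EAP-TLS" or "PEAP"
    identity_store: str       # "AD", "LDAP" or "Internal"
    cert_issuer: Optional[str] = None   # issuer DN of the client cert, if EAP-TLS
    authenticated: bool = True          # did the authentication phase succeed


def ssid_of(called_station_id: str) -> Optional[str]:
    """Extract the SSID a WLC appends after the AP MAC (hyphen or colon separated)."""
    m = re.match(r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}:(.+)$", called_station_id, re.I)
    return m.group(1) if m else None


Rule = Tuple[str, Callable[[Request], bool], str]

# Ordered like an ISE authorization policy: first matching rule wins.
RULES: List[Rule] = [
    # Strongest evidence: cert issued by the internal CA on the corporate SSID.
    ("Corp_iPad_EAPTLS",
     lambda r: ssid_of(r.called_station_id) == CORP_SSID
     and r.eap_method == "EAP-TLS"
     and r.cert_issuer == INTERNAL_CA,
     "Corp_Full_Access"),
    # Weaker evidence: MAC in the static corporate group. A MAC can be
    # spoofed, so this sits below the cert rule and still requires a
    # successful authentication (checked in authorize()).
    ("Corp_iPad_StaticMAC",
     lambda r: ssid_of(r.called_station_id) == CORP_SSID
     and r.mac.lower() in CORP_IPAD_MACS,
     "Corp_Full_Access"),
    # BYO devices: PEAP with AD/LDAP credentials, only on the anchored BYO SSID.
    ("BYOD_PEAP",
     lambda r: ssid_of(r.called_station_id) == BYOD_SSID
     and r.eap_method == "PEAP"
     and r.identity_store in {"AD", "LDAP"},
     "BYOD_DMZ"),
]


def authorize(req: Request) -> Tuple[str, str]:
    """Return (matched rule name, authorization profile) for a request."""
    if not req.authenticated:
        return ("AuthFailed", "DenyAccess")
    for name, cond, profile in RULES:
        if cond(req):
            return (name, profile)
    # No rule matched: a BYOD iPad with valid AD creds on the corporate SSID
    # lands here, which is exactly the gap the original post describes.
    return ("Default", "DenyAccess")


if __name__ == "__main__":
    ap = "00-1a-2b-3c-4d-5e"  # constructed AP radio MAC
    samples = [
        Request("aa:bb:cc:dd:ee:01", f"{ap}:{CORP_SSID}", "EAP-TLS", "Internal", INTERNAL_CA),
        Request("aa:bb:cc:dd:ee:02", f"{ap}:{CORP_SSID}", "PEAP", "AD"),
        Request("aa:bb:cc:dd:ee:02", f"{ap}:{BYOD_SSID}", "PEAP", "AD"),
        Request("00:11:22:33:44:55", f"{ap}:{CORP_SSID}", "PEAP", "AD"),
        Request("aa:bb:cc:dd:ee:03", f"{ap}:{CORP_SSID}", "EAP-TLS", "Internal", "CN=Other CA"),
    ]
    for s in samples:
        rule, profile = authorize(s)
        print(f"{s.mac} on {ssid_of(s.called_station_id)} via {s.eap_method}: {rule} -> {PROFILES[profile]}")
```

The second sample is the case from the original question: AD credentials alone on the corporate SSID fall through to the default deny, because only a certificate from the internal CA (or, more weakly, a MAC in the static group) satisfies the corporate rules.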

johncaston_2 Wed, 11/07/2012 - 19:58

Hi George,

I've just been through the same issue: when the WebAuth page appears, it is closed when the certificate install comes up and the WLAN is disconnected.

What you need to do is enable captive bypass on the WLC.

From the CLI or SSH, type the following command:

    config network web-auth captive-bypass enable

and reboot.

Now you can connect to the provisioning SSID, and when you open up the web browser you will be redirected OK.

Good luck

Sent from Cisco Technical Support iPad App

Posted February 29, 2012 at 5:30 PM