Cisco Support Community
Community Member

Is PKI a must for BYoD?

Hi All,

All of the recommended designs (single SSID, dual SSID) for BYOD require a PKI infrastructure to provide certificates for employees' personal devices. I understand how this works.

But my question is, can't we have a BYOD solution without PKI? What if my current organization is not using PKI and wanted to have BYOD solution?

Why do all the BYOD design documents talk about EAP-TLS as the authentication method for BYOD devices? Can't we have any other (non-certificate-based) authentication for BYOD?

I would appreciate it if anyone could throw some light on this.

Thanks in advance.


Community Member

Is PKI a must for BYoD?

EAP-TLS is a strong authentication method requiring server and client-based X.509 certificates, which also need a PKI for certificate deployment. Another strong authentication method, EAP-FAST, does not require X.509 certificates for mutual authentication; instead, Protected Access Credential (PAC) files are used. PAC files can be provisioned either manually or automatically. In this document, the PAC files are automatically provisioned from the ISE server to the client if the client does not contain an existing PAC file. Anonymous PAC provisioning uses EAP-TLS with a Diffie-Hellman key agreement protocol to establish a secure TLS tunnel. In addition, MSCHAPv2 is used to authenticate the client and prevent early MITM attack detection. Authenticated in-band PAC provisioning uses TLS server-side authentication, requiring server certificates for establishing the secure tunnel. Unauthenticated PAC provisioning does not require server-side validation, and thus has some security risks, such as allowing rogue authentications to mount a dictionary attack. In this document the NAM configuration profile will be configured for unauthenticated PAC provisioning for testing purposes only.

How you would be

How would you be differentiating a corporate device and a non-corporate device? A machine cert, right? How would you be issuing client certs?

Cisco Employee

PKI is nice but not a must.

PKI is nice but not a must. As the previous two users mentioned, you can use other authentication methods. PEAP with MS-CHAPv2 would probably be the easiest one. Keep in mind though that EAP-TLS with digital certificates would be the most secure method. Thus, if you don't have a PKI environment then you can either wait for ISE v1.3 or look for a third party solution such as Symantec.


Thank you for rating helpful posts! 
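To make the trade-offs in the replies above concrete, here is an added example (not Cisco code, not an ISE or NAM configuration, and not posted by anyone in this thread) that encodes which EAP method each environment can actually deploy and audits a supplicant profile for the weak settings the thread mentions. The `Environment` fields, the `METHODS` table and the profile keys (`eap`, `pac_provisioning`, `validate_server_cert`, `client_cert`) are hypothetical names chosen for the example; it reads no real configuration.

```python
from dataclasses import dataclass

# Constructed model of the deployment options discussed in the thread.
# Field names and method descriptions are hypothetical; nothing here
# talks to ISE, a WLC or a supplicant.


@dataclass(frozen=True)
class Environment:
    client_pki: bool      # a PKI can issue X.509 certs to personal devices
    server_cert: bool     # ISE/RADIUS presents a cert clients can validate
    user_passwords: bool  # AD/LDAP passwords are usable for MS-CHAPv2


@dataclass(frozen=True)
class EapMethod:
    name: str
    needs_client_cert: bool
    needs_server_cert: bool
    needs_password: bool
    note: str


# Ordered strongest first, following the ranking given in the replies.
METHODS = (
    EapMethod("EAP-TLS", True, True, False,
              "mutual X.509 authentication; needs client PKI"),
    EapMethod("EAP-FAST (authenticated PAC provisioning)", False, True, True,
              "server cert protects PAC delivery; no client certificates"),
    EapMethod("EAP-FAST (unauthenticated PAC provisioning)", False, False, True,
              "no server-side validation; testing only"),
    EapMethod("PEAP-MSCHAPv2", False, True, True,
              "easiest without PKI; server cert must be validated"),
)


def feasible_methods(env: Environment) -> list[str]:
    """Return the names of methods this environment can deploy, strongest first."""
    out = []
    for m in METHODS:
        if m.needs_client_cert and not env.client_pki:
            continue  # no way to enrol personal devices with certificates
        if m.needs_server_cert and not env.server_cert:
            continue  # clients could not validate the RADIUS server
        if m.needs_password and not env.user_passwords:
            continue  # MS-CHAPv2 inner method has nothing to verify against
        out.append(m.name)
    return out


def audit_profile(profile: dict) -> list[str]:
    """Flag weak settings in a constructed supplicant-style profile dict.

    Keys are hypothetical: eap, pac_provisioning, validate_server_cert, client_cert.
    """
    findings = []
    method = profile.get("eap")
    if method == "EAP-FAST" and profile.get("pac_provisioning") == "unauthenticated":
        findings.append("EAP-FAST: unauthenticated PAC provisioning skips server-side "
                        "validation, so a rogue authenticator can attempt a dictionary attack")
    if method in ("PEAP", "EAP-FAST") and not profile.get("validate_server_cert", False):
        findings.append(f"{method}: server certificate is not validated, so the inner "
                        "MS-CHAPv2 exchange is not protected from a rogue server")
    if method == "EAP-TLS" and not profile.get("client_cert"):
        findings.append("EAP-TLS: no client certificate configured; authentication cannot succeed")
    return findings


if __name__ == "__main__":
    # The asker's situation: no PKI, but ISE has a server cert and AD passwords exist.
    no_pki = Environment(client_pki=False, server_cert=True, user_passwords=True)
    for name in feasible_methods(no_pki):
        print("can deploy:", name)
    # A NAM-style test profile like the one the second reply describes.
    test_profile = {"eap": "EAP-FAST", "pac_provisioning": "unauthenticated",
                    "validate_server_cert": False}
    for finding in audit_profile(test_profile):
        print("finding:", finding)
```

Running the module as a script prints the three methods available without a client PKI and two findings for the unauthenticated test profile; in a real deployment the audit would be driven by the exported supplicant profile rather than a hand-built dict.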
