Re: The BYOD / Vendor WLAN - Authentication/Management -

raun.williams · ‎12-11-2011

Well, obviously this is the ultimate question right now in wireless/security/network management right, how to handle the BYOD's. Currently, I don't have ISE or the Guest Server to play with and won't until 2013 when I (regrettably) kill acs off. Until, I've been trying to come up with ways to put a wlan up that requires some type of authentication, but with minimal effort in management on the corporate side since they are not our devices. In my scenerio, I decided that the easiest would be a Web Auth style authentication. However, as we have learned through Guest Wireless, many many devices auto connect to these WLAN's taking up IP's. So, as another level of control, though not great, it would be nice if we could filter on mac-addresses for devics connecting. I think I know the answer to this, but am hoping there is something I'm not aware of, can we do this? WebAuth + MAC Filter?

To give you an idea as to how ours will work, it will be based in the DMZ and have access to the net from the front door, but will be web filtered as our corporate devices are. DNS/DHCP will come from our corporate server and the only internal access that these devices will get will be through a Citrix Netscaler.

What types of authentication and management are YOU installing/creating for your BYOD/mobile network?

Thanks,

Raun

Scott Fella · ‎12-12-2011

That is a question many of my clients face. It has come down to changing a lot of their security policies. Half of my clients will not allow other devices on the network and the other half, only domain computers are allowed.

With domain computer only, the only way to achieve this is through 802.1x and machine authentication. Now all of a sudden, executives want all their devices on the wireless too. IPads, smartphones, tablets, etc. In this situation I see companies only making exceptions for these users... They would use a separate SSID WPA2/AES PSK and would manually configure each device if these users wanted their own device on the network. So now what happens when a user looses their device or leaves the company... Now you have to change your PSK.

What we have done in the past is to use 802.1x using AD credentials and allowing only one or two authentication per username. Now you can allow users access on a separate subnet and filter to your hearts desire:) another way is to use webauth and authenticate to radius using AD credentials. This way if a user leaves you remove them from the AD group you are matching in the policy. Now if a device is missing or lost, you force the user to change his or her AD password.

The issue with ISE that didn't help us in a way is that if you wanted to allow some ipads and not allow others, there is no way of differentiating between the two unless you did something like EAP-TLS.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

raun.williams · ‎12-12-2011

Thanks for the feedback Scott. Could you go into more detail about your ISE issues? I'm actually in the middle of downloading the demo to test with my situation. My situation is the webauth, or atleast what I'm considering. I did confirm this morning that I could indeed use mac-filter with webauth, I didn't think you used to be able to do this. Though mac filtering isn't a great security option, it's more to control who can connect instead of having a lot of random clients taking up ip's like my guest network. The PSK option is out for me. I have that on our corporate networks currently and hate it for the exact reason you mentioned, it's just not feesable for security management, especially when your talking hundreds(x6) of clients. In the process of gather my requirements for EAP-TLS to start moving that way, but that's a long road as well. My problem with other EAP methods, such as relying user/pass, for the corporate network is a weak password policy... If you can't get administration to go along with that, then your options are limited in my opinion. Back to the BYOD side, I would be interested ot hear more about your ISE experience. Though I have yet to play with it myself, can you tell me if the Wireless license is really intended for wireless network, or more service provider oriented feature set from a customer/integrator standpoint?

Thanks again,

Raun

Scott Fella · ‎12-12-2011

I have been just playing around with this in a lab environment. I wish I had more info, but I don't. I did have a client that wanted to use PEAP username and password and only wanted certain iPads on the network and didn't want some users bring in their iPads and connect using their username and password. We were not able to accomplish that with ISE.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎12-12-2011

Scott, what if you pushed a cert to the company ipad ? ISE could see the difference.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella · ‎12-12-2011

Yes it would, but I was told you would need to use that certificate for authentication or else how would ISE know about the cert. I did ask the question and my client did have certificates on their ipads, but i was told that there was no way for ISE to know about this certificate This is what I was told.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

SHANNON WYATT · ‎12-16-2011

What I've done for a few customers is used a single SSID and for the AD PCs I use EAP-TLS and place them on an inside network. For the Ipads we use PEAP and dynamically place them in another VLAN, usually in a DMZ.

Stephen Rodriguez · ‎12-16-2011

Raun,

yeah, this is a HUGE question today. While you can do a MAC filter with webauth, that is a lot of overhead to maintain that list, and if you are only using the WLC for the filter you have a limit of the number of devices you list.

So what you could do, is create a WPA2/AES WLAN with a PSK. Give the key to your receptionist/lobby ambassador. When a guest checks in, he/she can give them the key. Then once or twice a month, you change the PSK and update the LA with the new key.

You get a manageable security feature, by rotating the key you keep some people out, and you gain a bit of control as they need to talk to the LA to get the PSK in the first place.

You could even double this up with web-auth, and create the lobby admin account for the LA to add a username/pass for that extra bit of security.

The nice thing here, is as you are using ACS, you can use the webauth to keep your internal users from getting on the guest access by configuring NAR.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

SHANNON WYATT · ‎12-16-2011

Don't mess with MAC filtering. Mac-filtering is not secure and gives the impression of security. Things that give you a warm feeling all over but don't do anything for security are a waste of time. As Steve said you can use WPA and web-auth, but if you are going to use web-auth you may as well have them connect to the secure network but place them in the DMZ or where ever you terminate the guest SSID. While this seems more complicated for the end user it is actually easier. They provision their device once for your network and as long as the password doesn't change they do not have to actively authenticate again. If they are short term guest web auth is probably a better way to go.