INTRODUCTION

Organizations often want their employees to use their personal devices for work, as this improves productivity and flexibility. However, it comes at a security cost. It is important for network admins to be able to control which personal devices can connect to the network and which cannot, and, for the devices that are allowed to connect, to secure them without engaging with them directly and without increasing IT overhead.

CONCEPT

We will look at BYOD (Bring Your Own Device) registration, certificate enrollment, onboarding and management, without IT involvement.

Employees will connect their personal devices to a secure SSID called “COG_INT” using their AD credentials. Once connected to the SSID they will be redirected to a provisioning portal, where they will be asked to install a client certificate from ISE, which acts as the CA server. After their personal devices are provisioned they will re-authenticate automatically using EAP-TLS, triggered through CoA (Change of Authorization). Since the device now has a certificate installed and has full access, a lost or stolen device is a potential exposure, so employees will have access to a special portal, known as the MyDevices portal, where they can manage their devices and mark a device as lost or stolen. All of this is done without any involvement from IT. In this example we will be using a Meraki wireless network.

CONFIGURATION

Configure the SSID and RADIUS parameters on the Meraki dashboard.

[Figure: Byod with ISE-1]

Add ISE as a RADIUS server on Meraki.

[Figure: Byod with ISE-2]

Configure a group policy on the Meraki dashboard. In this case we are allowing full access to personal devices, but of course this can be customized as per requirements.

[Figure: Byod with ISE-3]

Configure the Meraki APs as Network Access Devices on ISE.

[Figure: Byod with ISE-4]

[Figure: Byod with ISE-5]

Configure the SNMP parameters. The SNMP probe, along with the other probes, will be used for profiling client devices, and the profiling result can be leveraged in a policy.

[Figure: Byod with ISE-6]

[Figure: Byod with ISE-7]

[Figure: Byod with ISE-8]

Enable policy sets on ISE. Policy sets add an additional layer of policy segregation and make policy management easier.

[Figure: Byod with ISE-9]

Integrate AD with ISE and import the user groups. In this case we are particularly concerned with the group “enroll”, as users in this group will be able to register their personal devices; this group consists mainly of IT and senior management.

[Figure: Byod with ISE-10]

[Figure: Byod with ISE-11]

Create an authorization profile on ISE. Note that the authorization profile name “PermitAccess” on ISE and the group policy name on Meraki are the same.

[Figure: Byod with ISE-12]

Create a redirect ACL on ISE so that the user is redirected to the BYOD portal. This ACL has no relevance in Meraki, as Meraki automatically redirects all HTTP and HTTPS traffic. But if this were a Cisco controller-based wireless network, an ACL with this exact name would have to be present on the controller, and all traffic denied by that ACL would be redirected.

[Figure: Byod with ISE-13]

The BYOD portal can be highly customized; for this example we have used the default built-in portal.

[Figure: Byod with ISE-14]

Configure the ISE policy for BYOD. In this case, once a user has gone through the provisioning process, their device's MAC address is populated in the “RegisteredDevices” identity store, and if the user marks their device as lost or stolen, its MAC address is populated in the “Blacklist” identity store (we will see this in action during testing). The ISE policy configuration is shown below.

[Figure: Byod with ISE-15]

Configure ISE to act as a CA server.

[Figure: Byod with ISE-19]

[Figure: Byod with ISE-20]

[Figure: Byod with ISE-21]

[Figure: Byod with ISE-22]

Configure the client provisioning policy so that provisioned devices use EAP-TLS with the Internal CA certificate template built on ISE.

[Figure: Byod with ISE-16]

The client provisioning policy for iOS devices is shown below; similar policies can be created for other device types as well.

[Figure: Byod with ISE-18]

TESTING

At this point we are ready to test with one of the test credentials. The user connects their personal device to the SSID and logs in with their AD credentials.

[Figure: Byod with ISE-23]

The user is redirected to the BYOD portal and is asked to enter their credentials again and accept the terms and conditions.

[Figure: Byod with ISE-24]

After accepting the terms and conditions, the user goes through the certificate and supplicant provisioning process.

[Figure: Byod with ISE-25]

[Figure: Byod with ISE-26]

Once provisioning is complete, the user is redirected to the web.

[Figure: Byod with ISE-27]

In the ISE logs we can see the user being redirected first and then connecting again with full access from their personal device.

[Figure: Byod with ISE-28]

In the background, the device's MAC address is populated in the RegisteredDevices identity store.

[Figure: Byod with ISE-29]

We can also see that the user has been issued a certificate from ISE.

[Figure: Byod with ISE-30]

The user can now log in to the MyDevices portal and manage their devices.

[Figure: Byod with ISE-31]


Let's say the user has lost their device. They go to the MyDevices portal and mark the device as lost; in that case the device is placed in the Blacklist identity group, and as per our policy a device in Blacklist has no access. Note that if the device is marked as lost, the certificate is not revoked.

[Figure: Byod with ISE-32]

[Figure: Byod with ISE-33]


Once the device is found and reinstated, it is removed from the “Blacklist” group and added back to the “RegisteredDevices” group.

[Figure: Byod with ISE-34]

[Figure: Byod with ISE-35]

[Figure: Byod with ISE-36]


If the device is marked as stolen, it is placed in the “Blacklist” identity group and its certificate is revoked automatically. At this point the device cannot be reinstated and has to go through the provisioning process again.

[Figure: Byod with ISE-37]

[Figure: Byod with ISE-38]

[Figure: Byod with ISE-39]
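The whole lifecycle described in this post (AD-credential login, redirect to the BYOD portal, EAP-TLS after provisioning, then lost, reinstated and stolen) can be captured in a small policy simulation. The Python below is an added example written for this article; it is not ISE or Meraki code. The identity-store names RegisteredDevices and Blacklist, the AD group “enroll” and the authorization profile “PermitAccess” come from the post; the class and function names, the MAC address and the certificate serial numbers are constructed for illustration.

```python
"""Constructed simulation of the ISE BYOD policy and MyDevices actions.

Not ISE code: it models the identity stores, the internal CA's revocation
list and the policy-set decisions exactly as the post describes them.
"""
from dataclasses import dataclass, field
from enum import Enum


class Auth(Enum):
    """How the supplicant authenticated on this connection attempt."""
    PEAP_AD = "AD username/password"   # first connection to the COG_INT SSID
    EAP_TLS = "client certificate"     # after provisioning, triggered via CoA


class Result(Enum):
    DENY = "DenyAccess"
    REDIRECT = "Redirect to BYOD portal"   # redirect ACL / provisioning portal
    PERMIT = "PermitAccess"                # same name as the Meraki group policy


@dataclass
class IseSim:
    """Stand-in for the ISE identity stores and internal CA (constructed)."""
    registered: set = field(default_factory=set)   # 'RegisteredDevices' store (MACs)
    blacklist: set = field(default_factory=set)    # 'Blacklist' store (MACs)
    issued: dict = field(default_factory=dict)     # MAC -> serial of its client cert
    revoked: set = field(default_factory=set)      # serials revoked by the internal CA
    _next_serial: int = 1

    # --- policy evaluation, in the order the post's policy set applies it ---
    def authorize(self, mac, auth, ad_groups=(), cert_serial=None):
        if mac in self.blacklist:                  # lost or stolen: no access at all
            return Result.DENY
        if auth is Auth.EAP_TLS:
            valid_cert = (cert_serial is not None
                          and self.issued.get(mac) == cert_serial
                          and cert_serial not in self.revoked)
            return Result.PERMIT if (mac in self.registered and valid_cert) else Result.DENY
        if "enroll" in ad_groups:                  # only the 'enroll' AD group may onboard
            return Result.REDIRECT
        return Result.DENY

    # --- BYOD provisioning portal: issue a cert and register the MAC ---
    def provision(self, mac):
        serial = self._next_serial
        self._next_serial += 1
        self.issued[mac] = serial
        self.blacklist.discard(mac)                # a re-provisioned stolen device starts clean
        self.registered.add(mac)
        return serial

    # --- MyDevices portal actions ---
    def mark_lost(self, mac):
        self.registered.discard(mac)
        self.blacklist.add(mac)                    # certificate is NOT revoked

    def reinstate(self, mac):
        if self.issued.get(mac) in self.revoked:
            raise ValueError("stolen device: certificate revoked, re-provision instead")
        self.blacklist.discard(mac)
        self.registered.add(mac)

    def mark_stolen(self, mac):
        self.registered.discard(mac)
        self.blacklist.add(mac)
        self.revoked.add(self.issued[mac])         # internal CA revokes the client cert


def walkthrough():
    """Replays the testing section; returns the authorization trace and final state."""
    ise = IseSim()
    mac = "aa:bb:cc:dd:ee:01"                      # constructed MAC address
    trace = [ise.authorize(mac, Auth.PEAP_AD, ad_groups={"enroll"})]   # -> REDIRECT
    serial = ise.provision(mac)
    trace.append(ise.authorize(mac, Auth.EAP_TLS, cert_serial=serial))  # -> PERMIT (post-CoA)
    ise.mark_lost(mac)
    trace.append(ise.authorize(mac, Auth.EAP_TLS, cert_serial=serial))  # -> DENY
    ise.reinstate(mac)
    trace.append(ise.authorize(mac, Auth.EAP_TLS, cert_serial=serial))  # -> PERMIT, same cert
    ise.mark_stolen(mac)
    trace.append(ise.authorize(mac, Auth.EAP_TLS, cert_serial=serial))  # -> DENY, cert revoked
    return trace, ise


if __name__ == "__main__":
    for step in walkthrough()[0]:
        print(step.value)
```

The simulation makes the lost/stolen distinction explicit: a lost device is blocked only by its MAC address sitting in Blacklist while its certificate stays valid, which is what allows the same certificate to work again after the device is reinstated; a stolen device is additionally revoked at the CA, so the only way back is a fresh run through the provisioning portal with a new certificate.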

I hope you enjoyed reading it as much as I enjoyed writing it.