Organizations often want their employees to use their personal devices for work; this improves productivity and flexibility. However, it comes at a security cost. It is important for network admins to be able to control which personal devices can connect to the network and which cannot, and, for the devices that can connect, to secure them without engaging with them directly and without increasing IT overhead.
We will look at BYOD (Bring Your Own Device) registration, certificate enrollment, onboarding and management, without IT involvement.
Employees will connect their personal devices to a secure SSID called “COG_INT” using their AD credentials. Once connected to the SSID they will be redirected to a provisioning portal, where they will be asked to install a client certificate from ISE acting as a CA server. After their personal devices are provisioned they will automatically re-authenticate using EAP-TLS through CoA (Change of Authorization). Since the device now has a certificate installed and has full access, a lost or stolen device is a potential vulnerability, so employees will have access to a special portal, known as the mydevices portal, where they can manage their devices and mark a device as lost or stolen. All this will be done without any involvement from IT. In this example we will be using a Meraki wireless network.
Configure the SSID and RADIUS parameters on the Meraki dashboard.
Add ISE as a RADIUS server on Meraki.
Configure a group policy on the Meraki dashboard. In this case we are allowing full access to personal devices, but of course this can be customized as per requirements.
Configure the Meraki APs as Network Access Devices on ISE.
Configure SNMP parameters; the SNMP probe, along with the other probes, will be used for profiling client devices and can be leveraged in a policy.
Enable policy sets on ISE; policy sets add an additional layer of policy segregation and make policy management easier.
Integrate AD with ISE and import user groups. In this case we are particularly concerned with the group “enroll”, as users in this group will be able to register their personal devices; this group consists mainly of IT and senior management.
Create an authorization profile on ISE; note that the authorization profile “PermitAccess” on ISE and the group policy name on Meraki are the same.
Create a redirect ACL on ISE for the user to be redirected to the BYOD portal. This ACL has no relevance on Meraki, as Meraki will automatically redirect all HTTP and HTTPS traffic. But if it were a Cisco controller-based wireless network, then this exact ACL name would have to be present on the controller, and all traffic denied by this ACL would be redirected.
The BYOD portal can be highly customized; for this example we have used the default built-in portal.
Configure the ISE policy for BYOD. In this case, once a user has gone through the provisioning process, their MAC address will be populated in the “RegisteredDevices” identity store, and if the user marks their device as lost or stolen, its MAC address will be populated in the “Blacklist” identity store (we will see this in action during testing). The ISE policy configuration is shown below.
Configure ISE to act as a CA server.
Configure the client provisioning policy so that devices are provisioned to use EAP-TLS with the internal CA certificate template built on ISE.
Below, the client provisioning policy is shown for iOS devices, but a similar policy can be created for other device types as well.
At this point we are ready to test with one of the test credentials. The user logs in on their personal device with their AD credentials and connects to the SSID.
The user gets redirected to the BYOD portal and is asked to enter the credentials again and accept the terms and conditions.
After accepting the terms and conditions, the user goes through the certificate and supplicant provisioning process.
Once provisioning is complete, the user gets redirected to the web.
In ISE we can see logs of the user getting redirected first and then connecting again with full access on their personal device.
In the background, the user's MAC address is populated in the RegisteredDevices identity store.
We can also see that the user has been assigned a certificate from ISE.
The user can now log in to the mydevices portal and manage their devices.
Let's say the user lost their device. They go to the mydevices portal and mark the device as lost; in that case the device is placed in the Blacklist identity group, and as per our policy a device in Blacklist has no access. Note that if the device is marked as lost, the certificate is not revoked.
Once the device is found and reinstated, it is removed from the “Blacklist” group and added back to the “RegisteredDevices” group.
If the device is marked as stolen, it is placed in the “Blacklist” identity group and the device certificate is revoked automatically. At this point the device cannot be reinstated and has to go through the provisioning process again.
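To make the policy behaviour above concrete, here is an added example (my own model, not ISE or Meraki code) of the authorization decision and the lost/stolen lifecycle described in this post. The redirect profile name "BYOD_Redirect", the method name "PEAP-MSCHAPv2" for the initial AD-credential login, and all MAC address and certificate serial values are assumptions.

```python
# Added example (not ISE code): model of the BYOD authorization logic and the
# mydevices-portal lifecycle described above; profile/MAC/serial values are assumed.
from dataclasses import dataclass
from typing import Optional

REDIRECT, PERMIT, DENY = "BYOD_Redirect", "PermitAccess", "DenyAccess"

@dataclass
class Endpoint:
    mac: str
    group: str = "Unknown"          # "RegisteredDevices" or "Blacklist"
    cert_serial: Optional[str] = None
    stolen: bool = False

class ByodStore:
    """ISE identity stores plus the internal CA's revocation list."""
    def __init__(self):
        self.endpoints = {}
        self.revoked = set()

    def provision(self, mac, serial):
        # Portal flow completed: a certificate is issued and the MAC registered.
        self.endpoints[mac] = Endpoint(mac, "RegisteredDevices", serial)

    def mark_lost(self, mac):
        self.endpoints[mac].group = "Blacklist"   # certificate is NOT revoked

    def reinstate(self, mac):
        ep = self.endpoints[mac]
        if ep.stolen:
            raise ValueError("a stolen device must be re-provisioned")
        ep.group = "RegisteredDevices"

    def mark_stolen(self, mac):
        ep = self.endpoints[mac]
        ep.group, ep.stolen = "Blacklist", True
        self.revoked.add(ep.cert_serial)          # certificate revoked automatically

def authorize(store, mac, method, ad_groups, cert_serial=None):
    """Authorization profile ISE would return to Meraki for this session."""
    ep = store.endpoints.get(mac)
    if ep and ep.group == "Blacklist":
        return DENY                               # lost or stolen: no access
    if method == "EAP-TLS":
        valid = ep and ep.group == "RegisteredDevices" and cert_serial == ep.cert_serial
        return PERMIT if valid and cert_serial not in store.revoked else DENY
    if method == "PEAP-MSCHAPv2" and "enroll" in ad_groups:
        return REDIRECT                           # send to the BYOD portal
    return DENY
```

Walking a constructed device through provision, lost, reinstate and stolen with `authorize` at each step reproduces the access outcomes seen in the ISE logs above.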
I hope you enjoyed reading it as much as I enjoyed writing it.