ISE - What happens when the on-boarded certificate expires?

I'm trying to design a good BYOD deployment model but have a few questions that need direct answers.  I have down how to go about on-boarding and getting a certificate on a device, the ISE provides great flow for this to happen in many ways.  My questions come from a design perspective before and after the BYOD deployment is completed.
1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.
     (I don't want to install a certificate on just any device, or perhaps I do, but I need to give permissions to all resources if it's a Corporate Device and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
     a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)
     b. Build a Group for provisioning admins; if the user PEAP-MSCHAPv2 account is from this group, install a certificate. (The issue here is that the end user loses administration of the device in the My Devices portal, as the device is now registered to the provisioning admin.)
     c. Pre-populate MAC into ISE as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)
     d. Certs on any iOS or Android device, provide access based on user group and do not worry if the device is a Company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)
     e. Other options I have not thought about, would love input from the crowd
2. What happens to the device once the Certificate expires?
     (I don't know the answer to this; my thought would be the user or device will fail during the authentication policy, and this creates a mess)
     a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
     b. Use MDM for Cert management (may not have one)
     c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)
Would appreciate some feedback and would like to know if anyone has run into these issues.

Neno,
Sorry, but I don't have any other info on using a public CA; Cisco says to use internal CAs for PKI.  I think the best practice once 1.2 comes out will be to use one interface for Web Management and a different interface for RADIUS, profiling, posture, and on-boarding.  This way you can use your private CA for EAP and a public CA for web traffic.  Have you tried a public CA bound to management and a private CA for EAP yet?
I did do a session on EAP-TEAP; they explained how it will work and also discussed EAP-FASTv2.  EAP-FASTv2 is available now, but you must use AnyConnect as your supplicant.  Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned, as it will be the new gold standard for EAP.  It will support TLS, MD5, and CHAPv2.  If you are interested, I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work.  This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.
I currently do machine and user auth; I just don't require them.  If machine auth, then allow the machine on vlan-x with access to AD, DNS, and blah blah.  Then a separate rule says user auth gets more access, although I require EAP-TLS for both, and if you think about it you are accomplishing the same thing if your PKI is set up correctly.  Make it so users and machines can only auto-enroll; that way you know the only way they got their cert was from GPO policy.  I won't go into any more detail, but there is lots you can do.
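As an added illustration of the two design points in this thread (is the device's cert really from the corporate auto-enrollment CA, and what to do before it expires rather than after), here is a Go sketch that is not code from the original posts or from Cisco ISE. It assumes a single corporate issuing CA with no intermediates, a 30-day renewal window, and constructs its own throwaway CA and device certificates; the device names and serials are made up.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Classify judges a device cert the way an EAP-TLS authorization rule could: issued by the corporate
// CA (so it came from auto-enrollment) or not, whole days left before notAfter (negative once expired),
// and an action: "ok", "renew-soon" (inside renewWindow, e.g. 30 days), "expired" or "untrusted".
func Classify(dev, corpCA *x509.Certificate, now time.Time, renewWindow time.Duration) (corporate bool, daysLeft int, action string) {
	daysLeft = int(dev.NotAfter.Sub(now).Hours() / 24)
	// CheckSignatureFrom ignores validity dates, so an expired corporate cert is reported as "expired"
	// (renew it) rather than as an unknown issuer. Assumes one issuing CA; with intermediates use Verify.
	corporate = dev.CheckSignatureFrom(corpCA) == nil
	switch {
	case !corporate:
		action = "untrusted"
	case now.After(dev.NotAfter):
		action = "expired"
	case dev.NotAfter.Sub(now) <= renewWindow:
		action = "renew-soon"
	default:
		action = "ok"
	}
	return
}
// BuildScenario constructs (not from any real deployment) a corporate CA, three device certs it issued
// with 200, 10 and -5 days left relative to now, and one self-signed cert standing in for a BYOD device.
func BuildScenario(now time.Time) (*x509.Certificate, map[string]*x509.Certificate) {
	issue := func(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if parent == nil { // self-signed: the subject key is also the signing key
			parent, signer = tmpl, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		c, _ := x509.ParseCertificate(der) // errors ignored: scaffolding for the example only
		return c, key
	}
	leaf := func(serial int64, cn string, daysLeft int) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(0, 0, daysLeft), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	corpCA, corpKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Corp Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.AddDate(-2, 0, 0), NotAfter: now.AddDate(10, 0, 0)}, nil, nil)
	devs := map[string]*x509.Certificate{}
	devs["laptop-ok"], _ = issue(leaf(10, "laptop-01", 200), corpCA, corpKey)
	devs["laptop-soon"], _ = issue(leaf(11, "laptop-02", 10), corpCA, corpKey)
	devs["laptop-expired"], _ = issue(leaf(12, "laptop-03", -5), corpCA, corpKey)
	devs["byod-phone"], _ = issue(leaf(13, "phone-04", 200), nil, nil)
	return corpCA, devs
}
```

Run Classify over the certs ISE has on file (or over a RADIUS accounting export) on a schedule and the "renew-soon" bucket becomes the list to push SCEP renewal to before anyone fails authentication.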
