Phase 2: EAP-TEAP for BYOD
Scope
- Personal devices connecting to the corporate network
- Contractor devices
- Devices that cannot be domain-joined
Why EAP-TEAP for BYOD?
- Supports certificate enrollment later
- Password fallback during the transition
- Machine + user auth in a single session
- Stronger than MSCHAPv2 on its own, since the inner exchange is protected by the TEAP TLS tunnel
Implementation
ISE Configuration
- Enable EAP-TEAP in Allowed Protocols
- Configure inner methods:
  - Primary: EAP-TLS (for devices with certs)
  - Secondary: EAP-MSCHAPv2 (fallback)
- Create authorization policies with tiered access
Policy Configuration

Authentication Policy
Rule: BYOD-TEAP
  Condition:
    Wireless:SSID EQUALS "BYOD"
    AND Network Access:EapTunnel EQUALS TEAP
  Identity: AD + Internal Users

Authorization Policies
Rule: BYOD-Cert-Full
  Condition: Network Access:EapAuthentication EQUALS EAP-TLS
  Result: BYOD_Full_Access

Rule: BYOD-Password-Limited
  Condition: Network Access:EapAuthentication EQUALS EAP-MSCHAPv2
  Result: BYOD_Limited_Access
    - VLAN: Remediation
    - ACL: Permit internet, block internal
    - Redirect: Certificate enrollment portal
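The tiered logic above, modelled as an added Python example (not ISE code or anything from this plan): the authentication rule gates on SSID and tunnel type, the two authorization rules are applied in order, and a small report counts endpoints by outcome so devices still on the password fallback can be tracked during the transition. The Session field names, the deny-by-default fallthrough for unknown inner methods, and the sample sessions are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Attributes ISE evaluates for one authentication (field names assumed)."""
    mac: str
    ssid: str
    eap_tunnel: str   # e.g. "TEAP"
    eap_auth: str     # inner method, e.g. "EAP-TLS" or "EAP-MSCHAPv2"


# Result attributes of the limited profile, as listed in the plan
LIMITED_ATTRS = {
    "vlan": "Remediation",
    "acl": "permit internet, block internal",
    "redirect": "certificate enrollment portal",
}


def matches_byod_teap(s: Session) -> bool:
    """Authentication rule BYOD-TEAP: SSID 'BYOD' AND tunnel TEAP."""
    return s.ssid == "BYOD" and s.eap_tunnel == "TEAP"


def authorize(s: Session) -> tuple:
    """Apply the two authorization rules in order; anything else is denied
    (the deny-by-default fallthrough is an assumption, not in the plan)."""
    if not matches_byod_teap(s):
        return ("NO_MATCH", {})
    if s.eap_auth == "EAP-TLS":          # BYOD-Cert-Full
        return ("BYOD_Full_Access", {})
    if s.eap_auth == "EAP-MSCHAPv2":     # BYOD-Password-Limited
        return ("BYOD_Limited_Access", dict(LIMITED_ATTRS))
    return ("DENY", {})


def transition_report(sessions: list) -> Counter:
    """Count endpoints by outcome using each MAC's most recent session,
    so devices still on password fallback can be chased for enrollment."""
    latest = {s.mac: s for s in sessions}   # later entries overwrite earlier
    return Counter(authorize(s)[0] for s in latest.values())


# Constructed sample sessions (not real ISE data), oldest first
SAMPLE = [
    Session("aa:bb:cc:00:00:01", "BYOD", "TEAP", "EAP-MSCHAPv2"),
    Session("aa:bb:cc:00:00:02", "BYOD", "TEAP", "EAP-TLS"),
    Session("aa:bb:cc:00:00:01", "BYOD", "TEAP", "EAP-TLS"),       # enrolled later
    Session("aa:bb:cc:00:00:03", "BYOD", "TEAP", "EAP-MSCHAPv2"),
    Session("aa:bb:cc:00:00:04", "CORP", "TEAP", "EAP-TLS"),       # wrong SSID
    Session("aa:bb:cc:00:00:05", "BYOD", "PEAP", "EAP-MSCHAPv2"),  # not TEAP
]
```

With the sample data, transition_report(SAMPLE) gives 2 endpoints on full access, 1 still limited, and 2 that never match the BYOD-TEAP rule.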
User Communication
Email Template
Subject: Network Access Changes - Action Required
Dear [User],
Starting [date], personal devices connecting to the corporate network
will require a security certificate for full access.
To continue with full access:
1. Connect to the BYOD network
2. Complete the certificate enrollment portal
3. Reconnect using the certificate
Devices without certificates will have limited access.
Questions? Contact the help desk.