Wednesday, April 1, 2015

ISE and iPads

I do a lot of customer site installs these days.  There are varying levels of infrastructure at all of them, so here is a solution I ran into recently.

Needs:
ISE authentication for Wired Domain Joined PC
ISE authentication for Wired Non-Domain Joined (printers)
ISE authentication for Wireless Domain Joined PC
ISE authentication for Wireless Non-Domain Joined (iPad, iPhone, scan gun)

Most of this is straightforward.

For starters they wanted to use certificate authentication.  This worked great for all of the domain joined PCs, wired and wireless alike.  I simply allowed EAP-TLS connections only for each and used computer-based authentication with machine cert validation.  I pushed out the machine certs with a GPO and did the rollout the following week.  Piece of cake.

MAB was an easy solution for all of the printers, scanners, and misc devices in the manufacturing/warehouse areas.

The issue came in when they wanted secure access via their iPads.  Had these devices been domain joined it would have been simple: issue them a machine cert.  Alternately I could have used NDES to enroll the iPads (but they're running Windows Server 2008 Standard... no NDES).  A third option would be to manually generate certs for each device (not an option: too many, and spread out across the country).

My solution was to add all users that needed WiFi via iPads into an AD group.  I then profiled all Apple devices joining the network and created an identity group mapping.

My policy was simple: after a cert failure, check whether the device has been profiled as an Apple-Device and the user is a member of the ipadUser group.  Not as secure as certificates or checking for domain joined machines, but a lot better than just allowing all devices coming and going onto the corp WiFi.
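To make the rule ordering concrete, here is an added model of the authorization logic described above, evaluated top-down with first match wins the way ISE does it. This is example code written for this post, not an ISE export: the "Apple-Device" profile and "ipadUser" group come from the post, while the result names, the MAB endpoint list, and the assumption that the iPad fallback is a user-credential authentication (PEAP) are mine.

```python
from dataclasses import dataclass

# Constructed endpoint database for the MAB rule (printers, scanners, scan guns).
KNOWN_MAB_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


@dataclass(frozen=True)
class Session:
    auth_method: str                 # "EAP-TLS", "MAB" or "PEAP" (user credentials)
    machine_cert_valid: bool = False  # EAP-TLS machine cert chained to the trusted CA
    user_authenticated: bool = False  # AD username/password accepted
    mac: str = ""
    profile: str = "Unknown"         # ISE profiler result, e.g. "Apple-Device"
    ad_groups: frozenset = frozenset()


def authorize(s: Session) -> str:
    """Evaluate the post's three rules in order; the first match wins."""
    # Rule 1: domain-joined PCs, wired or wireless, present a GPO-issued machine cert.
    if s.auth_method == "EAP-TLS" and s.machine_cert_valid:
        return "PERMIT_CORP"
    # Rule 2: supplicant-less devices are admitted by MAC address only.
    if s.auth_method == "MAB" and s.mac in KNOWN_MAB_MACS:
        return "PERMIT_PRINTER"
    # Rule 3: cert failed or absent, so fall back to user credentials, but only when
    # the profiler tagged the endpoint as Apple hardware AND the user is in ipadUser.
    if (not s.machine_cert_valid and s.user_authenticated
            and s.profile == "Apple-Device" and "ipadUser" in s.ad_groups):
        return "PERMIT_IPAD"
    return "DENY"


# Constructed sample sessions covering each rule and the cases that must fail.
SAMPLES = {
    "domain pc":        Session("EAP-TLS", machine_cert_valid=True),
    "known printer":    Session("MAB", mac="00:11:22:33:44:55"),
    "unknown mab":      Session("MAB", mac="de:ad:be:ef:00:01"),
    "ipad in group":    Session("PEAP", user_authenticated=True, profile="Apple-Device",
                                ad_groups=frozenset({"ipadUser"})),
    "ipad no group":    Session("PEAP", user_authenticated=True, profile="Apple-Device"),
    "laptop in group":  Session("PEAP", user_authenticated=True, profile="Windows",
                                ad_groups=frozenset({"ipadUser"})),
}

if __name__ == "__main__":
    for name, session in SAMPLES.items():
        print(f"{name:16s} -> {authorize(session)}")
```

The last two samples show why the author rates this below certificates: the profile match is a heuristic, so the rule relies on the AD group to limit who can use the weaker path.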