
BYOD Certificate best practice?

New Contributor

BYOD Certificate best practice?

Hrm, bear with me, I am unsure how to best phrase this...  We recently purchased the MAG2600 and I am a bit lost on the most effective way to deal with mobile clients and certificates.  This is a fairly small shop so I'd like to keep it relatively simple.

Our original idea was to have one login url/one sign in page that requires a certificate tied to the mobile device.  That seems fine, but then we would require device certificates for anyone connecting from their home PC or using the pulse client, correct?  We ideally would like to avoid that requirement and allow more basic authentication from home desktops.

So is there a way to accomplish that? 

The only way I can see, if not, is creating multiple authentication realms, one for desktops and one for mobile devices, and having two sign-in pages to avoid forcing a user to pick the realm (ideally to make this as brainless and seamless for them as possible), and locking each one down so only the intended use scenario can access each.

So I guess the big question is:  With a single authentication realm can you both enforce certificates for specific devices and NOT enforce them for others?

And if not, what is the "best" way to go about this using two different realms.  (Or perhaps we're overthinking this?)


Super Contributor

Re: BYOD Certificate best practice?

As you said, the ideal way is to create a virtual port, map it to a hostname, create a sign-in URL for the same, and have the mobile-based users sign in there to that REALM.

If not, you can have AD/LDAP as the authentication server for a single REALM and, under the REALM certificate restrictions, allow all users and enforce the restriction at the role level.

But in AD/LDAP you have to map the roles to the groups, for example mapping the mobile users group to the mobile users role.
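The single-realm design in the reply above, as an added example that is not part of the original thread and not the MAG2600's own configuration format: a small Python model of the access decision, assuming constructed AD group names MobileUsers and DesktopUsers and a constructed device-certificate issuer CN=Example Device CA.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed model of the design described in the reply: one realm, AD/LDAP
# authentication, realm-level certificate restriction set to "allow all users",
# and certificate enforcement applied per role through AD-group role mapping.
# Simplified simulation only; not the product's configuration schema.

TRUSTED_CA = "CN=Example Device CA"   # assumed issuer of device certificates

@dataclass
class ClientCert:
    issuer: str
    subject: str
    not_after: datetime

@dataclass
class Role:
    name: str
    require_cert: bool                      # role-level certificate restriction
    trusted_issuers: Tuple[str, ...] = ()   # issuers accepted by this role

# Role mapping rules: AD group -> role (constructed names)
ROLE_MAP = {
    "MobileUsers": Role("mobile", require_cert=True, trusted_issuers=(TRUSTED_CA,)),
    "DesktopUsers": Role("desktop", require_cert=False),
}

def cert_satisfies(role: Role, cert: Optional[ClientCert], now: datetime) -> bool:
    """Role-level check: only roles with require_cert inspect the certificate."""
    if not role.require_cert:
        return True
    if cert is None or cert.not_after <= now:      # missing or expired
        return False
    return cert.issuer in role.trusted_issuers      # must chain to a trusted CA

def evaluate_session(groups: List[str], cert: Optional[ClientCert],
                     now: Optional[datetime] = None) -> List[str]:
    """Roles granted to an AD-authenticated user entering the single realm.

    The realm restriction allows every authenticated user in; each mapped role
    then applies its own certificate restriction, so a desktop user needs no
    certificate while a mobile user is refused the mobile role without one.
    """
    now = now or datetime.now(timezone.utc)
    return [r.name for g in groups
            if (r := ROLE_MAP.get(g)) and cert_satisfies(r, cert, now)]
```

Note that a user who is in both groups but presents no certificate still receives the desktop role, so role-level enforcement only works if the group memberships are kept distinct.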