Global Insurance Leader Gains Network Visibility Advantage via Digital Certificates

Deployment Timeline

The company evaluated a number of different options to implement a certificate solution. To start, they considered standing up their own PKI to have full control over the certificate solution. Further research deterred them, as their complex device environment would make the PKI exceedingly difficult to set up and manage over time.

They contemplated setting up Windows NPS and a CA supported through Active Directory, but the diversity of their managed devices continued to be a hurdle. This setup would require a ton of additional resources and effort to integrate with Jamf and Chromebooks, so the suggestion was promptly set aside.

Lastly, they evaluated open-source certificate options that they could customize to meet their network requirements. But this would require their IT staff to write their own extensions to accommodate their needs. The amount of manual work and maintenance over time discouraged this choice.

SecureW2 met the company's criteria and had a solution capable of integrating every device type. Its cloud-based PKI and RADIUS server can be easily integrated and configured to deliver certificates within hours. Using SCEP and WSTEP API Gateways, the company could deliver certificates to managed devices with no interaction from the end user. Those certificates are securely authenticated using EAP-TLS, the strongest authentication method available.

After just a few hours of setup, the company had certificates deployed to all of its managed devices and no longer had to deal with password-related issues.

Challenges

The IT staff's search was prompted primarily by issues with their Meraki authentication process. During authentication, they would have to use a device agent to check in and confirm whether a connecting device was one of theirs and was allowed network access.

The process was inefficient and influenced a switch to Mist Systems, but this still was not a sufficient solution. Mist provided a more reliable method of determining who is connected to the secure network with little effort from IT and a more organized place to read network data.

But the authentication method lacked the security the team required. Only once a device was connected to the network after entering a valid set of credentials could they check for the Meraki agent and confirm that it was an approved network device. Regardless of whether the user had a valid credential set, they wanted to confirm the device's identity before it connected to the network.

We wanted the ability to tell whether a connected device was still managed by us. At that point, a network partner recommended we use certificates.
SABA, SENIOR INFRASTRUCTURE ENGINEER

The certificate solution had to support their diverse array of managed devices. Their device environment was split between approximately 400 MacBooks, 150 Windows laptops, and 200 Chromebooks. They had two separate device management consoles and wanted a solution that could combine them all.

Solutions

When searching for a new authentication solution, a network partner of the company recommended they research certificate-based authentication. They quickly concluded that certificates could be the exact authentication solution they sought.

Certificates would allow each device to be easily identifiable because certificates are tied to the identity of the device and cannot be removed except by the network admin. Managed devices equipped with certificates could be identified as approved devices before being granted secure access. They began searching for a PKI and RADIUS solution.

SecureW2’s certificate solution was quickly implemented. Once the details of the setup were complete, the company began transferring all users away from the old SSID and into the new network. Immediately the IT team experienced an increase in efficiency.

When authenticating with credentials, it’s necessary to implement a password reset policy to help counteract some of the glaring weaknesses of passwords. When every user has to reset the password on every network device, there are bound to be a number of connection errors. The company experienced this regularly, and many of their support tickets were password-reset-related.

By replacing passwords with certificates, the company has experienced a marked decrease in support ticket requests. While it’s been a bonus for users to not replace passwords or enter them to be authenticated, the largest benefit has been the time saved for IT.

Once we moved to certificates, we really didn’t have any issues. Implementation of SecureW2 was a thorough process.
SABA, SENIOR INFRASTRUCTURE ENGINEER

Evaluating Success

Overall, the deployment of certificates for managed device authentication has been a success. The company has equipped every managed device on its network with a certificate.

Additionally, communications with SecureW2’s Support team during the setup process simplified everything. They were able to follow thorough documentation from Support, and any issue they encountered was addressed by the same support person each time.

As the company continues to grow and move forward, they have begun evaluating other potential uses for certificates. With the increase in employees working from home, VPN authentication using certificates has become an attractive future project. One path they may consider would allow users to always authenticate to the VPN as part of a large SSO-type solution.

SecureW2 will be there to support and provide dynamic certificate solutions for any future projects.