<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using ISE CA as SCEP Client to an MDM in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3764162#M518678</link>
    <description>&lt;P&gt;It can work. ASA/AnyConnect SCEP flow is an example where ASA is doing SCEP proxy on behalf of the AnyConnect client. For ISE to permit SCEP/SCEP proxy, ISE needs to have an endpoint session or the IP needs to be in the network device group. You can try adding whatever source IP (RADIUS key can be anything as it will not be utilized) that SCEP from MDM will be coming from as a NAD on ISE and try the flow. Obviously it will be harder to test if this is a cloud-based MDM, but should be doable if on-prem or private cloud. Just to be clear, this is the case where just because it works, doesn't mean it is supported.&lt;/P&gt;</description>
    <pubDate>Fri, 14 Dec 2018 22:22:40 GMT</pubDate>
    <dc:creator>howon</dc:creator>
    <dc:date>2018-12-14T22:22:40Z</dc:date>
    <item>
      <title>Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485924#M518660</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a customer that has the following BYOD requirements:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;They want all BYOD on-boarding and provisioning to be performed by the MDM&lt;/LI&gt;&lt;LI&gt;They do not have an in-house CA and as a result, they want to use ISE's CA&lt;/LI&gt;&lt;LI&gt;They want the MDM to instruct the BYODs to utilize SCEP and reach out to ISE for certificate provisioning&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this possible? According to ISE's documentation, SCEP can be used for device on-boarding when coming from VPN, but what about when going through an MDM?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Neno&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Jan 2018 02:43:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485924#M518660</guid>
      <dc:creator>nspasov</dc:creator>
      <dc:date>2018-01-12T02:43:20Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485925#M518661</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think it is possible, but our teams are not testing such use cases. I would suggest going ahead and trying it. Else, you may use the regular ISE BYOD flow.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Jan 2018 15:26:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485925#M518661</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-01-12T15:26:56Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485926#M518663</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Why isn’t the customer using MDM to push the cert to the clients?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 12 Jan 2018 15:32:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485926#M518663</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-01-12T15:32:27Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485927#M518665</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We are in early pre-sales stage so there is no way to test it. I also don't have access to an MDM, otherwise I would definitely test it :) Perhaps I can suggest a POV and go from there.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I did mention the BYOD flow that exists in ISE, but they are pretty firm on using the MDM for everything.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 13 Jan 2018 02:31:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485927#M518665</guid>
      <dc:creator>nspasov</dc:creator>
      <dc:date>2018-01-13T02:31:23Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485928#M518667</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Jason-&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it possible for the MDM to utilize SCEP and request the certificate from the ISE CA on behalf of the endpoint?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 13 Jan 2018 02:32:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485928#M518667</guid>
      <dc:creator>nspasov</dc:creator>
      <dc:date>2018-01-13T02:32:44Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485929#M518668</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I don’t think that’s a good solution.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The customer stated they wanted to use MDM for everything. I agree: if you have an MDM, you should use its own CA to issue the certificates to the endpoints. MDM is meant to do all this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Even though ISE can do BYOD, that doesn’t mean you need to, and having ISE request a cert from MDM via BYOD is not a good idea; you’re just complicating things unnecessarily.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I don’t see the use case and why you need to do this.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 13 Jan 2018 03:38:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485929#M518668</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-01-13T03:38:35Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485930#M518670</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you for the helpful feedback Jason!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Neno&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Jan 2018 07:16:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3485930#M518670</guid>
      <dc:creator>nspasov</dc:creator>
      <dc:date>2018-01-18T07:16:03Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761593#M518671</link>
      <description>&lt;P&gt;Hi Jason / Hsing,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a similar customer engagement in which they want to leverage their existing MDMs (JAMF for Mac, Airwatch for non-Mac) to provision the endpoints for EAP-TLS.&lt;/P&gt;
&lt;P&gt;The MDM will own the provisioning flow, but they want to proxy the cert enrollment to the ISE CA so that ISE owns/manages the certificate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Have we done any testing of this type of SCEP flow with external MDMs? Do we have systems in the BU labs to validate if this will work?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199790"&gt;@Jason Kunst&lt;/a&gt;, &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/113005"&gt;@hslai&lt;/a&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 11 Dec 2018 22:16:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761593#M518671</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2018-12-11T22:16:47Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761659#M518672</link>
      <description>Though ISE has an internal CA, it doesn’t support SCEP from the outside network. When a PSN gets a CSR from, say, a Network Setup Assistant, it is proxied internally to the internal CA server and gets the certificate signed. AFAIK, there is no other way to send SCEP calls to the internal CA.&lt;BR /&gt;&lt;BR /&gt;Having said that, check if any of those vendors support redirecting the users to the certificate provisioning portal of ISE for the users to generate a certificate for themselves.&lt;BR /&gt;</description>
      <pubDate>Wed, 12 Dec 2018 02:46:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761659#M518672</guid>
      <dc:creator>Surendra</dc:creator>
      <dc:date>2018-12-12T02:46:52Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761663#M518673</link>
      <description>As Hsing stated before, it’s not a tested solution. This testing hasn’t been done. I agree it might make some sense, but is it worth the effort and complexity? What are the issues with having MDM manage it? I would suggest working with the PMs to see if it might be a possibility in the future, with justification.</description>
      <pubDate>Wed, 12 Dec 2018 03:00:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3761663#M518673</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-12-12T03:00:14Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3762427#M518674</link>
      <description>&lt;P&gt;Thanks Jason. I think the issue with having the MDM manage it is that the MDM does not have a built-in CA, and the customer does not have an established SCEP service on their enterprise PKI.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've looked at a few options at using the Certificate Provisioning Portal in ISE to allow the user to manually provision their cert, but that doesn't configure the supplicant to allow them to connect to the dot1x SSID.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The only way I can think of to get this working would be to force the user through the standard ISE BYOD flow and use the NSP to enroll the certificate and configure the supplicant, then redirect the user to the MDM after to do that side of the provisioning.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know this is documented and validated for AirWatch, but do we know if this has been tested with Casper/JAMF?&lt;/P&gt;</description>
      <pubDate>Wed, 12 Dec 2018 22:52:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3762427#M518674</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2018-12-12T22:52:33Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3762430#M518675</link>
      <description>If the MDM doesn’t have a CA, then how would you expect the service to work with an MDM app onboarding and configuring the supplicant?&lt;BR /&gt;&lt;BR /&gt;They would need to do BYOD and then the MDM flow for a supported design, as called out in the BYOD guide:&lt;BR /&gt;&lt;A href="https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867" target="_blank"&gt;https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;We don’t validate all the different vendors; please check the associated vendor site for their documentation.&lt;BR /&gt;</description>
      <pubDate>Wed, 12 Dec 2018 22:57:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3762430#M518675</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-12-12T22:57:52Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3763299#M518676</link>
      <description>&lt;P&gt;Thanks Jason. After looking at some options with using self-signed certs from AirWatch, we found that the customer does actually have ADCS infrastructure that already integrates with AirWatch via DCOM (rather than SCEP). I've convinced the customer that, since the Apple devices are locked down by DEP initially, letting AirWatch provision the endpoints would be a much better and simpler method than trying to force the endpoint through the ISE Provisioning flow.&lt;/P&gt;</description>
      <pubDate>Thu, 13 Dec 2018 21:56:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3763299#M518676</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2018-12-13T21:56:08Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3763303#M518677</link>
      <description>Yes you’re correct ☺&lt;BR /&gt;</description>
      <pubDate>Thu, 13 Dec 2018 22:03:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3763303#M518677</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2018-12-13T22:03:07Z</dc:date>
    </item>
    <item>
      <title>Re: Using ISE CA as SCEP Client to an MDM</title>
      <link>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3764162#M518678</link>
      <description>&lt;P&gt;It can work. ASA/AnyConnect SCEP flow is an example where ASA is doing SCEP proxy on behalf of the AnyConnect client. For ISE to permit SCEP/SCEP proxy, ISE needs to have an endpoint session or the IP needs to be in the network device group. You can try adding whatever source IP (RADIUS key can be anything as it will not be utilized) that SCEP from MDM will be coming from as a NAD on ISE and try the flow. Obviously it will be harder to test if this is a cloud-based MDM, but should be doable if on-prem or private cloud. Just to be clear, this is the case where just because it works, doesn't mean it is supported.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Dec 2018 22:22:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-ise-ca-as-scep-client-to-an-mdm/m-p/3764162#M518678</guid>
      <dc:creator>howon</dc:creator>
      <dc:date>2018-12-14T22:22:40Z</dc:date>
    </item>
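The post above suggests adding the MDM's SCEP source IP as a NAD on ISE and then "trying the flow". The cheapest first check is the SCEP GetCACaps request from that source address: if the PSN answers it, the NAD entry is doing its job, and the advertised capabilities tell you which digest, cipher and HTTP method the MDM's enrollment will negotiate. The block below is an added example, not code from this thread, from Cisco, or from any MDM vendor; it builds the SCEP GET URLs and parses a GetCACaps body per RFC 8894, and it runs offline against a constructed sample response. The base URL is a placeholder (the thread gives no ISE SCEP path), and `SAMPLE_CAPS` is constructed.

```python
"""
SCEP client-side helpers: URL builder plus GetCACaps parser (RFC 8894).
Added example; assumptions are marked HYPOTHETICAL / constructed.
"""
from urllib.parse import urlencode
from urllib.request import urlopen

# HYPOTHETICAL placeholder; the real ISE PSN SCEP URL is not given in the thread.
HYPOTHETICAL_SCEP_BASE = "https://ise-psn.example.com/cgi-bin/pkiclient.exe"

# Capability keywords defined by RFC 8894; anything else in the body is ignored.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed sample GetCACaps body: one keyword per line, CRLF separated.
SAMPLE_CAPS = b"POSTPKIOperation\r\nRenewal\r\nSHA-256\r\nAES\r\nSCEPStandard\r\n"


def scep_url(base, operation, message=None):
    """Build a SCEP GET URL: base?operation=OP[&message=MSG]."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return base + "?" + urlencode(params)


def parse_getcacaps(body):
    """Parse a GetCACaps body into the set of recognised capabilities.
    One keyword per line; unknown keywords are ignored. Per RFC 8894 the
    SCEPStandard keyword implies AES, POSTPKIOperation and SHA-256."""
    caps = set()
    for line in body.decode("ascii", "replace").splitlines():
        word = line.strip()
        if word in KNOWN_CAPS:
            caps.add(word)
    if "SCEPStandard" in caps:
        caps.update({"AES", "POSTPKIOperation", "SHA-256"})
    return caps


def choose_hash(caps):
    """Strongest digest the CA advertises. SHA-1 is the protocol's fallback
    when nothing better is advertised, which is the legacy case worth flagging."""
    for h in ("SHA-512", "SHA-256"):
        if h in caps:
            return h
    return "SHA-1"


def choose_cipher(caps):
    """AES if advertised, otherwise the triple-DES legacy default."""
    return "AES" if "AES" in caps else "DES3"


def pkioperation_method(caps):
    """PKCS#7-wrapped CSRs are large; sending them by POST needs POSTPKIOperation."""
    return "POST" if "POSTPKIOperation" in caps else "GET"


def assess(caps):
    """Summarise what an enrolling client would negotiate against this CA."""
    return {
        "hash": choose_hash(caps),
        "cipher": choose_cipher(caps),
        "method": pkioperation_method(caps),
        "renewal": "Renewal" in caps,
        "legacy_only": choose_hash(caps) == "SHA-1" or choose_cipher(caps) == "DES3",
    }


def probe_getcacaps(base, timeout=10):
    """Live probe: fetch and parse GetCACaps from a real SCEP server.
    Not called at import time; needs network access from the address you
    registered as a NAD, and a TLS trust store that contains the PSN's CA."""
    with urlopen(scep_url(base, "GetCACaps"), timeout=timeout) as resp:
        return parse_getcacaps(resp.read())


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else None
    caps = probe_getcacaps(base) if base else parse_getcacaps(SAMPLE_CAPS)
    print(sorted(caps), assess(caps))
```

Run it with no arguments to see the parser on the constructed sample, or pass the PSN's SCEP URL to probe live from the MDM's egress host. A refused or redirected response from that host, after the NAD entry is in place, is the signal that the flow is blocked before any certificate logic is reached; an answer that lacks `SHA-256` and `AES` means the enrollment would fall back to SHA-1 and 3DES, which is the legacy profile `assess()` flags. ISE portal certificates are often signed by a private CA, so point the probe at a trust store that contains that CA rather than disabling verification.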
  </channel>
</rss>

