topic ISE BYOD/MDM integration in Network Access Control

ISE BYOD/MDM integration

iagyte — Mon, 11 Mar 2019 08:47:30 GMT

A partner is having issues with iPhone and BYOD (not an issue with ISE), the Client Provisioning no longer provides a good user experience and as a result now are looking for an alternative to provide EAP-TLS based authentication for employee personal devices.

Partner thoughts are to use an MDM (the customer is using XenMobile) to push a certificate to the device, whether it by iPhone or Android. The partner would prefer to use ISE to issue the certificate.

The question is, can ISE be used as a SCEP server to issue certificates to the BYOD devices with the request originating from the MDM server?

I’m assuming when the user registers to the MDM, ISE can be used to authenticate the request and once the certificate is issued, ISE can authenticate against the certificate?

Re: ISE BYOD/MDM integration

Francesco Molino — Wed, 01 Aug 2018 03:05:13 GMT

Hi Iagyte

Yes ISE can act as scep server if it has configured as CA authority.
When you activate the internal CA, on the latest column, you'll get the scep url.
I've never tested it this way sourcing the request by MDM, but you can test it and let us know.
I've implemented it using ASA/anyconnect as source request and it works well.

Re: ISE BYOD/MDM integration

Jason Kunst — Wed, 01 Aug 2018 11:10:54 GMT

Why? If the MDM can do the work this is the requested approach

Otherwise the experience will be the same and with more pieces to break

The on boarding process is basically the same. It’s just that if you don’t have well known certificate on your ISE nodes you will have a bad experience

Re: ISE BYOD/MDM integration

Francesco Molino — Wed, 01 Aug 2018 21:55:27 GMT

I'm not sure I get you. Maybe I misspelled something.
Your onboarding process will be done on your MDM but the certificate authority will be ISE and ISE can act as scep server. This was your question, isn't it?

Re: ISE BYOD/MDM integration

Jason Kunst — Thu, 02 Aug 2018 02:40:21 GMT

If you’re mdm is a certificate authority then all provisioning and on-boarding should go through the mdm app. This is the best user experience and least complex path. That’s what the mdm is designed for. It will be all contained

Although you might be able to somehow point ISE to the mdm CA and provision that way. It’s not recommended and tested. This way you’re increasing complexity and making the on-boarding process more difficult

Re: ISE BYOD/MDM integration

Francesco Molino — Thu, 02 Aug 2018 03:08:13 GMT

Ok now i get you. Yes the mdm on boarding is the best user experience. However the question was to know if ise can be scep server.
You can onboard the device through mdm but the certificate authority can be ise or anything else, it won't change the user experience. It's just something happening behind the scene.

Re: ISE BYOD/MDM integration

Jason Kunst — Thu, 02 Aug 2018 11:30:36 GMT

That’s incorrect. If ISE is the SCEP server then the client needs to use ISE BYOD onboarding as the app has no way Ron control this and ISE only talks to endpoint using the NSP wizard or Apple iOS OTA flow. Don’t do this it’s not supported. It doesn’t make sense or is practical to point ISE at the MDM CA

Re: ISE BYOD/MDM integration

Francesco Molino — Sat, 04 Aug 2018 03:31:07 GMT

I didn't say it will work.
I said ise can act as scep server to get certificates from it like you can do for anyconnect users. For some users it doesn't work.
I said he can try and if that works then fine but i agree that this isn't the best way to do it.