topic Re: Deploy Certs with MDM for ISE device authenication in Network Access Control

Deploy Certs with MDM for ISE device authenication

DAVID — Wed, 29 Jan 2025 21:28:23 GMT

We use Ivanti neurons to manage our Apple devices. We would like to configure these devices so that they can use 802.1 EAP auth to authenticate to the network through ISE 3.3 acting as the RADIUS server. My question is this? Is the certificate CSR generated by the MDM and signed by DIGI then I import this cert into the ISE Trusted Certificates and the MDM will deploy the certs to the Apple devices so that the user does not have to "Trust" the certificate when connecting. Or, is the CSR generated by ISE to be signed by CA and imported into Trusted Certs and deployed to devices by MDM??

Re: Deploy Certs with MDM for ISE device authenication

Flavio Miranda — Wed, 29 Jan 2025 22:23:35 GMT

@DAVID

Create CSR on ISE, signed by Certificate authority, import the signed certificate in ISE.

MDM is responsible for device management which include install the certificate you received from certificate authority on the devices.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html

Re: Deploy Certs with MDM for ISE device authenication

DAVID — Thu, 30 Jan 2025 01:34:33 GMT

Since MDM created the CSR and CA signed it, can cert be imported into ISE even though ISE did not create the original CSR?

Re: Deploy Certs with MDM for ISE device authenication

ahollifield — Thu, 30 Jan 2025 12:01:01 GMT

Yes, but is ISE already trusting the CA that signed the MDM or client cert? If so, you shouldn't need to import it. Are you talking about setting up the communication between ISE and the MDM for compliance checks? Or strictly client auth using EAP-TLS?

Re: Deploy Certs with MDM for ISE device authenication

DAVID — Thu, 30 Jan 2025 16:34:02 GMT

I have not imported the cert yet but MDM created the CSR which I have signed but DIGI. My intent is to import the cert into ISE and configure for EAP client authentication. The MDM would deploy the cert to the apple devices and configure the new WLAN on the device to eliminate any user intervention. Just wanting to confirm that I am not missing anything or going to the wrong path HTH

Re: Deploy Certs with MDM for ISE device authenication

ahollifield — Thu, 30 Jan 2025 16:49:47 GMT

Nope, this sounds perfect to me

Re: Deploy Certs with MDM for ISE device authenication

Dustin Anderson — Thu, 30 Jan 2025 17:14:57 GMT

The only thing will be the cert on ISE for EAP. If it is using the same public cert, you should be fine. If it is self signed, you would need to import it into the device's trust store otherwise the user will get prompted to trust the cert.