ISE Certificate Distribution & Portal

Mike.Cifelli (VIP Alumni)

Can someone please shed some light on useful documentation that will highlight the pros/cons of utilizing ISE and client provisioning to allow an end node to enroll for a PKI cert. Based on brief research it looks like the capabilities are limited. For example, it seems that the internal ISE templates only allow you to use the MAC as the SAN. It also seems that you can only provision the Windows native supplicant.

 

Currently I have an internal Microsoft PKI setup that deploys certificates to clients via auto-enrollment with proper security group permissions on a given template on the sub CA. We have several networks/use cases where some hosts use NAM for EAP chaining and others simply use the native supplicant.


I am trying to potentially automate the imaging process and the deployment of certificates using ISE. I would like ISE to act as another sub CA to my root that can issue certificates to lab admins going through the imaging process, all while still having the ability to use the current setup of auto-enrollment. The thought would be that ISE could potentially eliminate the manual intervention of the need to move a computer object in AD to the proper sec group to allow permissions to enroll.

 

Is the juice worth the squeeze? Can ISE use/share templates from another Microsoft sub CA via SCEP? My experiences for certificate provisioning are stronger when using an external PKI source. Thanks in advance!

Accepted Solution

I would definitely advocate doing autoenrollment at the domain computer level to avoid a manual step, but if you analyze the rebuild sequence you are probably 3-4 steps in before the device is joined to AD, runs GPOs, autoenrolls and even has a chance to do 802.1X. You have to figure out a way to get through those first few steps of the build process. As I said you can profile your way through the PXE boot and initial WinPE image step by looking at DHCP attributes. Once the WinPE image is pulled down you have the option to incorporate a program like the one I wrote to automatically add the MAC address to a whitelist in ISE and reboot.

 

The other way I handle this is by using a Temp bypass portal in ISE (a subversion of the MyDevices portal).  We use this portal for help desk, desktop team, etc. to add MAC addresses into a whitelist to allow them on the network.  That whitelist is purged every night.  As part of their rebuild process they would add the MAC address into the temp bypass portal.

 

I

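For the whitelist-on-rebuild step described above (the executable itself is not shown in the thread), the following is an added example of the same idea, not the poster's code: it stages a MAC address into an ISE endpoint identity group through the ERS API so the host can pass MAB during the build. The ISE hostname, the group name, the ERS admin credentials and the use of port 9060 with basic auth are assumptions; the lookup and create calls use the documented ERS `endpointgroup` and `endpoint` resources.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

ISE_HOST = "ise.example.internal"      # placeholder PAN hostname (ERS listens on 9060)
WHITELIST_GROUP = "Rebuild-Whitelist"  # placeholder endpoint identity group name


def normalize_mac(raw: str) -> str:
    """Accept aabb.ccdd.eeff, aa-bb-.. or aa:bb:.. and return the AA:BB:CC:DD:EE:FF form ISE stores."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_group_id(search_result: dict, name: str) -> str:
    """Pull the group id out of an ERS endpointgroup search response (SearchResult.resources)."""
    for res in search_result.get("SearchResult", {}).get("resources", []):
        if res.get("name") == name:
            return res["id"]
    raise LookupError(f"endpoint group {name!r} not found")


def endpoint_payload(mac: str, group_id: str, note: str) -> dict:
    """Body for POST /ers/config/endpoint; static assignment stops the profiler moving it out."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "groupId": group_id,
                            "staticGroupAssignment": True, "description": note}}


def ers_call(method, path, user, password, body=None, ctx=None):
    """One ERS request with basic auth; pass an ssl context pinned to the ISE cert via ctx."""
    req = urllib.request.Request(f"https://{ISE_HOST}:9060{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, (json.load(resp) if resp.status == 200 else None)


def whitelist_mac(mac, user, password, ctx=None):
    """Resolve the group, then create the endpoint; ERS answers 201 Created on success."""
    query = urllib.parse.quote(f"name.EQ.{WHITELIST_GROUP}")
    _, found = ers_call("GET", f"/ers/config/endpointgroup?filter={query}", user, password, ctx=ctx)
    gid = extract_group_id(found, WHITELIST_GROUP)
    status, _ = ers_call("POST", "/ers/config/endpoint", user, password,
                         endpoint_payload(mac, gid, "added by rebuild task"), ctx)
    return status == 201
```

Pair this with the nightly purge the thread mentions (deleting endpoints in the group) so the whitelist never becomes a permanent bypass.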


Hope this helps you: Cisco ISE CA Service

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

paul (Level 10)

Are you just trying to solve a reimaging issue?  Domain computers when added to the domain aren't set to autoenroll for a computer certificate?

 

For reimage processes I usually exempt the PC build rooms from ISE authentication assuming they have dedicated switches.  For in place reimaging outside the build room I have written an executable that is incorporated into the build process that will automatically add the MAC address of the NIC card into a whitelist on ISE using the REST API.  You can profile your way through the initial PXE boot downloading of the WinPE image. 

@paul Yeah just trying to find ways to automate some things. The campus layout is a little different. There are not dedicated switches for re-imaging. All NAD interfaces are configured with closed auth and are a part of an SDA fabric. Per requirements we have to have other admins open tickets when wanting to re-image. Maybe the easiest win is just to allow Domain Comps to auto-enroll. I kind of liked doing it the other way so we could track progress/migration, but the tradeoff is the extra one step of manual intervention. Thanks for the reply.
