Solved: Re: Using ISE CA as SCEP Client to an MDM

nspasov · ‎01-11-2018

I have a customer that has the following BYOD requirements:

They want all BYOD on-boarding and provisioning to be performed by the MDM
They do not have an in-house CA and as a result, they want to use ISE's CA
They want the MDM to instruct the BYODs to utilize SCEP and reach out to ISE for certificate provisioning

Is this possible? According to ISE's documentation, SCEP can be used for device on-boarding when coming from VPN but what about from when going through an MDM?

Thank you!

Neno

Jason Kunst · ‎01-12-2018

I don’t think that’s a good solution

The customer stated they wanted to use mdm for everything, I agree if you have an mdm you should use its on CA to issue the certificates to the endpoints. MDM is meant to do all this

Even though ISE can do byod that doesn’t mean you need to and having ISE request a cert from mdm via byod is not a good idea, you’re just complicating things unnecessarily

I don’t see the use case and why you need to do this

View solution in original post

Jason Kunst · ‎12-12-2018

If the MDM doesn’t have a CA then how would you expect the service to work with an MDM APP onboarding and configuring the supplicant?

They would need to do BYOD and then MDM flow for a supported design as called out in BYOD guide
https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

we don’t validate all the different vendors please check for associated vendor site for their documentation.

View solution in original post

hslai · ‎01-12-2018

I think it possible but our teams are not testing such use cases. I would suggest you going ahead and trying it. Else, you may use the regular ISE BYOD flow.

Jason Kunst · ‎01-12-2018

Why isn’t the customer using MDM to push the cert to the clients?

nspasov · ‎01-12-2018

Hi Jason-

Is it possible for the MDM to utilize SCEP and request the certificate from the ISE CA on behalf of the endpoint?

Jason Kunst · ‎01-12-2018

I don’t think that’s a good solution

The customer stated they wanted to use mdm for everything, I agree if you have an mdm you should use its on CA to issue the certificates to the endpoints. MDM is meant to do all this

Even though ISE can do byod that doesn’t mean you need to and having ISE request a cert from mdm via byod is not a good idea, you’re just complicating things unnecessarily

I don’t see the use case and why you need to do this

nspasov · ‎01-17-2018

Thank you for the helpful feedback Jason!

Neno

nspasov · ‎01-12-2018

We are in early pre-sales stage so there is no way to test it. I also don't have access to an MDM, otherwise I would definitely test it Perhaps, I can suggest a POV and go from there.

I did mention the BYOD flow that exist in ISE but they are pretty firm on using the MDM for everything.

Greg Gibbs · ‎12-11-2018

Hi Jason / Hsing,

I have a similar customer engagement in which they want to leverage their existing MDMs (JAMF for Mac, Airwatch for non-Mac) to provision the endpoints for EAP-TLS.

The MDM will own the provisioning flow, but they want to proxy the cert enrollment to the ISE CA so that ISE owns/manages the certificate.

Have we done any testing of this type of SCEP flow with external MDMs? Do we have systems in the BU labs to validate if this will work?

@Jason Kunst, @hslai

Surendra · ‎12-11-2018

Though ISE has an internal CA, it doesn’t support SCEP from the outside network. When a PSN gets a CSR from say a Network Setup Assistant, it is proxied internally to the internal CA server and gets the certificate signed. AFAIK, there is no other to send SCEP calls to the internal CA.

Having said that, check if any of those vendors support redirecting the users to the certificate provisioning portal of the ISE for the users to generate a certificate for themselves.

Jason Kunst · ‎12-11-2018

As hsing stated before it’s not a tested solution. This testing hasn’t been done. I agree it might make some sense but is it worth the effort and complexity? What’s the issues of having MDM manage it? I would suggest working with the PMs to see if it might be a possibility in the future with justification

Greg Gibbs · ‎12-12-2018

Thanks Jason. I think the issue with having the MDM manage it is that the MDM does not have a built-in CA, and the customer does not have an established SCEP service on their enterprise PKI.

I've looked at a few options at using the Certificate Provisioning Portal in ISE to allow the user to manually provision their cert, but that doesn't configure the supplicant to allow them to connect to the dot1x SSID.

The only way I can think of to get this working would be to force the user through the standard ISE BYOD flow and use the NSP to enroll the certificate and configure the supplicant, then redirect the user to the MDM after to do that side of the provisioning.

I know this is documented and validated for AirWatch, but do we know if this has been tested with Casper/JAMF?

Jason Kunst · ‎12-12-2018

If the MDM doesn’t have a CA then how would you expect the service to work with an MDM APP onboarding and configuring the supplicant?

They would need to do BYOD and then MDM flow for a supported design as called out in BYOD guide
https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

we don’t validate all the different vendors please check for associated vendor site for their documentation.

Greg Gibbs · ‎12-13-2018

Thanks Jason. After looking at some options with using self-signed certs from AirWatch, we found that the customer does actually have ADCS infrastructure that already integrates with AirWatch via DCOM (rather than SCEP). I've convinced the customer that, since the Apple devices are locked down by DEP initially, letting AirWatch provision the endpoints would be a much better and simpler method than trying to force the endpoint through the ISE Provisioning flow.

Jason Kunst · ‎12-13-2018

Yes you’re correct ☺

howon · ‎12-14-2018

It can work. ASA/AnyConnect SCEP flow is an example where ASA is doing SCEP proxy on behalf of the AnyConnect client. For ISE to permit SCEP/SCEP proxy ISE needs to have a endpoint session or the IP needs to be in the network device group. You can try adding whatever source IP (RADIUS key can be anything as it will not be utilized) that SCEP from MDM will be coming from as NAD on ISE and try the flow. Obviously will be harder to test if this is cloud based MDM, but should be doable if on prem or private cloud. Just to be clear, this is the case where just because it works, doesn't mean it is supported.