cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1034
Views
0
Helpful
3
Replies

BYOD certificate provisioning in non-domain machines

raksec
Cisco Employee
Cisco Employee

Hello Experts,

 

Seeking suggestions on the following scenario:

 

Customer is having a few non-domain machines which includes laptops, mobiles. These machines are running Linux, Mac, Android, iOS. Most of the machine users don't have admin rights. They have internal CA. ISE will be integrated with internal CA. So we are working on a specific requirement and to achieve that we have to provision certificates to non-domain machines. We are planning to test this using BYOD. I don't want to complicate the scenario. However, the ultimate goal is provisioning the certificates to non-domain machines so that machines can trust Web Security Appliance which will be acting as a web proxy.

 

So during BYOD flow, considering the machines are non-domain and user's don't have admin rights, certificates installation in the machines will be automatic or requires user's intervention? If user's intervention is required, would non-admin users be able to do that?

 

Even if somehow ISE is able to push the certificates, how a browser running in the endpoint will trust a proxy (WSA) using the same certificate? 

 

Thanks,

Rakesh Kumar

 

 

1 Accepted Solution

Accepted Solutions

CarlCarlson1234
Level 1
Level 1

This doesn't seem like a great way to go about getting certificates on devices for trusting a web proxy. I wouldn't suggest doing this.

Having said that, if I understand correctly it seems like you're planning to provision a certificate, that wont be used, on the device with the goal of also installing the cert of the internal (company owned) Root CA that also signed the certificate used by the web proxy. This way you'll have a trust chain for the web proxy built on the devices.

 

Linux - ISE doesn't support client provisioning for Linux.

iOS - ISE supports provisioning. ISE does have a native supplicant. You'll need to put in device pin if enabled.

Android - ISE requires an application from the app store to install certificates on Android.  It is terrible. You need to put in device pin if enabled. In my experience when a new version of Android comes out it takes Cisco at least 2 months before the new OS is supported.

Mac -  ISE supports provisioning. Requires admin access.

Windows - ISE supports provisioning. Requires admin access.

 

With all of the systems, you'll have to be aware of the OS release cycles for each one.  You'll potentially need to update the supplicants/wizards one ISE as you add new patches. The suggested supplicants/wizards are usually in the patch notes. You'll have to update the Posturing dictionaries when new OS's release so ISE can recognize them.  New OS versions ie, Android 9 to 10, iOS 12.x to 13.x.  are usually not immediately supported and can cause lots of frustration with users.

 

 

View solution in original post

3 Replies 3

CarlCarlson1234
Level 1
Level 1

This doesn't seem like a great way to go about getting certificates on devices for trusting a web proxy. I wouldn't suggest doing this.

Having said that, if I understand correctly it seems like you're planning to provision a certificate, that wont be used, on the device with the goal of also installing the cert of the internal (company owned) Root CA that also signed the certificate used by the web proxy. This way you'll have a trust chain for the web proxy built on the devices.

 

Linux - ISE doesn't support client provisioning for Linux.

iOS - ISE supports provisioning. ISE does have a native supplicant. You'll need to put in device pin if enabled.

Android - ISE requires an application from the app store to install certificates on Android.  It is terrible. You need to put in device pin if enabled. In my experience when a new version of Android comes out it takes Cisco at least 2 months before the new OS is supported.

Mac -  ISE supports provisioning. Requires admin access.

Windows - ISE supports provisioning. Requires admin access.

 

With all of the systems, you'll have to be aware of the OS release cycles for each one.  You'll potentially need to update the supplicants/wizards one ISE as you add new patches. The suggested supplicants/wizards are usually in the patch notes. You'll have to update the Posturing dictionaries when new OS's release so ISE can recognize them.  New OS versions ie, Android 9 to 10, iOS 12.x to 13.x.  are usually not immediately supported and can cause lots of frustration with users.

 

 

Thanks Carl. Appreciate your inputs.

So even if we accept the challenges and the risk, ISE will push the certificates in the system's certificate store. However, to trust the web proxy, client will be a web browser running in the endpoint which should be having root CA cert installed in the browser. Are we really achieving the goal using this solution?

I believe so. Everything on a system (web browsers included) should refer back to the same Trusted CA store, or Trusted Credential store. Once you have to root CA that signs the web proxy cert installed on the device the device should trust the connection.