Deploy Certs with MDM for ISE device authenication

DAVID (Level 3)

We use Ivanti Neurons to manage our Apple devices. We would like to configure these devices so that they can use 802.1X EAP auth to authenticate to the network through ISE 3.3 acting as the RADIUS server. My question is this: is the certificate CSR generated by the MDM and signed by DIGI, then I import this cert into the ISE Trusted Certificates and the MDM deploys the certs to the Apple devices so that the user does not have to "Trust" the certificate when connecting? Or is the CSR generated by ISE, signed by the CA, imported into Trusted Certs and deployed to the devices by the MDM?

6 Replies

@DAVID 

Create the CSR on ISE, have it signed by the certificate authority, and import the signed certificate into ISE.

MDM is responsible for device management, which includes installing the certificate you received from the certificate authority on the devices.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html


Since the MDM created the CSR and the CA signed it, can the cert be imported into ISE even though ISE did not create the original CSR?

Yes, but is ISE already trusting the CA that signed the MDM or client cert?  If so, you shouldn't need to import it.  Are you talking about setting up the communication between ISE and the MDM for compliance checks?  Or strictly client auth using EAP-TLS?

I have not imported the cert yet, but the MDM created the CSR, which I have had signed by DIGI. My intent is to import the cert into ISE and configure it for EAP client authentication. The MDM would deploy the cert to the Apple devices and configure the new WLAN on the device to eliminate any user intervention. Just wanting to confirm that I am not missing anything or going down the wrong path. HTH

Nope, this sounds perfect to me

Dustin Anderson (VIP Alumni)

The only thing will be the cert on ISE for EAP. If it is using the same public cert, you should be fine. If it is self-signed, you would need to import it into the device's trust store; otherwise the user will get prompted to trust the cert.
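The two points the thread makes, that the CSR is created where the private key lives and only the CA-signed certificate is imported back into ISE, and that a device only skips the trust prompt when the issuing CA is in its trust store, can be reproduced on a workstation with OpenSSL. The script below is an added example, not code from the thread, Cisco or Ivanti: it builds a throwaway root CA as a stand-in for the DigiCert CA, signs an "ISE EAP server" CSR and an "Apple client" CSR with it, and then runs the same chain check a supplicant performs during EAP-TLS, once against the CA-signed ISE cert and once against a self-signed one. All subjects, file names and the `WORK` directory are made up for the demo; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example modelling the thread's certificate flow with a throwaway CA.
# Assumption: openssl is installed; every name and subject here is constructed.
set -eu
WORK="$(mktemp -d)"

# Stand-in for the enterprise CA (DigiCert in the thread): a self-signed root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Corp Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# The CSR is generated where the private key lives (ISE for the EAP server cert,
# the MDM/device for the client cert); the CA returns only a signed certificate.
# $1 = file base name, $2 = subject CN
make_signed_cert() {
  name="$1"; cn="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$name.pem" 2>/dev/null
}

# The case the last reply warns about: an ISE EAP cert no trusted CA signed.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ise-selfsigned.example" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# What the device does during EAP-TLS: chain the presented cert to a root it
# trusts. The MDM's job is to put ca.pem in that trust store; here -CAfile plays
# the trust store. Returns 0 when the chain verifies, non-zero otherwise.
# $1 = file base name of the certificate to check
device_trusts() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

demo() {
  make_ca
  make_signed_cert ise-eap "ise.example.corp"          # ISE's EAP server cert
  make_signed_cert apple-client "user1@example.corp"   # client cert pushed by the MDM
  make_self_signed
  if device_trusts ise-eap; then
    echo "CA-signed ISE cert: chains to the trusted CA, no user prompt"
  fi
  if device_trusts apple-client; then
    echo "CA-signed client cert: ISE, trusting the same CA, can validate it"
  fi
  if ! device_trusts selfsigned; then
    echo "self-signed ISE cert: no chain to a trusted CA, the device would prompt"
  fi
}
demo
```

Run it as `sh eap_chain_demo.sh`. The first two lines of output are the path the thread recommends; the third is the prompt Dustin describes, which disappears only if the self-signed certificate itself is pushed into the device trust store by the MDM.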