EAP-TLS for apple devices via MDM

piotrPaszk
Level 1

Hello,

The organization at the moment uses an MDM (Lightspeed) for pupils and ACS in order to authenticate employees. They use a 2-SSID implementation, OPEN / WPA-PSK. Now we want to use an MDM, either Lightspeed or another, in order to profile them from scratch, so they use EAP-TLS with ISE.

I just wonder, in terms of the authorization policy set in ISE, what kind of criteria against the certificate should be used to differentiate pupils and, for example, Apple TV. (For corporate users it is easy as they are in AD already.)

Should I use separate endpoint groups with corresponding MAC addresses and then just allow devices with valid certificates in order to give them different access? What kind of info should a certificate include?


6 Replies

Jason Kunst
Cisco Employee
You can have them use the My Devices portal and register their own MAC addresses.

If Wireless_MAB and RegisteredDevices then PermitAccess (whatever permissions you like).

If you are registering pupils and Apple devices with the MDM, you should have total control at the registration process over how certificates get generated and assigned to devices. When a pupil registers their device to the MDM, the certificate request to the CA could contain OU=pupil. When an Apple device registers, the certificate request could contain OU=Apple Device. Then in your authorization rules you could do "subject contains" matching to separate the two.

Hi Paul,

Thanks for the answer. It seems to be obvious with the authorization rules, but I just wonder how to create the authentication rules in this case?

I have an 802.1X authentication rule which matches identity store: identity store matches "certificate authentication profile against AD". This rule is for machines which are in AD. There is an option: if user not found, reject.

Since iPads are not in AD, how should I create a second authentication rule which matches an identity store with a certificate authentication profile which is not connected to any identity store? Should I change the first rule from "if user not found" to "continue" in order to allow it to go to the second one? Please see the attached pictures.

Best regards,

Piotr

You could create a second CAP and create a second authentication rule, but I stopped doing that years ago and have gone to keeping the authentication section intentionally generic. You don't have to check AD in your CAP. I have stopped doing that and simply set the CAP to pull identity from the Subject Alternative Name. This allows ISE to use any SAN field for identity. Right now you are forcing ISE to use the SAN DNS field and do an AD check in the CAP, which makes it a single-use-case CAP. If you change it to the SAN field and remove the AD check, the CAP can work for almost every certificate use case.

So the theory with the authentication phase in my setups is to simply answer the question "Are the credentials being provided correct?". For PEAP that means the AD username and password are valid. For certs, with the more generic CAP, it means: is the cert issued from a CA ISE trusts to issue client certs, and is the cert not expired or revoked. No AD checks in the authentication phase for certs. Then all the magic happens in the authorization phase. I can do all the AD checks I want in the authorization phase.
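The two replies above describe one evaluation order: a generic Certificate Authentication Profile that only asks "is this a valid client certificate from a CA we trust, with identity taken from the SAN?", followed by authorization rules that branch on certificate attributes such as the Subject OU (and only there consult AD). The script below is an added illustration of that order; it is not ISE code and not code from any poster in this thread. The CA names, subjects, serial numbers, profile names, the in-memory stand-ins for the CRL/OCSP and AD lookups, and the rule that identity is the first SAN value present are all constructed assumptions for the example. It also shows the caveat a practitioner wants: a certificate whose subject says OU=pupil but that was issued by an untrusted CA never reaches the OU match, because it is rejected in the authentication phase first.

```python
"""Model of a two-phase EAP-TLS decision: generic CAP authentication, then
attribute-based authorization. Added example with constructed data; not ISE
code and not code from anyone in the thread."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ClientCert:
    issuer: str                     # DN of the issuing CA
    subject: str                    # DN, e.g. "CN=ipad-17,OU=pupil,O=School"
    not_after: datetime
    san: dict = field(default_factory=dict)   # {"dNSName": ..., "rfc822Name": ...}
    serial: int = 0


# Constructed stand-ins for ISE's trusted-CA store, CRL/OCSP result and AD lookup.
TRUSTED_CLIENT_CAS = {"CN=School Issuing CA,O=School"}
REVOKED_SERIALS = {0x1F}
AD_COMPUTERS = {"lt-0042.school.local"}


def parse_dn(dn):
    """Split an RFC 4514 style DN into (TYPE, value) pairs, honouring
    backslash-escaped commas so 'OU=Apple\\, Device' is one RDN."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().upper(), value.strip()))
    return out


def dn_values(dn, attr):
    """All values of one attribute type (a DN may carry several OUs)."""
    return [v for t, v in parse_dn(dn) if t == attr.upper()]


def authenticate(cert, now):
    """Generic CAP: trusted issuer, not expired, not revoked. Identity is the
    first SAN value present (assumption), falling back to the subject CN.
    Returns (result, identity). No directory lookup happens here."""
    if cert.issuer not in TRUSTED_CLIENT_CAS:
        return "REJECT:untrusted-ca", None
    if cert.not_after <= now:
        return "REJECT:expired", None
    if cert.serial in REVOKED_SERIALS:
        return "REJECT:revoked", None
    cn = dn_values(cert.subject, "CN")
    identity = next(iter(cert.san.values()), None) or (cn[0] if cn else None)
    return "PASS", identity


def authorize(cert, identity):
    """Ordered authorization rules, first match wins, as a policy set
    evaluates them. The AD check lives here, not in the CAP."""
    ous = [v.lower() for v in dn_values(cert.subject, "OU")]
    if identity and identity.lower() in AD_COMPUTERS:
        return "Employee_Access"
    if "pupil" in ous:
        return "Pupil_Access"
    if "apple device" in ous:
        return "AppleTV_Access"
    return "DenyAccess"                  # default rule


def evaluate(cert, now=None):
    """Full decision: authentication result if it fails, else the profile."""
    now = now or datetime.now(timezone.utc)
    result, identity = authenticate(cert, now)
    return result if result != "PASS" else authorize(cert, identity)


# Constructed sample certificates covering the cases discussed in the thread.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 1, tzinfo=timezone.utc)
CA = "CN=School Issuing CA,O=School"
SAMPLES = {
    "pupil_ipad": ClientCert(CA, "CN=ipad-17,OU=pupil,O=School", LATER,
                             {"rfc822Name": "ipad-17@school.local"}, 1),
    "apple_tv": ClientCert(CA, "CN=appletv-lib,OU=Apple Device,O=School", LATER,
                           {"dNSName": "appletv-lib.school.local"}, 2),
    "employee_laptop": ClientCert(CA, "CN=lt-0042,OU=Staff,O=School", LATER,
                                  {"dNSName": "lt-0042.school.local"}, 3),
    "revoked_ipad": ClientCert(CA, "CN=ipad-03,OU=pupil,O=School", LATER,
                               {"rfc822Name": "ipad-03@school.local"}, 0x1F),
    "rogue_ca": ClientCert("CN=Some Other CA,O=Elsewhere",
                           "CN=ipad-99,OU=pupil,O=School", LATER, {}, 4),
    "expired": ClientCert(CA, "CN=ipad-05,OU=pupil,O=School",
                          datetime(2023, 6, 1, tzinfo=timezone.utc), {}, 5),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:16s} -> {evaluate(cert, NOW)}")
```

The employee laptop still ends up with the employee profile even though the CAP never touched AD: its SAN DNS name is resolved against the directory only in `authorize`. The iPad and Apple TV, which have no AD object, pass the same CAP because their SAN (or CN) is a usable identity, and the OU decides their profile.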


That really makes sense, Paul, thanks :) Can you provide some screenshots from your policy sets, both authorization and authentication? Br Piotr

Thanks Jason for the answer. That's a good option for sure, but I have to do it via an external MDM without any BYOD or direct MDM integration. BR Piotr