I am using:
Installed Patches 2
Product Identifier (PID) ISE-VM-K9
Version Identifier (VID) V01
ADE-OS Version 3.0.8.091
In my LAB, I have a single ISE that is doing everything (PAN, PSN, MnT) and is the root and hopefully the EP CA and RA all in one. I will be designing a distributed ISE system later.
I am not running a BYOD network but a network of trusted endpoints - I'm trying to on-board/register these endpoints into ISE Internal-CA for EAP-TLS authentication. I am looking for a dynamic method to distribute the certificates.
I have a question about using ISE’s internal CA to perform on-boarding of my endpoint devices – which potentially will be a hybrid of any BYOD processes/guides that I have seen. Likewise, I am not running an MDM but I do have an endpoint manager, Wyse Management Server. I haven’t integrated that portion yet into the overall solution. At this point, I'd like the endpoint to simply request a certificate from ISE. I have network connectivity.
I’m trying to just use the native Dell Wyse EndPoint firmware to “Request Certificate”, pointing to a Request URL (http://fqdn:9090/auth/caservice/pkiclient.exe). I also need a CA Hash Value (believe this to be my CA fingerprint) as well as an enrolment password – from what I believe is from the registration authority. The attachment is this screen I am trying to use.
What I have done:
Enable the ISE Internal CA – done!
Edit the EAP Authentication Template for my use – done!
I have a certificate defined for only EAP-Authentication - done!
I haven’t processed any BYOD design, as I was thinking that once I enabled the Internal ISE-CA and am running all personas on the same device, I can use my internal CA to do some type of hybrid SCEP flow to enroll the endpoint into the CA and then use the certificate for EAP-TLS.
Are there any documents available to suggest that this is even possible without going through the process of building a BYOD portal?
Can ISE, with its ISE Internal CA and the PSN role, handle the role of the registration authority itself and accept the certificate request, sign it and return it to the Dell Wyse endpoint?
UPDATE - THIS STATEMENT FROM https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867 INTRIGUES ME:
"there are different ways to onboard endpoints to the network. One way is to simply let users connect their personal devices to the existing guest or internal network, where endpoint simply gets Internet only access or in the case of internal network, the endpoint will gain same level access as managed devices. The other end of the spectrum is where endpoint is onboarded via ISE BYOD flow. When ISE BYOD onboards the endpoint, ISE can issue Certificate Authority (CA) signed certificate as well as automatically configure endpoint network settings to use the endpoint certificate that has been signed to gain network access."
So the only way to onboard is using the BYOD flow with a portal? I'm trying to do this systematically, where there are preliminary checks of the endpoint through MAB (profiled) and then the Wyse Management Server sends configuration info to the endpoint to register to the ISE CA. Possible?
Also Dell supports this capability either manually or allows for automation through their INI file where parameters can be given to the endpoint. It would sure be nice to get this working manually to ensure that it can be done automatically...
And I found this deck from Berlin Live 2016 page 60 of https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKSEC-3697.pdf that suggests that all this is possible - can it be this simple? Where is the process for this? How do I get ISE PSN working like this? Are there guides please?
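Before trusting the "CA Hash Value" and Request URL fields in the Wyse screen, an administrator can query the same SCEP endpoint for its capabilities (GetCACaps) and its CA certificate (GetCACert) and compute the fingerprint to pin. This is an added example, not Cisco or Dell code; the FQDN, the fingerprint algorithm assumed for the Wyse field, and the sample GetCACaps bodies are all constructed.

```python
"""Helpers for checking a SCEP enrolment endpoint (RFC 8894 GET operations)
and deriving the CA fingerprint an endpoint's "CA Hash Value" field pins.
Hypothetical helper code; the FQDN below is a constructed placeholder."""
import hashlib
import urllib.parse
import urllib.request

SCEP_URL = "http://ise.example.local:9090/auth/caservice/pkiclient.exe"  # constructed


def scep_url(base: str, operation: str, message: str = "") -> str:
    """Build a SCEP GET URL: <base>?operation=<op>[&message=<CA ident>]."""
    params = {"operation": operation}
    if message:
        params["message"] = message
    return f"{base}?{urllib.parse.urlencode(params)}"


def parse_getcacaps(body: str) -> set:
    """GetCACaps returns one capability keyword per CRLF-terminated line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def check_caps(caps: set) -> list:
    """Flag capabilities whose absence forces a client onto weaker legacy settings."""
    warnings = []
    if "SHA-256" not in caps:
        warnings.append("no SHA-256: client must fall back to a legacy digest for PKCS#7 signing")
    if "AES" not in caps:
        warnings.append("no AES: enrolment envelope falls back to a legacy block cipher")
    if "POSTPKIOperation" not in caps:
        warnings.append("no POSTPKIOperation: the PKCS#7 request must travel base64 in the URL")
    return warnings


def ca_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER-encoded CA certificate.
    Which algorithm the Wyse field expects is assumed, so it is a parameter."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_pinned(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare a fingerprint the admin recorded (any case, with or without colons)
    against the certificate actually served; a mismatch means do not enrol."""
    normalise = lambda s: s.replace(":", "").replace(" ", "").upper()
    return normalise(ca_fingerprint(der, algo)) == normalise(expected)


def fetch(url: str, timeout: float = 5.0) -> bytes:
    """Plain HTTP GET; SCEP itself runs over HTTP, hence the need to pin the CA."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()
```

With network access, `parse_getcacaps(fetch(scep_url(SCEP_URL, "GetCACaps")).decode())` followed by `ca_fingerprint(fetch(scep_url(SCEP_URL, "GetCACert")))` gives the capability warnings and the value to record; the endpoint returning a degenerate PKCS#7 instead of a bare certificate would need unwrapping first.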
The ISE CA is fully compatible with SCEP - but you will have to add the SCEP proxy - I assume the Wyse manager is doing the SCEP for the terminals - to the Network Devices list. That opens the ACL on ISE to allow the SCEP requests.
Thanks Aaron - for responding…
I’m using the Wyse Management Suite (WMS) to configure the ThinOS endpoints.
This is typically done through DHCP scope options 165, 166, 167, and 199, by which I point the ThinOS to the WMS to pull down the INI file, including the SCEP config. I was hoping that the ThinOS would register with ISE and onboard. I’m wondering if this is the typical MDM onboarding detail that I keep finding during my research.
So you are advising that the WMS must be defined as a network device (within ISE) to allow the SCEP requests. I am then assuming that the WMS must proxy the SCEP requests as an MDM?
I’m concerned that there are values I need to define as part of my configuration that I have no idea where to enable or find within ISE. The URL, I believe, is http://fqdn:9090/auth/caservice/pkiclient.exe, but where do I find these other values?
SCEP Administrator URL: Enter the SCEP administrator URL.
Enter the SCEP administrator user name.
SCEP User password: Enter the SCEP administrator user password.
So when you say add the proxy, this is the ISE or yet another box I need to place between ISE and WMS?
I feel that I am trail blazing here - hoping that someone has done this without defining all the onboarding steps of a BYOD portal I keep finding. Was my idea the intent of slide #60 of your deck?
The slide from that deck is mainly intended to describe the flow for the BYOD enrollment process. AFAIK (and from what I've been told by the BU in the past), ISE is not supported as a SCEP server outside of the well-defined and validated BYOD flow. It can act as a SCEP proxy to an external Enterprise CA (like MS ADCS), but not as a full-blown SCEP server for non-BYOD use cases (and definitely not as a replacement for an Enterprise CA). The additional SCEP values you referred to are not necessary for the BYOD flow, therefore they are not configurable in ISE.
The ISE Internal CA is purpose-built for the BYOD use case as well as some additional specific use cases within ISE like the Messaging Service and pxGrid. Any use outside of those use cases is not validated and, even if you were able to hack something together to get it working, would likely not be supported by TAC if something does not work as expected.
There are also some instances that are known not to work with the ISE SCEP service, like the following post related to certificate enrollment with an IOS switch, due to some mismatch in the usage field. This same limitation could also have an impact on what you are trying to accomplish with the WYSE terminals. There was an enhancement 'bug' filed for this limitation, but it was terminated as this is outside the intended purpose of the ISE Internal CA.