Beginner

How to machine Authenticate in Wireless BYOD

Hi,

I have a BYOD policy configured in ISE 2.4 and everything works well (EAP-PEAP & TLS). We only use ISE for Wireless, not for Wired. I want BYOD to push a computer certificate while onboarding, so that certificate can be used for Machine authentication.

Is it possible to push a computer certificate during BYOD wireless onboarding? If yes, please share the policy and necessary configuration with me.
I don't see an option for computer in wireless native supplicant provisioning.
Thanks
Priyesh

5 Replies

Cisco Employee

Re: How to machine Authenticate in Wireless BYOD

The Native Supplicant Provisioning wizard can only enrol a User certificate via the BYOD flow.

BYO devices are expected to be single-user endpoints, and the BYOD flow is not supported for Corporate endpoints. Of the common BYOD endpoint types (Windows, MacBook, iDevice, Android), Windows is the only type that leverages computer certificates, and any updates to the Computer certificate store require elevated privileges which the NSP would not have.

VIP Advocate

Re: How to machine Authenticate in Wireless BYOD

In a Microsoft deployment you should use the Group Policy and Microsoft CA Services to do that.

It's built into Windows Server: auto cert enrollment, auto certificate renewal, etc. All that stuff has been done reliably for years. Certs are managed by the Windows Server CA, and it doesn't incur the ISE Plus licensing either.

Beginner

Re: How to machine Authenticate in Wireless BYOD

So, according to all of you, there is no way ISE can issue a machine certificate as an internal CA for a Wireless environment.
Can you guys please confirm this.

Thanks for all the help. :)

VIP Advocate

Re: How to machine Authenticate in Wireless BYOD

As Greg indicated above, the flow you leverage for this only issues a user certificate. That certificate also includes the MAC address of the endpoint it was provisioned for, but it's not a machine certificate.
Cisco Employee (Accepted Solution)

Re: How to machine Authenticate in Wireless BYOD

Also, just to reiterate: the ISE Internal CA is not an Enterprise CA and is therefore not supported as a CA for company-owned endpoints (e.g. AD-joined computers). It is only supported for use in a BYOD scenario and can only enrol user certificates.
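The replies above make three points that are easy to verify on a Windows endpoint: a machine certificate lives in the LocalMachine store and is delivered by Group Policy and AD CS auto-enrolment, the NSP runs without the elevation needed to write to that store, and the ISE BYOD certificate is a user certificate (with the endpoint MAC in its SAN) sitting in the user's store. The following audit script is an added example, not code from the thread or from Cisco. It assumes an enterprise issuing CA whose subject contains `Corp-Issuing-CA` (a placeholder name) and uses ISE's default endpoint sub-CA naming pattern for the BYOD issuer; adjust both patterns for your deployment.

```powershell
# Added example (not from the thread or from Cisco): audit a Windows endpoint for the
# certificate types discussed above. Run in an elevated PowerShell session.
# Assumptions: the AD CS issuing CA subject contains 'Corp-Issuing-CA' (placeholder);
# the ISE pattern matches ISE's default internal endpoint sub-CA naming.
param(
    [string]$EnterpriseCaPattern = 'Corp-Issuing-CA',
    [string]$IseCaPattern        = 'Certificate Services Endpoint Sub CA'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication, required for EAP-TLS
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

# The NSP runs as the logged-on user; writing to Cert:\LocalMachine\My needs elevation,
# which is why the BYOD flow cannot place a computer certificate.
$IsElevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running elevated: $IsElevated"

function Get-EapClientCerts {
    # Certificates with a private key and the Client Authentication EKU,
    # issued by a CA whose subject matches $IssuerPattern.
    param([string]$StorePath, [string]$IssuerPattern)
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Issuer -match $IssuerPattern -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

function Show-Cert {
    # Print subject, expiry and SAN so a machine cert (DNS name) and a BYOD cert
    # (MAC address) can be told apart at a glance.
    param($Cert, [string]$Label)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }
    Write-Host ("{0}: Subject={1}; Expires={2:yyyy-MM-dd}; SAN={3}" -f `
        $Label, $Cert.Subject, $Cert.NotAfter, $sanText)
}

# 1. Machine certificate: what GPO + AD CS auto-enrolment delivers and what machine auth uses.
$machineCerts = @(Get-EapClientCerts 'Cert:\LocalMachine\My' $EnterpriseCaPattern)
if ($machineCerts.Count -eq 0) {
    Write-Host "No enterprise-CA machine certificate found: machine authentication will fail."
}
$machineCerts | ForEach-Object { Show-Cert $_ 'Machine cert' }

# 2. BYOD certificate: issued by the ISE internal CA into the user's store. Its SAN
#    carries the endpoint MAC address, but it is still a user certificate.
$byodCerts = @(Get-EapClientCerts 'Cert:\CurrentUser\My' $IseCaPattern)
$byodCerts | ForEach-Object { Show-Cert $_ 'BYOD user cert' }

# 3. Computer auto-enrolment policy as pushed by GPO. AEPolicy = 7 means enabled with the
#    renew/update options; 0x8000 means explicitly disabled; absent means no policy applied.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
$aeText   = if ($null -eq $aePolicy) { 'not configured' } else { '0x{0:X}' -f $aePolicy }
Write-Host "Computer auto-enrolment policy (AEPolicy): $aeText"
```

Save it as Audit-EapCerts.ps1 and run it from an elevated prompt on an AD-joined laptop: a healthy machine-auth setup shows at least one LocalMachine certificate from the enterprise CA and AEPolicy 0x7, while a BYOD-onboarded device shows only the CurrentUser certificate from the ISE CA with a MAC address in its SAN.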