02-19-2020 06:38 AM
Hi,
I have a BYOD policy configured in ISE 2.4 and everything works well (EAP-PEAP & TLS). We only use ISE for Wireless, not for Wired. I want the BYOD to push a computer certificate while onboarding so that certificate can be used for Machine authentication.
Is it possible to push a computer certificate in BYOD wireless onboarding? If yes, please share the policy and necessary configuration.
I don't see an option for computer in wireless native supplicant provisioning.
Thanks
Priyesh
02-20-2020 02:14 PM
Also, just to reiterate... the ISE Internal CA is not an Enterprise CA and is therefore not supported as a CA for company-owned endpoints (e.g. AD-joined computers). It is only supported for use in a BYOD scenario and can only enrol user certificates.
02-19-2020 12:58 PM
The Native Supplicant Provisioning wizard can only enrol a User certificate via the BYOD flow.
BYO devices are expected to be single-user endpoints and the BYOD flow is not supported for Corporate endpoints. Of the common BYOD endpoint types (Windows, MacBook, iDevice, Android), Windows is the only type that leverages computer certificates, and any updates to the Computer certificate store require elevated privileges which the NSP would not have.
02-19-2020 03:45 PM
In a Microsoft deployment you should use the Group Policy and Microsoft CA Services to do that.
It's built into Windows Server - auto cert enrollment, auto certificate renewal, etc. All that stuff has been done reliably for years. Certs are managed by the Windows Server CA, and it doesn't incur the ISE Plus licensing either.
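As an added example (not from any post in this thread), the following PowerShell check, run from an elevated prompt, verifies that the Group Policy / AD CS auto-enrollment described above actually placed a usable computer certificate in the LocalMachine store that EAP-TLS machine authentication reads; the issuing CA name is a placeholder and the Client Authentication EKU is an assumption to adjust to your template.

```powershell
# Added example, not from the thread: confirm a computer certificate suitable for
# EAP-TLS machine auth exists in LocalMachine\My after GPO auto-enrollment.
# Assumptions: template EKU is Client Authentication (1.3.6.1.5.5.7.3.2);
# $IssuerMatch is a placeholder for your enterprise issuing CA's name.
# Run elevated: the machine store is what the 802.1X supplicant uses for machine auth.

param(
    [string]$IssuerMatch = 'CN=CORP-ISSUING-CA'   # placeholder, adjust to your CA
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Trigger a machine auto-enrollment pass first; certutil -pulse runs the same
# task the auto-enrollment GPO schedules, so a missing cert shows up as a policy
# problem rather than a timing one.
& certutil.exe -pulse | Out-Null

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -and
    $_.Issuer -like "*$IssuerMatch*"
}

if (-not $candidates) {
    Write-Warning "No valid Client Authentication computer certificate from $IssuerMatch in LocalMachine\My."
    Write-Warning "Check the template's Autoenroll permission for Domain Computers and the Computer Configuration auto-enrollment GPO."
    exit 1
}

foreach ($c in $candidates) {
    # Machine auth normally expects the host's FQDN in the Subject or SAN, so a
    # mismatch here is the usual reason a present certificate is still rejected.
    $nameOk = ($c.Subject -like "*$fqdn*") -or ($c.DnsNameList.Unicode -contains $fqdn)
    [pscustomobject]@{
        Thumbprint  = $c.Thumbprint
        Subject     = $c.Subject
        Issuer      = $c.Issuer
        NotAfter    = $c.NotAfter
        MatchesHost = $nameOk
    }
}
```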
02-20-2020 06:05 AM
So, according to all of you there is no way ISE can issue a machine certificate as an internal CA for a Wireless environment.
Can you guys please confirm this.
Thanks for all the help. :)
02-20-2020 08:30 AM