How to machine Authenticate in Wireless BYOD

pcno (Level 1)

Hi,

I have a BYOD policy configured in ISE 2.4 and everything works well (EAP-PEAP & TLS). We only use ISE for wireless, not for wired. I want BYOD to push a computer certificate while onboarding so that the certificate can be used for machine authentication.

Is it possible to push a computer certificate during BYOD wireless onboarding? If yes, please share with me the policy and necessary configuration.
I don't see an option for "computer" in wireless native supplicant provisioning.
Thanks
Priyesh

Accepted Solution

Also, just to reiterate: the ISE Internal CA is not an Enterprise CA and is therefore not supported as a CA for company-owned endpoints (e.g. AD-joined computers). It is only supported for use in a BYOD scenario and can only enrol user certificates.


5 Replies

Greg Gibbs (Cisco Employee)

The Native Supplicant Provisioning wizard can only enrol a User certificate via the BYOD flow.

BYO devices are expected to be single-user endpoints, and the BYOD flow is not supported for corporate endpoints. Of the common BYOD endpoint types (Windows, MacBook, iDevice, Android), Windows is the only type that leverages computer certificates, and any updates to the computer certificate store require elevated privileges, which the NSP would not have.

Arne Bier (VIP)

In a Microsoft deployment you should use Group Policy and Microsoft CA Services to do that.

It's built into Windows Server: auto certificate enrollment, auto certificate renewal, etc. All that stuff has been done reliably for years. Certs are managed by the Windows Server CA, and it doesn't incur ISE Plus licensing either.
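Added example, not code from the thread or from Cisco: a PowerShell check for the situation Arne and Greg describe. It assumes a domain-joined Windows endpoint that received its certificate through GPO autoenrollment from a Microsoft enterprise CA (the CA name is a placeholder), and lists what sits in the computer store that a machine-authentication supplicant could present, deliberately ignoring the user store where the ISE NSP certificate lands.

```powershell
# Added example, not from the thread: inventory the certificates in the Windows
# computer store that an EAP-TLS machine-authentication supplicant could present.
# Assumes a domain-joined Windows endpoint that received a machine certificate via
# GPO autoenrollment from a Microsoft enterprise CA. The CA name is a placeholder.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'           # Client Authentication EKU
$TemplateOids   = @('1.3.6.1.4.1.311.20.2',      # v1 certificate template name
                    '1.3.6.1.4.1.311.21.7')      # v2 certificate template information
$ExpectedIssuer = 'CN=EXAMPLE-ISSUING-CA'        # placeholder: your enterprise CA subject

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Enterprise-CA-issued certs carry a template extension; a cert without one
    # did not come from an AD CS template (e.g. an ISE internal CA BYOD user cert).
    $ext = $Cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

function Get-MachineAuthCertificate {
    param([string]$IssuerPattern = $ExpectedIssuer)
    # Cert:\LocalMachine\My is the computer store the machine-auth supplicant reads
    # and the store the NSP cannot write to without elevation. Cert:\CurrentUser\My,
    # where the ISE BYOD user certificate lands, is not searched on purpose.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
            $_.Issuer -like "*$IssuerPattern*"
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'Template'; Expression = { Get-CertTemplateName -Cert $_ } }
}

$certs = Get-MachineAuthCertificate
if (-not $certs) {
    # Nothing usable: autoenrollment has not delivered a machine cert yet, so an
    # EAP-TLS machine-auth policy on ISE would fail for this endpoint.
    Write-Warning ("No valid machine certificate from '$ExpectedIssuer' in " +
        "Cert:\LocalMachine\My; check GPO autoenrollment (gpupdate /force, certutil -pulse).")
} else {
    $certs | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the endpoint; an empty result with a user certificate present only under Cert:\CurrentUser\My is exactly the BYOD-only outcome the replies above describe.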

So, according to all of you, there is no way ISE can issue a machine certificate as an internal CA for a wireless environment.
Can you guys please confirm this?

Thanks for all the help. :)

As Greg indicated above, the flow you leverage for this only issues a user certificate. That certificate also includes the MAC address of the endpoint it was provisioned for, but it's not a machine certificate.

Also, just to reiterate: the ISE Internal CA is not an Enterprise CA and is therefore not supported as a CA for company-owned endpoints (e.g. AD-joined computers). It is only supported for use in a BYOD scenario and can only enrol user certificates.
