
How to provision a certificate from ISE external CA to Apple MAC device using SCEP

csco11552159
Level 5

Hi,

I am trying to set up ISE as an RA, using our existing Microsoft SCEP server, for Apple Mac devices. I got the RA cert and SCEP configured on ISE following this guide: ISE - Adding Certificates to ISE and Creating Certificate Profiles.

I also configured the certificate template, pointing to our external SCEP server. But when I try to use the Certificate Provisioning portal, it doesn't allow me to select this template; it only allows me to select the internal SCEP template. Is this a current ISE limitation (ISE 2.1 Patch3)? How can I use this template for our device cert provisioning?

[Attached screenshot: Capturecert.JPG]


Accepted Solutions

On macOS, after we download the network setup assistant app and run it, it will contact ISE for the profile, which will use the template and trigger the certificate enrollment. The following how-to guides are based on ISE 1.1.1 but they have relevant info on how this is done:

How To: ISE & BYOD: Using Certificates For Differentiated Access

How To: ISE & BYOD: Onboarding, Registering & Provisioning

Also check out the other resources @ BYOD

4 Replies

csco11552159
Level 5

Here is the portal: I couldn't see the template pointing to the external SCEP.

[Attached screenshot: Capturecert2.JPG]

ISE can issue certificates via SCEP during the BYOD flow, not for manual certificate provisioning via certificate portal. ISE Cert portal is for issuing certificates from ISE internal CA. If you want to get certificates from MS CA, you should connect to MS CA portal, which is typically http(s)://CERTSERVER_IP/certsrv/

If we use external SCEP following the BYOD flow, when will the certificate request be sent to the SCEP server? Is the NSP template with the certificate template triggering the certificate enrollment? Or does something else control it?

I got confused here ...
