09-02-2020 01:39 PM
Hi,
We have a working solution for wireless 802.1X users where the users authenticate via cert. Now the new requirement is for mobile users that would be managed by MDM. The MDM is not integrated with ISE; the MDM will push the user cert to the phones and they will authenticate via ISE. My questions are:
1. For laptops I understand they are part of Domain/Computers, but mobile phones are not, so how do we configure the policy in this case?
2. What is the best way to design in my case where the MDM pushes the user cert? The MDM is not part of the domain, but it certainly does fetch the cert and install it on the user phones.
Thanks.
Atif
09-02-2020 03:01 PM
That's quite straightforward. You need to inspect the certificate that the MDM has pushed to the client, and then ensure that ISE contains the Root CA, and any intermediate CA certs that were used by the MDM in creating that cert. Put those CA certs into ISE's Trusted Certificates section. That will ensure that ISE will trust the certs that are coming from clients during EAP-TLS.
For the Policy part of the configuration, you need to consider Authentication and Authorization.
Authentication: Is there an identity element in the cert that you can (or want to) use to look up the user in AD (for example)? Let's say the client cert contains a Subject Common Name that resembles a valid AD user's UPN. If you want to perform Authentication, then you can create a cert profile in ISE that will do just that. But it's optional. You do not need to perform Authentication against an external identity source. A client that presents a cryptographically valid cert is sufficient for AuthN.
Authorization: This is where you look deeper into the cert and look for a distinguisher (e.g. Certificate Issuer) to decide what to do with this client. If Issuer Contains "Meraki MDM" (or whatever) then put this user in the BYOD VLAN and apply ACL etc. There are no hard and fast rules - look at the client cert and then create an AuthZ policy that will 100% match that cert as a BYOD user.
Hope that helps.
Now the Policy part is
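To make the three steps in the answer above concrete (trust the MDM's CA chain, optionally look the cert's CN up as an AD UPN, then authorize on the Issuer), here is an added model of that decision flow. It is example code written for this thread, not Cisco ISE code; the CA names, the "atif@example.com" user and the AD entries are constructed, and the `Cert` records stand in for the fields ISE reads from the real client certificate.

```python
"""Model of the ISE EAP-TLS decision flow from the answer: chain of trust,
optional AuthN against a directory, AuthZ on a certificate distinguisher."""
from dataclasses import dataclass

@dataclass
class Cert:
    subject: str      # Subject Common Name (the MDM cert profile puts the UPN here)
    issuer: str       # Issuer Common Name
    is_ca: bool = False

# Constructed stand-in for ISE "Trusted Certificates": root AND the MDM's intermediate.
TRUSTED = {
    "Corp Root CA": Cert("Corp Root CA", "Corp Root CA", True),
    "Meraki MDM Issuing CA": Cert("Meraki MDM Issuing CA", "Corp Root CA", True),
}
AD_USERS = {"atif@example.com": {"groups": ["Mobile-Users"]}}  # constructed directory

# Ordered AuthZ rules: (cert attribute, "contains" value, result). First match wins.
AUTHZ_RULES = [
    ("issuer", "Meraki MDM", {"vlan": "BYOD", "acl": "BYOD-ACL"}),
    ("issuer", "Corp Device CA", {"vlan": "CORP", "acl": "PERMIT-ALL"}),
]

def chain_is_trusted(cert, store, max_depth=5):
    """Walk issuer links to a self-signed root. Every link must be in the
    store, so a missing intermediate CA fails the client even if the root is present."""
    current = cert
    for _ in range(max_depth):
        issuer = store.get(current.issuer)
        if issuer is None or not issuer.is_ca:
            return False
        if issuer.subject == issuer.issuer:   # reached a self-signed root
            return True
        current = issuer
    return False                              # chain too long or looped

def authenticate(cert, directory=None):
    """Cert profile: treat the CN as the identity; directory lookup is optional."""
    identity = cert.subject
    return identity, (directory.get(identity) if directory is not None else None)

def authorize(cert, rules=AUTHZ_RULES):
    for attr, needle, result in rules:
        if needle in getattr(cert, attr):
            return dict(result)
    return {"vlan": "QUARANTINE", "acl": "DENY-ALL"}  # no rule matched: fail closed

def evaluate(cert, store=TRUSTED, directory=AD_USERS):
    """Full decision for one EAP-TLS client certificate."""
    if not chain_is_trusted(cert, store):
        return {"accepted": False, "reason": "untrusted issuer chain"}
    identity, ad_entry = authenticate(cert, directory)
    result = {"accepted": True, "identity": identity, "in_ad": ad_entry is not None}
    result.update(authorize(cert))
    return result
```

The quarantine fallback and the missing-intermediate rejection are the two cases worth reproducing in the lab before rolling the policy out.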