07-31-2018 08:44 AM - edited 03-11-2019 01:47 AM
A partner is having issues with iPhone and BYOD (not an issue with ISE); the Client Provisioning no longer provides a good user experience, and as a result they are now looking for an alternative to provide EAP-TLS based authentication for employee personal devices.
The partner's thoughts are to use an MDM (the customer is using XenMobile) to push a certificate to the device, whether it be iPhone or Android. The partner would prefer to use ISE to issue the certificate.
The question is, can ISE be used as a SCEP server to issue certificates to the BYOD devices with the request originating from the MDM server?
I’m assuming when the user registers to the MDM, ISE can be used to authenticate the request and once the certificate is issued, ISE can authenticate against the certificate?
07-31-2018 08:04 PM - edited 07-31-2018 08:05 PM
Hi Iagyte
Yes, ISE can act as a SCEP server if it has been configured as a CA authority.
When you activate the internal CA, on the latest column, you'll get the SCEP URL.
I've never tested it this way sourcing the request by MDM, but you can test it and let us know.
I've implemented it using ASA/AnyConnect as source request and it works well.