ISE BYOD/MDM integration

iagyte (Cisco Employee)

A partner is having issues with iPhone and BYOD (not an issue with ISE): the Client Provisioning no longer provides a good user experience and, as a result, they are now looking for an alternative way to provide EAP-TLS based authentication for employees' personal devices.

The partner's thought is to use an MDM (the customer is using XenMobile) to push a certificate to the device, whether it be iPhone or Android. The partner would prefer to use ISE to issue the certificate.

The question is: can ISE be used as a SCEP server to issue certificates to the BYOD devices, with the request originating from the MDM server?

I'm assuming that when the user registers with the MDM, ISE can be used to authenticate the request, and once the certificate is issued, ISE can authenticate against the certificate?

2 Accepted Solutions (both are repeated in the replies below)

7 Replies

Francesco Molino (VIP Alumni)

Hi Iagyte,

Yes, ISE can act as a SCEP server if it has been configured as a CA.
When you activate the internal CA, in the last column you'll get the SCEP URL.
I've never tested it this way, with the request sourced by the MDM, but you can test it and let us know.
I've implemented it using ASA/AnyConnect as the source of the request and it works well.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
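The reply above mentions the SCEP URL that the ISE internal CA exposes. Before pointing an MDM at such a URL, a practitioner would usually check what the SCEP endpoint advertises, because a SCEP client negotiates its hash and cipher from the CA's GetCACaps answer (RFC 8894) and silently falls back to weak legacy algorithms if the CA advertises nothing better. The Python below is an added example, not code from the thread, Cisco or XenMobile: it builds the SCEP operation URLs, parses a GetCACaps body, and reports which algorithms a standards-following client would pick and whether that is a weak fallback. The host name, URL path, and the two sample response bodies are constructed placeholders, not a real ISE deployment.

```python
"""SCEP endpoint capability check (RFC 8894, GetCACaps / GetCACert URLs).

Added example for this thread. The SCEP_URL below is a placeholder; the real
value is the SCEP URL shown in the ISE internal CA settings.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Placeholder SCEP URL (assumption, not a real ISE host or path).
SCEP_URL = "https://ise.example.test/scep/pkiclient.exe"

# Constructed sample GetCACaps bodies (text/plain, one keyword per line).
SAMPLE_CAPS_MODERN = "POSTPKIOperation\nSHA-256\nAES\nRenewal\nSCEPStandard\n"
SAMPLE_CAPS_LEGACY = "POSTPKIOperation\nSHA-1\nDES3\n"   # no SHA-256, no AES


def scep_operation_url(base_url, operation, message=None):
    """Return the GET URL for a SCEP operation such as GetCACaps or GetCACert.

    The query is operation=<name>[&message=<CA identifier>]; existing query
    parameters on base_url are replaced, everything else is preserved.
    """
    parts = urlsplit(base_url)
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    return urlunsplit(parts._replace(query=urlencode(query)))


def parse_ca_caps(body):
    """Parse a GetCACaps response body into the set of advertised keywords.

    Keywords are case-sensitive in RFC 8894; unknown keywords are kept so the
    caller sees everything the CA claims to support.
    """
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_pkcsreq_algorithms(caps):
    """Pick the strongest hash and cipher the CA advertises, as a SCEP client
    would for its PKCSReq, and flag a weak legacy fallback.

    When nothing is advertised, pre-RFC 8894 clients defaulted to MD5 and
    single DES; SHA-1 and 3DES are the other legacy options still seen.
    """
    if "SHA-512" in caps:
        hash_alg = "SHA-512"
    elif "SHA-256" in caps:
        hash_alg = "SHA-256"
    elif "SHA-1" in caps:
        hash_alg = "SHA-1"
    else:
        hash_alg = "MD5"          # legacy default when no hash is advertised

    if "AES" in caps:
        cipher = "AES"
    elif "DES3" in caps:
        cipher = "3DES"
    else:
        cipher = "DES"            # legacy default when no cipher is advertised

    return {
        "hash": hash_alg,
        "cipher": cipher,
        "post_pkioperation": "POSTPKIOperation" in caps,
        "renewal": "Renewal" in caps,
        # "SCEPStandard" means the CA claims AES, SHA-256 and POSTPKIOperation.
        "scep_standard": "SCEPStandard" in caps,
        "weak_fallback": hash_alg in ("MD5", "SHA-1") or cipher in ("DES", "3DES"),
    }


def assess_scep_endpoint(base_url, caps_body):
    """Summarise an endpoint from its base URL and a GetCACaps body."""
    caps = parse_ca_caps(caps_body)
    result = choose_pkcsreq_algorithms(caps)
    result["caps_url"] = scep_operation_url(base_url, "GetCACaps")
    result["cacert_url"] = scep_operation_url(base_url, "GetCACert", "ca-ident")
    return result


if __name__ == "__main__":
    for label, body in (("modern", SAMPLE_CAPS_MODERN), ("legacy", SAMPLE_CAPS_LEGACY)):
        print(label, assess_scep_endpoint(SCEP_URL, body))
```

Against a live endpoint the GetCACaps body comes from an HTTP GET of `caps_url`; the sample bodies stand in for that here. A `weak_fallback` of True is the thing to act on before enrolling BYOD devices: either the CA is not advertising SHA-256/AES, or the MDM is talking to something that is not the CA you expect.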

Why? If the MDM can do the work, this is the requested approach.

Otherwise the experience will be the same, with more pieces to break.

The on-boarding process is basically the same. It's just that if you don't have a well-known certificate on your ISE nodes, you will have a bad experience.

I'm not sure I get you. Maybe I misspelled something.
Your onboarding process will be done on your MDM, but the certificate authority will be ISE, and ISE can act as a SCEP server. That was your question, wasn't it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

If your MDM is a certificate authority, then all provisioning and on-boarding should go through the MDM app. This is the best user experience and the least complex path. That's what the MDM is designed for. It will all be contained.

Although you might be able to somehow point ISE to the MDM CA and provision that way, it's not recommended or tested. This way you're increasing complexity and making the on-boarding process more difficult.

Ok, now I get you. Yes, MDM on-boarding is the best user experience. However, the question was to know if ISE can be a SCEP server.
You can onboard the device through the MDM, but the certificate authority can be ISE or anything else; it won't change the user experience. It's just something happening behind the scenes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That's incorrect. If ISE is the SCEP server, then the client needs to use ISE BYOD onboarding, as the app has no way to control this and ISE only talks to the endpoint using the NSP wizard or the Apple iOS OTA flow. Don't do this; it's not supported. It doesn't make sense and isn't practical to point ISE at the MDM CA.

I didn't say it would work.
I said ISE can act as a SCEP server to get certificates from it, like you can do for AnyConnect users. For some users it doesn't work.
I said he can try, and if that works then fine, but I agree that this isn't the best way to do it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question