04-12-2019 12:55 PM
Can someone please shed some light on useful documentation that will highlight the pros/cons of utilizing ISE and client provisioning to allow an end node to enroll for a PKI cert. Based on brief research it looks like the capabilities are limited. For example, it seems that the internal ISE templates only allow you to use the MAC as the SAN. It also seems that you can only provision the Windows native supplicant.
Currently I have an internal Microsoft PKI setup that deploys certificates to clients via auto-enrollment with proper security group permissions on a given template on the sub CA. We have several networks/use cases where some hosts use NAM for EAP chaining and others simply use the native supplicant.
I am trying to potentially automate the imaging process and the deployment of certificates using ISE. I would like ISE to act as another sub ca to my root that can issue certificates to lab admins going through the imaging process. All while still having the ability to use the current setup of auto-enrollment. The thought would be that ISE could potentially eliminate the manual intervention of the need to move a computer object in AD to the proper sec group to allow permissions to enroll.
Is the juice worth the squeeze? Can ISE use/share templates from another Microsoft sub CA via SCEP? My experiences for certificate provisioning are stronger when using an external PKI source. Thanks in advance!
04-13-2019 08:09 AM
I would definitely advocate doing autoenrollment at the domain computer level to avoid a manual step, but if you analyze the rebuild sequence you are probably 3-4 steps in before the device is joined to AD, runs GPOs, autoenrolls and even has a chance to do 802.1X. You have to figure out a way to get through those first few steps of the build process. As I said you can profile your way through the PXE boot and initial WinPE image step by looking at DHCP attributes. Once the WinPE image is pulled down you have the option to incorporate a program like the one I wrote to automatically add the MAC address to a whitelist in ISE and reboot.
The other way I handle this is by using a Temp bypass portal in ISE (a subversion of the MyDevices portal). We use this portal for help desk, desktop team, etc. to add MAC addresses into a whitelist to allow them on the network. That whitelist is purged every night. As part of their rebuild process they would add the MAC address into the temp bypass portal.
I
04-12-2019 03:22 PM
Hope this helps you Cisco ISE CA Service
04-12-2019 03:42 PM
Are you just trying to solve a reimaging issue? Domain computers when added to the domain aren't set to autoenroll for a computer certificate?
For reimage processes I usually exempt the PC build rooms from ISE authentication assuming they have dedicated switches. For in place reimaging outside the build room I have written an executable that is incorporated into the build process that will automatically add the MAC address of the NIC card into a whitelist on ISE using the REST API. You can profile your way through the initial PXE boot downloading of the WinPE image.
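The post above describes a build-process executable that adds the NIC's MAC address to an ISE whitelist (an endpoint identity group) through the REST API. The following is an added illustration of that idea, not the poster's program: it normalizes a MAC into the `AA:BB:CC:DD:EE:FF` form ISE expects, builds an ERS `POST /ers/config/endpoint` request that statically assigns the endpoint to a group, and optionally sends it. The hostname, credentials, group ID and CA bundle path are placeholders for your own deployment; the ERS group ID would normally be looked up first from `/ers/config/endpointgroup`, and the ERS account should hold only the ERS Operator role so a leaked build-image credential cannot do more than create endpoints.

```python
import base64
import json
import re
import ssl
import urllib.request
import uuid
from typing import Any, Dict

# Placeholder deployment values (assumptions, not from the thread). ERS listens on TCP 9060.
ISE_PAN = "ise-pan.example.internal"
ERS_USER = "ers-build-user"        # least-privilege account: ERS Operator role only
ERS_PASS = "change-me"
WHITELIST_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder endpoint group id

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Accept the usual separators (-, :, ., none) and return ISE's AA:BB:CC:DD:EE:FF form.
    Rejects anything that is not exactly 48 bits so a typo never creates a bogus endpoint."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(mac):
        raise ValueError(f"normalization failed for {raw!r}")
    return mac


def local_mac() -> str:
    """Best-effort MAC of the build host. uuid.getnode() falls back to a random
    48-bit value (multicast bit set) when no hardware address is found, so reject that."""
    node = uuid.getnode()
    if node & (1 << 40):
        raise RuntimeError("no hardware MAC found on this host")
    return normalize_mac(f"{node:012X}")


def build_endpoint_request(mac: str, group_id: str, description: str) -> Dict[str, Any]:
    """Assemble the ERS request that creates an endpoint statically placed in a group.
    Returned as a plain dict so it can be inspected or logged before anything is sent."""
    canonical = normalize_mac(mac)
    payload = {
        "ERSEndPoint": {
            "name": canonical,
            "description": description,
            "mac": canonical,
            "groupId": group_id,
            "staticGroupAssignment": True,   # keep it in the group even if profiling reclassifies it
        }
    }
    token = base64.b64encode(f"{ERS_USER}:{ERS_PASS}".encode()).decode()
    return {
        "method": "POST",
        "url": f"https://{ISE_PAN}:9060/ers/config/endpoint",
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
        "body": json.dumps(payload),
    }


def send(request: Dict[str, Any], ca_bundle: str) -> int:
    """Send the prepared request, verifying the ISE admin certificate against our own CA bundle
    rather than disabling TLS verification. Returns the HTTP status (201 on success)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        request["url"],
        data=request["body"].encode(),
        headers=request["headers"],
        method=request["method"],
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


if __name__ == "__main__":
    # Typical build-step usage: whitelist this host, then the task sequence reboots into 802.1X/MAB.
    req = build_endpoint_request(local_mac(), WHITELIST_GROUP_ID, "imaging in progress")
    print(req["url"], json.loads(req["body"])["ERSEndPoint"]["mac"])
    # send(req, "/path/to/internal-ca-bundle.pem")  # uncomment on a host that can reach the PAN
```

Pairing this with the nightly purge the next post mentions matters: an endpoint created this way is a MAB bypass, so the group it lands in should be time-limited or cleaned up once the build finishes and the machine can authenticate with its own certificate.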
04-13-2019 07:20 AM