01-11-2018 06:43 PM
I have a customer that has the following BYOD requirements:
Is this possible? According to ISE's documentation, SCEP can be used for device on-boarding when coming from VPN, but what about when going through an MDM?
Thank you!
Neno
01-12-2018 07:38 PM
I don’t think that’s a good solution
The customer stated they wanted to use MDM for everything. I agree: if you have an MDM you should use its own CA to issue the certificates to the endpoints. MDM is meant to do all this.
Even though ISE can do BYOD, that doesn't mean you need to, and having ISE request a cert from MDM via BYOD is not a good idea; you're just complicating things unnecessarily.
I don’t see the use case and why you need to do this
12-12-2018 02:57 PM
01-12-2018 07:26 AM
I think it is possible, but our teams are not testing such use cases. I would suggest going ahead and trying it. Otherwise, you may use the regular ISE BYOD flow.
01-12-2018 07:32 AM
Why isn’t the customer using MDM to push the cert to the clients?
01-12-2018 06:32 PM
Hi Jason-
Is it possible for the MDM to utilize SCEP and request the certificate from the ISE CA on behalf of the endpoint?
01-17-2018 11:16 PM
Thank you for the helpful feedback Jason!
Neno
01-12-2018 06:31 PM
We are in an early pre-sales stage, so there is no way to test it. I also don't have access to an MDM, otherwise I would definitely test it. Perhaps I can suggest a POV and go from there.
I did mention the BYOD flow that exists in ISE, but they are pretty firm on using the MDM for everything.
12-11-2018 01:55 PM - edited 12-11-2018 02:16 PM
Hi Jason / Hsing,
I have a similar customer engagement in which they want to leverage their existing MDMs (JAMF for Mac, Airwatch for non-Mac) to provision the endpoints for EAP-TLS.
The MDM will own the provisioning flow, but they want to proxy the cert enrollment to the ISE CA so that ISE owns/manages the certificate.
Have we done any testing of this type of SCEP flow with external MDMs? Do we have systems in the BU labs to validate if this will work?
12-11-2018 06:46 PM
12-11-2018 07:00 PM
12-12-2018 02:52 PM
Thanks Jason. I think the issue with having the MDM manage it is that the MDM does not have a built-in CA, and the customer does not have an established SCEP service on their enterprise PKI.
I've looked at a few options for using the Certificate Provisioning Portal in ISE to allow the user to manually provision their cert, but that doesn't configure the supplicant to allow them to connect to the dot1x SSID.
The only way I can think of to get this working would be to force the user through the standard ISE BYOD flow and use the NSP to enroll the certificate and configure the supplicant, then redirect the user to the MDM after to do that side of the provisioning.
I know this is documented and validated for AirWatch, but do we know if this has been tested with Casper/JAMF?
12-12-2018 02:57 PM
12-13-2018 01:56 PM
Thanks Jason. After looking at some options with using self-signed certs from AirWatch, we found that the customer does actually have ADCS infrastructure that already integrates with AirWatch via DCOM (rather than SCEP). I've convinced the customer that, since the Apple devices are locked down by DEP initially, letting AirWatch provision the endpoints would be a much better and simpler method than trying to force the endpoint through the ISE Provisioning flow.
12-13-2018 02:03 PM
12-14-2018 02:22 PM - edited 12-14-2018 02:22 PM
It can work. The ASA/AnyConnect SCEP flow is an example where the ASA is doing SCEP proxy on behalf of the AnyConnect client. For ISE to permit SCEP/SCEP proxy, ISE needs to have an endpoint session or the IP needs to be in the network device group. You can try adding whatever source IP the SCEP from MDM will be coming from as a NAD on ISE (the RADIUS key can be anything, as it will not be utilized) and try the flow. Obviously this will be harder to test if this is a cloud-based MDM, but it should be doable if on-prem or private cloud. Just to be clear, this is the case where just because it works, doesn't mean it is supported.
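The pre-flight an MDM (or any other SCEP proxy) would run against the ISE internal CA before attempting the flow described in the reply above, as an added example that is not part of the thread or of any Cisco or MDM vendor code. It performs the two unauthenticated SCEP operations (GetCACaps and GetCACert, per RFC 8894) and decides whether a PKCSReq enrollment is worth attempting. Assumptions: the ISE SCEP URL path and port 9090 are the ones ISE publishes for its internal CA in the ASA/AnyConnect proxy flow, the hostname is made up, the HTTP responses are constructed stand-ins (the thread does not say what ISE returns when the source is neither a session nor a registered NAD, so the code only treats non-200 as "not permitted"), and the DER bytes are a placeholder, not a real certificate.

```python
"""SCEP pre-flight for enrolling against an ISE internal CA through a proxy.

Added example, not code from the thread. URL path, port, hostname and all
responses below are assumptions or constructed test data.
"""
from urllib.parse import urlencode

# Assumed: the SCEP URL ISE exposes for its internal CA (hostname made up).
ISE_SCEP_URL = "http://ise-pan.example.com:9090/auth/caservice/pkiclient.exe"


def scep_url(base, operation, message=None):
    """Build a SCEP GET URL (RFC 8894 4.1): operation plus optional message."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base}?{urlencode(params)}"


def parse_ca_caps(body):
    """GetCACaps returns one capability keyword per line (RFC 8894 3.5.2)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_enrollment_profile(caps):
    """Pick the strongest transport/digest/cipher the CA advertises.

    With no capabilities at all, RFC 8894 requires the legacy fallback of
    GET transport, MD5 digest and single DES; a CA that is only usable that
    way should be flagged rather than silently enrolled against.
    """
    if "SHA-256" in caps:
        digest = "SHA-256"
    elif "SHA-1" in caps:
        digest = "SHA-1"
    else:
        digest = "MD5"
    if "AES" in caps:
        cipher = "AES"
    elif "DES3" in caps:
        cipher = "3DES"
    else:
        cipher = "DES"
    return {
        "method": "POST" if "POSTPKIOperation" in caps else "GET",
        "digest": digest,
        "cipher": cipher,
        "renewal": "Renewal" in caps,
    }


def classify_ca_cert_response(content_type):
    """GetCACert returns a bare DER cert or a degenerate PKCS#7 chain (RFC 8894 4.2.1)."""
    if content_type == "application/x-x509-ca-cert":
        return "single-ca-cert"
    if content_type == "application/x-x509-ca-ra-cert":
        return "pkcs7-ca-ra-chain"
    return "unexpected"


def preflight(base, fetch):
    """Run GetCACaps then GetCACert via fetch(url) -> (status, content_type, body).

    Returns a dict saying whether a PKCSReq should be attempted. Any non-200
    is reported as "rejected" without interpreting it further, since the exact
    response ISE gives an unknown source is not documented in the thread.
    """
    status, _, body = fetch(scep_url(base, "GetCACaps"))
    if status != 200:
        return {"ok": False, "reason": f"GetCACaps rejected (HTTP {status})"}
    profile = choose_enrollment_profile(parse_ca_caps(body))

    status, ctype, cert_body = fetch(scep_url(base, "GetCACert"))
    if status != 200:
        return {"ok": False, "reason": f"GetCACert rejected (HTTP {status})"}
    form = classify_ca_cert_response(ctype)
    if form == "unexpected":
        return {"ok": False, "reason": f"unexpected GetCACert content-type {ctype!r}"}

    if profile["method"] == "GET" or profile["digest"] == "MD5":
        # The PKCSReq would have to be MD5-signed and DES-encrypted: do not proceed.
        return {"ok": False, "reason": "CA only offers legacy MD5/GET SCEP", "profile": profile}
    return {"ok": True, "profile": profile, "ca_cert_form": form, "ca_cert_bytes": len(cert_body)}


# Constructed responses: a source ISE knows (registered as a NAD) and one it does not.
_KNOWN_NAD_RESPONSES = {
    scep_url(ISE_SCEP_URL, "GetCACaps"): (200, "text/plain", "POSTPKIOperation\nSHA-256\nAES\nRenewal\n"),
    scep_url(ISE_SCEP_URL, "GetCACert"): (200, "application/x-x509-ca-ra-cert", b"\x30\x82\x01\x00"),  # placeholder DER
}


def demo_fetch_known_nad(url):
    return _KNOWN_NAD_RESPONSES[url]


def demo_fetch_unknown_source(url):
    # Assumed status for a source with no session and no NAD entry; not confirmed by the thread.
    return (403, "text/html", "")


if __name__ == "__main__":
    print(preflight(ISE_SCEP_URL, demo_fetch_known_nad))
    print(preflight(ISE_SCEP_URL, demo_fetch_unknown_source))
```

To use it against a real ISE, replace the demo fetch with one built on `urllib.request` (or the MDM's HTTP client) and run it from the host whose source IP you registered as the NAD; a pass here only means the CA is reachable and offers a sane profile, not that ISE will honour the subsequent PKCSReq, which is what the reply above says is unsupported even when it works.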