ISE - Best way to distribute certificates to Mac

Answered Question, Oct 22nd, 2014

I have a customer that has users with company-issued MacBook Pros.  They want to implement ISE for Wireless 802.1X access control, using EAP-TLS.  The challenge is certificate distribution to the Mac client device.  The customer's preference is to have it as automated as possible - much like with an AD GPO for the Windows machines.

I've thought of three options:

  • Point them to a Self-registration portal and have the device go through an NSP/BYOD process to get the cert on there (seems unnecessarily complex)
  • AnyConnect loaded on the Mac to get the cert (is this possible??)
  • Manually install the root certificate and then request/install the user certificate (what they want to avoid)

Which (if any) of those options is most reasonable, or is there a better way?

thanks in advance,

Andrew

 

Correct Answer by nspasov (Cisco Employee, Cisco Designated VIP), Thu, 10/23/2014 - 18:52

Hi Andrew-

I have done many deployments in the past where customers had Macs and wanted to on-board them with certificates. I have used both ISE and an MDM to perform this function. Currently ISE uses a Java-based provisioning which became messy when Apple removed the native Java application. With ISE 1.3 it will be moved to a .dmg-based deployment which will make things much easier. However, the whole on-boarding process (outside of Java) is pretty slick and user friendly. You can do it via single or dual SSIDs and tie the on-boarding to the users' AD credentials. You will need a SCEP/NDES server.

The MDM (IMO) makes the deployment even easier, and some of the providers out there can now integrate directly with the CA server without the need of a SCEP/NDES server.

Other than that, you can look into "Apple's Configurator", but I have not used it in the past so I am not sure what its capabilities are. I don't believe that the AnyConnect client has any options to auto-enroll a certificate.

You can have a manual process where the users must go and request the cert, download it, and install it along with the trusted root, but as you said that is not ideal and should be avoided.

Hope this helps!


andrew.chappelle Fri, 10/24/2014 - 19:46

Hi Neno,

Thanks a lot for your feedback!

I wanted to go down the BYOD portal path, but the customer feels that they shouldn't have to; these are corporate assets after all. I think this is going to become a business policy discussion with them rather than technical. I just wanted to make sure I wasn't missing any easier options - I'm a PC, not a Mac.

Again, thanks for taking the time to reply,

Andrew

 

nspasov (Cisco Employee, Cisco Designated VIP) Fri, 10/24/2014 - 20:21

Yeah, unfortunately businesses don't see it that way and they believe that Macs are enterprise ready :) That is why I have one myself, as I have to test these policies in my lab :)

Best regards, 

Neno
