cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4142
Views
0
Helpful
3
Replies

ISE - Best way to distribute certificates to Mac

I have a customer that has users with company-issued MacBook Pros.  They want to implement ISE for Wireless 802.1X access control, using EAP-TLS.  The challenge is certificate distribution to the Mac client device.  The customer's preference is to have it as automated as possible - much like with an AD GPO for the Windows machines.

I've thought of three options:

  • Point them to a Self-registration portal and have the device go through an NSP/BYOD process to get the cert on there (seems unnecessarily complex)
  • Anyconnect loaded on the Mac to get the cert (is this possible??)
  • Manually install the root certificate and then request/install the user certificate (what they want to avoid)

Which (if any) of those options is most reasonable, or is there a better way?

thanks in advance,

Andrew

 

1 Accepted Solution

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

Hi Andrew-

I have done many deployments in the past where customer had MAC and wanted to on-board them with certificates. I have used both ISE and an MDM to perform this function. Currently ISE uses a Java based provisioning which became messy when Apple removed the native Java application. With ISE 1.3 it will be moved to a .dmg based deployment which will make things much easier. However, the whole on-boarding process (outside of java) is pretty slick and user friendly. You can do it via single or dual SSIDs and tie the on-boarding to the users' AD credentials. You will need a SCEP/NDES server.

The MDM (IMO) makes the deployment even easier and some of the providers out there can now integrate directly with the CA server without the need of SCEP/NDES server.

Other than that, you can look into "Apple's Configurator" but I have not used it in the past so I am not sure what are its capabilities. I don't believe that the AnyConnect client has any options to auto enroll a certificate. 

You can have a manual process where the users must go and request the cert, download it, install it along with the trusted root but as you said that is not ideal and should be avoided. 

Hope this helps!

 

Thank you for rating helpful posts!

View solution in original post

3 Replies 3

nspasov
Cisco Employee
Cisco Employee

Hi Andrew-

I have done many deployments in the past where customer had MAC and wanted to on-board them with certificates. I have used both ISE and an MDM to perform this function. Currently ISE uses a Java based provisioning which became messy when Apple removed the native Java application. With ISE 1.3 it will be moved to a .dmg based deployment which will make things much easier. However, the whole on-boarding process (outside of java) is pretty slick and user friendly. You can do it via single or dual SSIDs and tie the on-boarding to the users' AD credentials. You will need a SCEP/NDES server.

The MDM (IMO) makes the deployment even easier and some of the providers out there can now integrate directly with the CA server without the need of SCEP/NDES server.

Other than that, you can look into "Apple's Configurator" but I have not used it in the past so I am not sure what are its capabilities. I don't believe that the AnyConnect client has any options to auto enroll a certificate. 

You can have a manual process where the users must go and request the cert, download it, install it along with the trusted root but as you said that is not ideal and should be avoided. 

Hope this helps!

 

Thank you for rating helpful posts!

Hi Neno,

Thanks a lot for your feedback!

I wanted to go down the BYOD portal path, but the customer feels that they shouldn't have to; these are corporate assets after all.  I think this is going to become a business policy discussion with them rather than technical.  I just wanted to make sure i wasn't missing any, easier options - I'm a PC, not a Mac.

Again, thanks for taking the time to reply,

Andrew

 

Yeah, unfortunately business don't see it that way and they believe that MACs are enterprise ready :) That is why I have one myself as I have to test these policies in my lab :)

Best regards, 

Neno

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: