SEC0047 - ISE 1.1 iPhone SCEP Certificate Install with EAP-TLS


The video presents one possible method of tagging an iDevice (e.g. iPhone, iPad) as a corporate asset using a certificate. We walk through profile creation with the iPhone Configuration Utility and installation of the profile on an iDevice. We observe the device requesting a certificate through SCEP and, once the certificate is obtained, performing wireless authentication with EAP-TLS against Cisco ISE. Authorization conditions are constructed to look for a specific Common Name (CN) on the certificate, and the appropriate access is granted upon a match. An iPhone is used for testing in this video.

Note:
  • Partial configurations on Cisco ISE were performed in the previous videos.
Topic:
  • iPhone Configuration Utility and Profile creation
  • iPhone Network/Certificate Profile
  • Windows 2008 SCEP and Certificate Template
  • Certificate Customized Common Name
  • Authentication/Authorization Policy with EAP-TLS
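The profile the video builds in the iPhone Configuration Utility, as an added Python example that is not from the video or from labminutes: it emits the SCEP and Wi-Fi (EAP-TLS) payloads of a .mobileconfig and lints a profile for the mistakes that stop the ISE CN rule from ever matching (Wi-Fi payload not bound to the SCEP identity, other EAP types allowed, no CN in the subject). The SCEP URL, SSID, payload identifiers and challenge are constructed placeholders; the key names follow Apple's Configuration Profile Reference.

```python
import uuid

EAP_TLS = 13  # EAP type number used in AcceptEAPTypes (13 = EAP-TLS)


def build_profile(cn, ssid, scep_url, challenge="<scep-challenge>"):
    """Return a profile dict: a SCEP payload plus a Wi-Fi payload that does
    EAP-TLS with the identity the SCEP payload enrols (placeholder values)."""
    scep_uuid = str(uuid.uuid4())
    scep = {
        "PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.scep", "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "Corporate device certificate",
        "PayloadContent": {
            "URL": scep_url, "Name": "corp-ca", "Challenge": challenge,
            # Subject is a list of RDNs; the CN is what the ISE rule matches.
            "Subject": [[["CN", cn]], [["O", "Example Corp"]]],
            "Key Type": "RSA", "Keysize": 2048, "Key Usage": 5,  # sign+encrypt
        },
    }
    wifi = {
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.wifi",
        "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "Corporate Wi-Fi",
        "SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA",
        "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]},
        "PayloadCertificateUUID": scep_uuid,  # identity from the SCEP payload
    }
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile", "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corporate iPhone SCEP + EAP-TLS",
        "PayloadContent": [scep, wifi],
    }


def check_profile(profile):
    """Lint: Wi-Fi must use the SCEP identity and only EAP-TLS; SCEP needs a CN."""
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    scep = by_type.get("com.apple.security.scep")
    wifi = by_type.get("com.apple.wifi.managed")
    if scep is None or wifi is None:
        return False, "missing SCEP or Wi-Fi payload"
    if wifi.get("PayloadCertificateUUID") != scep["PayloadUUID"]:
        return False, "Wi-Fi payload does not reference the SCEP identity"
    if wifi.get("EAPClientConfiguration", {}).get("AcceptEAPTypes") != [EAP_TLS]:
        return False, "Wi-Fi payload accepts EAP types other than EAP-TLS"
    rdns = [rdn for group in scep["PayloadContent"]["Subject"] for rdn in group]
    if not any(r[0] == "CN" and r[1] for r in rdns):
        return False, "SCEP subject has no CN for the ISE rule to match"
    return True, "ok"
```

`plistlib.dumps(build_profile(...))` gives the XML .mobileconfig that IPCU would install; the ISE authorization condition then matches the CN passed to `build_profile`.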

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

Constructing an authentication policy is very straightforward. You match wired or wireless based on the conditions that already exist in the default library, and set the allowed protocol, which could be either PEAP or EAP-TLS.

Is it possible to do this with ACS 5x? I have configured the Root CA in the ACS in both Identity Stores and in Local Certificates and both checked for use with EAP trust. The issue I am having is that the ACS rejects the handshake since the IPCU self-signed CA is not in the Identity Stores as a trusted CA. I have also tried to match the authorization profile to Certificate Common Name on the configured cert from the IPCU but to no avail.

Since the iPhone obtains a certificate beforehand via IPCU and just does EAP-TLS authentication, this should work just fine with ACS, or any other RADIUS server. If you are using a Microsoft CA with SCEP enabled, both the iPhone and ACS certificates should be signed by the CA so they will trust each other.

A client is requesting an enterprise-wide cert deployment to iPhones/iPads for EAP-TLS authentication. As the Apple configuration utility is a very manual process and would be tedious to do for a few hundred users, what other methods would you suggest? I have looked at the MDM suites available but am unsure as to which is a good fit to select, or if there is another process to do such a deployment with ease.

Even before that, you need to decide if you want to do

1. One common certificate for all devices (i.e. all you care about is tagging the device as a corporate asset)

2. Device certificate (i.e. same as (1) but you can revoke an individual cert if needed; no user identity, as devices might be shared)

3. User certificate (i.e. user identity is tied to the device and its sole owner)

For large-scale deployment, using MDM to streamline cert install is the safest bet. Some MDMs are capable of integrating with a 3rd-party cert provider such that when a device is enrolled with the MDM, it will have a cert generated and installed along with a Wi-Fi profile that it can use for EAP-TLS authentication. Hope this helps.

Hi, we are trying to deploy IBM MaaS360 and a Cloud Extender with ISE integration for the EAP-TLS.
Is a machine cert + user cert combination supported, like on a regular laptop device? Can we use our corporate CA cert instead of the third-party one?

We are unfamiliar with these particular vendors, but they should work like any other MDM that can push device certs to devices. Machine/user certs are more for Windows computers, and you need to check whether the MDM is capable of pushing those certs. For Windows domain computers, you should use GPO instead. You also need to check with the vendor whether enterprise CA integration is supported.

I am searching for the iOS app simulator you are using in the video, but I can't find it. Can you provide a link for it?