scep

The video presents one of possible methods to tag an iDevice (eg. iPhone, iPad) as a corporate asset using a certificate. We will walk through a profile creation using an iPhone Configuration Utility and installation on an iDevice. We will be observing a device requesting a certificate through SCEP, and, once obtained, perform wireless authentication using EAP-TLS against Cisco ISE. Authorization conditions will be constructed to look for a specific Common Name (CN) on the certificate, and appropriate access will be granted upon a match. iPhone will be used for testing in this video.

The video demonstrates how to install a SSL certificate on Cisco router and ASA firewall manually and via SCEP. Windows 2008 running Enterprise CA server is used in this lab to provide auto-enrollment. For manual enrollment, a Certificate Signing Request (CSR) is created on a network device and submitted to the CA through web enrollment. The issued certificate is then imported to the device. SCEP, on the other hand, automates the enrollment process into a single command through HTTP transaction given the CA is reachable to the devices.

The video presents you with various options to implement certificate Auto-Enrollment for network devices using SCEP. By default, a one-time challenge password needs to be generated and used per network device. This can be cumbersome and impractical in case the number of device is large. An alternative is to disable the use of challenge password entirely, but this could post security concern, although is potentially desirable in lab environment. An acceptable solution might be disabling auto-approval and have the CA admin approve certificate requests manually.

The video walks you through an installation of Enterprise Certificate Authority (CA) and Network Device Enrollment Service (NDES) (aka SCEP) on a Windows 2008. We will test the server with a certificate request through web enrollment from a Windows client, as well as SCEP from a Cisco router. SCEP communication is captured and reviewed on Wireshark. At the end of the video, you should have a working CA server that you can use for certificate authentication in future labs.