Hi everybody.
I'm struggling with the task of setting up certificate-based authentication with a Microsoft Root CA and Cisco ISE as the authenticator - never done something like this before.
The goal is the following:
Certificate-based authentication of the mobile devices over the Cisco ISE cluster as an authenticator with AirWatch & Microsoft CA.
I just want to implement a simple certificate-based authentication with a root CA + a device-based certificate?
Now I have read a lot about ADCS via DCOM and NDES via SCEP and so on, but I'm not sure which technology or setting I should use for my use case.
What steps should be done to achieve a certificate-based Wi-Fi authentication like planned?
1. In each case I need a Microsoft certificate authority (CA)
2. Duplicate/Create a certificate template in the CA + activate it
3. Configure the CA and the certificate template in WS One so that Workspace ONE UEM can retrieve a certificate from a CA
4. Configure the certificate template (request template) in AirWatch
I have seen different settings for certificates:
In the Profile Settings (iOS/Android) I can configure a Credentials Payload.
Also in the Wi-Fi Payload in the Profile Settings I can add Trusted Server Certificate Names and see Trusted Certificates.
I'm not sure how everything works together and which configuration is really necessary. I'm still researching everything, but maybe someone has done this before and could give me a push in the right direction? I already read the existing postings on this topic but couldn't figure out the right information.
If someone has some experience and is willing to share it with me, then I would really be thankful!
Cheers and thanks a lot
Sven
Sven,
I did a lot of work integrating Cisco ISE and AirWatch many years ago so hopefully this will help.
If at all possible, use ADCS via DCOM instead of NDES. NDES/SCEP is not nearly as robust as ADCS via DCOM and in my opinion much harder to setup and get working. ADCS via DCOM is usually very simple.
I would highly recommend getting cert based authentication working on your WiFi network prior to introducing Workspace ONE into the equation. You need to setup the authentication methods in your WiFi network (if using Cisco this would be in the controller). This means creating a certificate template in ADCS that matches the rules you setup in the RADIUS server (Cisco ISE). I'm sure Cisco has a ton of documentation on how to set this up. Remember that Workspace ONE is just a method of delivering a certificate to the device, it doesn't play a role in the authentication and authorization of the certificate. Once you have cert based auth working on the WiFi network then you can configure Workspace ONE to deliver the certificate and configure the WiFi network on the device.
The second part of the integration with ISE is using enrollment and compliance as a means to get access to the corporate network. Cisco and VMware have worked together to create a set of APIs that are used to validate a device is enrolled and compliant in Workspace ONE before the ISE will grant that device permission to access the network. These are completely separate functions, you can do one without the other. Cert Auth is relatively easy, integrating and configuring ISE to check device status with Workspace ONE is not too hard but a bit more complicated.
Hopefully this helps. I can dig up some old documents that may contain more information, if I can find them I will attach them to this post.
Roger
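Roger's point that the ADCS template has to match what ISE expects can be checked on the issued certificate itself before touching the Workspace ONE profile. The script below is an added example, not code from this thread, Cisco, VMware or Microsoft: it builds a throwaway root CA and two device certificates with openssl (constructed stand-ins for the Microsoft root CA and for a certificate delivered to a device) and checks the two things an EAP-TLS authenticator needs, a chain to the trusted root and the Client Authentication EKU.

```shell
#!/bin/sh
# Added example. The root CA and device certs are generated locally so the
# check runs offline; in a real deployment ROOT is the Microsoft CA's cert
# and DEVICE is the cert Workspace ONE delivered to the device.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_pki() {
  # Constructed root CA (stand-in for the Microsoft root CA)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Constructed device key + CSR (what the DCOM/SCEP request would carry)
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=device-0001" -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
  # Good template: Client Authentication EKU, as EAP-TLS on ISE requires
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:device-0001.example.test\n' > "$WORK/good.cnf"
  openssl x509 -req -sha256 -days 30 -in "$WORK/dev.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/good.cnf" -out "$WORK/dev.pem" 2>/dev/null
  # Wrong template: same CA, but only Server Authentication EKU
  printf 'extendedKeyUsage=serverAuth\n' > "$WORK/bad.cnf"
  openssl x509 -req -sha256 -days 30 -in "$WORK/dev.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/bad.cnf" -out "$WORK/bad.pem" 2>/dev/null
}

# check_device_cert ROOT_PEM DEVICE_PEM
# Exit 0 only if DEVICE_PEM chains to ROOT_PEM and carries the clientAuth EKU;
# 1 = chain failure (wrong/missing root), 2 = wrong template (no clientAuth).
check_device_cert() {
  root=$1; cert=$2
  # 1. Chain: the authenticator must be able to build a path to a trusted root
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "chain: FAIL ($cert does not chain to $root)"; return 1; }
  # 2. EKU: the template must include TLS Web Client Authentication
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -q "TLS Web Client Authentication" \
    || { echo "eku: FAIL ($cert lacks Client Authentication)"; return 2; }
  echo "ok: $(openssl x509 -in "$cert" -noout -subject)"
  return 0
}

make_test_pki
check_device_cert "$WORK/root.pem" "$WORK/dev.pem"          # ok: subject=CN = device-0001
check_device_cert "$WORK/root.pem" "$WORK/bad.pem" || true  # eku: FAIL
```

Point the function at the real root certificate and a certificate exported from an enrolled device to see which of the two checks a "looping" Wi-Fi profile is failing.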
Sven, I wrote a blog post on this setup not too long ago. Check it out and see if it helps with your setup as well.
@chengtmskcc - Great blog post. The document that you were referring to on the support site is the one I wrote and was trying to find! LOL! Small World. And I worked with the guy at Cisco to create the first document you linked to, unfortunately he is no longer there and as you pointed out, additional documents were not created. Thanks for creating the blog, very helpful. If you just want to do cert auth on the WiFi network you don't need to setup all the integration shown in the blog, that is to take full advantage of the ISE/UEM integration. I would highly recommend doing the integration, it makes for a very powerful solution.
Roger
Hey Roger. Thanks for the compliment. I actually wrote that post last year but didn't get to publish it until now hoping Sven and others may find it useful.
Thank you so much chengtmskcc,
with the article we could get further in the process. Thanks for sharing your experience in your blog - awesome job!
And sorry for the delayed answer. I was full with work and couldn't breathe.
Thank you RogerDeane for the Explanation. This helped a lot!
Hey don't sweat it. We are all in this together!
Alright - Thanks a lot ❤️
Hope all of you are safe and people are subscribed to this thread.
We are trying to push our office Wi-Fi via the MSFT PKI profile.
The profile gets pushed but the Wi-Fi never connects and just keeps looping.
Can someone in this group share with me a working Wi-Fi profile screenshot via MSFT CA?
Please blank out your company information, no issues.