VMware Workspace ONE Community
sbenkel
Enthusiast

Microsoft CA Certificate Wifi Access & Cisco ISE (ADCS via DCOM / NDES via SCEP ?!?)

Hi everybody.

I'm struggling with the task of setting up certificate-based authentication with a Microsoft Root CA and Cisco ISE as the authenticator - I've never done something like this before.

The goal is the following:

Certificate-based authentication of the mobile devices over the Cisco ISE cluster as the authenticator, with AirWatch & Microsoft CA.

I just want to implement simple certificate-based authentication with a root CA + a device-based certificate.

Now I have read a lot about ADCS via DCOM and NDES via SCEP and so on, but I'm not sure which technology or setting I should use for my use case.

AD CS via DCOM

NDES via SCEP

What steps need to be done to achieve certificate-based Wi-Fi authentication as planned?

1. In each case I need a Microsoft certificate authority (CA)

2. Duplicate/create a certificate template in the CA + activate it

3. Configure the CA and the certificate template in WS One so that Workspace ONE UEM can retrieve a certificate from the CA

4. Configure the certificate template (request template) in AirWatch

I have seen different settings for certificates:

In the Profile Settings (iOS/Android) I can configure the Credentials Payload

Also, in the Wi-Fi payload in the Profile Settings I can add Trusted Server Certificate Names and see Trusted Certificates.

I'm not sure how everything works together and which configuration is really necessary. I'm still researching everything, but maybe someone has done this before and could give me a push in the right direction? I already read the existing postings on this topic but couldn't figure out the right information.

If someone has some experience and is willing to share it with me, I would really be thankful!

Cheers and thanks a lot

Sven

Accepted Solution
RogerDeane
VMware Employee

Sven,

I did a lot of work integrating Cisco ISE and AirWatch many years ago so hopefully this will help.

If at all possible, use ADCS via DCOM instead of NDES. NDES/SCEP is not nearly as robust as ADCS via DCOM and in my opinion much harder to set up and get working. ADCS via DCOM is usually very simple.

I would highly recommend getting cert-based authentication working on your WiFi network prior to introducing Workspace ONE into the equation. You need to set up the authentication methods in your WiFi network (if using Cisco this would be in the controller). This means creating a certificate template in ADCS that matches the rules you set up in the RADIUS server (Cisco ISE). I'm sure Cisco has a ton of documentation on how to set this up. Remember that Workspace ONE is just a method of delivering a certificate to the device; it doesn't play a role in the authentication and authorization of the certificate. Once you have cert-based auth working on the WiFi network, then you can configure Workspace ONE to deliver the certificate and configure the WiFi network on the device.

The second part of the integration with ISE is using enrollment and compliance as a means to get access to the corporate network. Cisco and VMware have worked together to create a set of APIs that are used to validate that a device is enrolled and compliant in Workspace ONE before ISE will grant that device permission to access the network. These are completely separate functions; you can do one without the other. Cert auth is relatively easy; integrating and configuring ISE to check device status with Workspace ONE is not too hard but a bit more complicated.

Hopefully this helps. I can dig up some old documents that may contain more information; if I can find them, I will attach them to this post.

Roger

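Roger's point that the ADCS template has to match what ISE checks can be made concrete. The Go program below is an added example, not code from this thread or from VMware or Cisco: it builds a constructed lab root CA and a device certificate issued from it, then runs the two checks an EAP-TLS authenticator such as ISE performs on a device certificate, chaining to the trusted root and carrying the Client Authentication EKU, so a template that lacks that EKU is rejected before any Wi-Fi profile is pushed. The CA name, device name and validity period are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer under parent (self-signed when parent == tmpl) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// CheckDeviceCert applies the two checks an EAP-TLS authenticator such as ISE makes before accepting
// a device: the cert must chain to the trusted root and must carry the Client Authentication EKU.
func CheckDeviceCert(dev, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// BuildLab builds a throwaway root CA and a device cert it issued (constructed sample data, not a real
// PKI); eku stands in for the application policy the ADCS template stamps into the device cert.
func BuildLab(eku x509.ExtKeyUsage) (dev, root *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	return makeCert(devTmpl, root, &devKey.PublicKey, caKey), root
}

func main() {
	dev, root := BuildLab(x509.ExtKeyUsageServerAuth)
	fmt.Println("server-auth-only device cert:", CheckDeviceCert(dev, root))
}
```

Run as written it reports the rejection of a device cert whose template only granted Server Authentication even though the chain is valid; calling BuildLab(x509.ExtKeyUsageClientAuth) gives the passing case.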
9 Replies
chengtmskcc
Expert

Sven, I wrote a blog post on this setup not too long ago. Check it out and see if it helps with your setup as well.

https://bit.ly/3gssRtq

RogerDeane
VMware Employee

@chengtmskcc - Great blog post. The document that you were referring to on the support site is the one I wrote and was trying to find! LOL! Small world. And I worked with the guy at Cisco to create the first document you linked to; unfortunately he is no longer there and, as you pointed out, additional documents were not created. Thanks for creating the blog, very helpful. If you just want to do cert auth on the WiFi network you don't need to set up all the integration shown in the blog; that is to take full advantage of the ISE/UEM integration. I would highly recommend doing the integration, it makes for a very powerful solution.

Roger

chengtmskcc
Expert

Hey Roger. Thanks for the compliment. I actually wrote that post last year but didn't get to publish it until now, hoping Sven and others may find it useful.

sbenkel
Enthusiast

Thank you so much chengtmskcc,

with the article we could get further in the process. Thanks for sharing your experience in your blog - awesome job!

And sorry for the delayed answer. I was swamped with work and couldn't breathe.

sbenkel
Enthusiast

Thank you, RogerDeane, for the explanation. This helped a lot!

chengtmskcc
Expert

Hey, don't sweat it. We are all in this together! :)

sbenkel
Enthusiast

Alright - thanks a lot :) ❤️

Ramkumara11
Enthusiast

Hope all of you are safe and people are subscribed to this thread.

We are trying to push our office Wi-Fi via the MSFT PKI profile.

The profile gets pushed but the Wi-Fi never connects and just keeps looping.

Can someone in this group share with me a screenshot of a working Wi-Fi profile via MSFT CA?

Please blank out your company information, no issues :)
