I did a lot of work integrating Cisco ISE and AirWatch many years ago so hopefully this will help.
If at all possible, use ADCS via DCOM instead of NDES. NDES/SCEP is not nearly as robust as ADCS via DCOM and in my opinion much harder to set up and get working. ADCS via DCOM is usually very simple.
I would highly recommend getting cert-based authentication working on your WiFi network prior to introducing Workspace ONE into the equation. You need to set up the authentication methods in your WiFi network (if using Cisco, this would be in the controller). This means creating a certificate template in ADCS that matches the rules you set up in the RADIUS server (Cisco ISE). I'm sure Cisco has a ton of documentation on how to set this up. Remember that Workspace ONE is just a method of delivering a certificate to the device; it doesn't play a role in the authentication and authorization of the certificate. Once you have cert-based auth working on the WiFi network, you can configure Workspace ONE to deliver the certificate and configure the WiFi network on the device.
The second part of the integration with ISE is using enrollment and compliance as a means to get access to the corporate network. Cisco and VMware have worked together to create a set of APIs that are used to validate a device is enrolled and compliant in Workspace ONE before the ISE will grant that device permission to access the network. These are completely separate functions, you can do one without the other. Cert Auth is relatively easy, integrating and configuring ISE to check device status with Workspace ONE is not too hard but a bit more complicated.
Hopefully this helps. I can dig up some old documents that may contain more information, if I can find them I will attach them to this post.
@chengtmskcc - Great blog post. The document that you were referring to on the support site is the one I wrote and was trying to find! LOL! Small World. And I worked with the guy at Cisco to create the first document you linked to, unfortunately he is no longer there and as you pointed out, additional documents were not created. Thanks for creating the blog, very helpful. If you just want to do cert auth on the WiFi network you don't need to setup all the integration shown in the blog, that is to take full advantage of the ISE/UEM integration. I would highly recommend doing the integration, it makes for a very powerful solution.
Hey Roger. Thanks for the compliment. I actually wrote that post last year but didn't get to publish it until now hoping Sven and others may find it useful.
Thank you so much chengtmskcc, with the article we could get further in the process. Thanks for sharing your experience in your blog - awesome job!
And sorry for the delayed answer. I was full with work and couldn't breathe.
Thank you RogerDeane for the explanation. This helped a lot!
Hey don't sweat it. We are all in this together!
Alright - Thanks a lot <3
Hope all of you are safe and people are subscribed to this thread.
We are trying to push our office Wi-Fi via the MSFT PKI profile.
The profile gets pushed, but the WiFi never connects and just keeps looping.
Can someone in this group share a screenshot of a working WiFi profile via MSFT CA?
Please blank out your company information, no issues.
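One thing worth doing before comparing profile screenshots is to check, on the device itself, whether the certificate that Workspace ONE delivered actually satisfies what the RADIUS side will demand of it. Roger's point above is that Workspace ONE only delivers the certificate; the ADCS template has to produce something ISE will accept (a chain it trusts, the Client Authentication EKU, and a subject or SAN field it can map to an identity), and a WiFi profile that "loops" is very often a certificate that landed in the wrong store, arrived without its private key, or was cut from a template missing the Client Authentication EKU. The script below is an added example written for this thread, not code from the original posters, Cisco or VMware. It assumes a Windows 10/11 device enrolled in Workspace ONE that received a user certificate into `Cert:\CurrentUser\My`; the issuing CA name is a placeholder you must replace, and for a machine certificate you would point it at `Cert:\LocalMachine\My` instead.

```powershell
# Added example for this thread; not code from Cisco, VMware or the original posters.
# Assumptions: Windows 10/11 device enrolled in Workspace ONE, user cert delivered by
# the ADCS (MSFT CA) credential payload into CurrentUser\My. The CA name is a placeholder.
function Test-EapTlsClientCert {
    param(
        # Substring of the issuing CA's subject. PLACEHOLDER: set to your issuing CA.
        [string] $IssuingCaName = 'Corp Issuing CA',
        # Use 'Cert:\LocalMachine\My' when the profile delivers a machine certificate.
        [string] $StorePath     = 'Cert:\CurrentUser\My'
    )

    # id-kp-clientAuth. ISE (and RADIUS servers generally) require this EKU for EAP-TLS.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -like "*$IssuingCaName*" }
    if (-not $certs) {
        Write-Warning "No certificate issued by '$IssuingCaName' in $StorePath. Either the credential payload never landed, or it went to the other store (user vs. machine)."
        return
    }

    foreach ($cert in $certs) {
        # Build the chain with the Client Authentication application policy. This is close to
        # what the RADIUS server does with the certificate the supplicant presents: the chain
        # must reach a trusted root and every cert in it must permit client authentication.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
        $chainOk = $chain.Build($cert)

        # Subject Alternative Name (2.5.29.17). ISE's certificate authentication profile maps
        # an identity from a field such as the SAN UPN or the Subject CN, so it must be present.
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($true) }

        $result = [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
            HasClientAuth  = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
            SubjectAltName = $san
            ChainBuilds    = $chainOk
            ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }

        # Each of these is a reason the supplicant will keep retrying instead of associating.
        if (-not $result.HasPrivateKey) {
            Write-Warning "$($cert.Thumbprint): no private key. The TLS handshake cannot complete; the cert was not delivered as a key pair."
        }
        if (-not $result.HasClientAuth) {
            Write-Warning "$($cert.Thumbprint): no Client Authentication EKU. Fix the ADCS template; the RADIUS server will reject this cert."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$($cert.Thumbprint): expired on $($cert.NotAfter)."
        }
        if (-not $chainOk) {
            Write-Warning "$($cert.Thumbprint): chain does not build ($($result.ChainStatus)). Check that the CA chain was also delivered to the device."
        }
        if (-not $san) {
            Write-Warning "$($cert.Thumbprint): no SAN. If ISE maps identity from the SAN, this cert will map to no user."
        }
        $result
    }
}

# Run against the user store with the placeholder CA name; replace it before use.
Test-EapTlsClientCert
```

If every field comes back clean on the device, the certificate is not the problem and the remaining suspects are the profile's trust settings (which root the supplicant is told to accept for the RADIUS server certificate) and the ISE-side authentication and authorization rules, which is exactly the part Roger recommends getting working with a manually installed certificate before Workspace ONE is introduced.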