ClearPass BYOD : Basics to implement ClearPass + Airwatch + ADCS for EAP-TLS

Active Directory Certificate Services

 

Active Directory Certificate Services (ADCS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

 

Following link explains the features and installation of ADCS https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx.

 

Airwatch Mobile Device Management

 

AirWatch is a Mobile Device Management (MDM) service that will allow us to provide better security for smartphones, tablets and most mobile devices that will connect to the WUSM-Secure WiFi network. Airwatch has been selected as the enterprise solution to manage mobile devices. It will allow WUSM to provide better security for smartphones, tablets and most mobile devices using a mobile operating system that will connect to the WUSM-Secure WiFi network. In addition, AirWatch will help WUSM comply with federal and state regulations. The Encryption Subcommittee chaired by the FPP Board recommended an enterprise solution to provide consistent and timely reporting for compliance.

 

Simple Certificate Enrollment Protocol

 

Simple Certificate Enrollment Protocol (SCEP) is a protocol used for enrollment and other Public Key Infrastructure (PKI) operations.

Following link explains SCEP: http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html#anc0

The EAP-TLS Authentication Protocol

 

The Extensible Authentication Protocol (EAP), defined in RFC 3748,  provides support for multiple authentication methods.  Transport Layer Security (TLS) provides for mutual authentication, integrity-protected cipher suite negotiation, and key exchange between two endpoints.  .

 

The following link explains EAP-TLS: https://tools.ietf.org/html/rfc5216

 

 BYOD SSID Flow:

 

CPPMandMDMintegrationtutorialblog

  • By now we would assume that the ADCS integration with Airwatch is done .
  • The Client would have a Airwatch agent that would be able to pull the configuration related to the device from Airwatch
  • Client Creates a CSR and forwards to the Airwatch , which in turn reaches out to ADCS to get it signed.
  • The MI pushes this certificate along with the BYOD SSID profile on the Client devices.
  • The Device connects to BYOD SSID performing EAP-TLS authentication.
  • The integration with ClearPass and Airwatch we would be able to fetch the required attributes and assign appropriate policy.

 

Implementation:

 

Step 1: Active Directory Certificate Services installation

The following link explains this https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx

 

 

Step2: Integration of Airwatch with ADCS using SCEP and push the client certificates and Wireless profile on the clients

Below link explains this http://pubs.vmware.com/vidm/index.jsp?topic=%2Fcom.vmware.wsair-administration%2FGUID-C0308F39-AC0F-42F6-B672-1C8D3BFEDE26.html

 

 

Step 3: Configure the wireless controller to Broadcast the SSID with EAP-TLS

 

Step 4: Configure a service, roles, required enforcement profiles on ClearPass.

 

Hope this was helpful ! Cheers !

Sushanth M

 

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts

Wireless Survey

Table of contents: The document covers what is a wireless survey, why wireless survey, the