Active Directory Certificate Services
Active Directory Certificate Services (ADCS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.
Following link explains the features and installation of ADCS https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx.
Airwatch Mobile Device Management
AirWatch is a Mobile Device Management (MDM) service that will allow us to provide better security for smartphones, tablets and most mobile devices that will connect to the WUSM-Secure WiFi network. Airwatch has been selected as the enterprise solution to manage mobile devices. It will allow WUSM to provide better security for smartphones, tablets and most mobile devices using a mobile operating system that will connect to the WUSM-Secure WiFi network. In addition, AirWatch will help WUSM comply with federal and state regulations. The Encryption Subcommittee chaired by the FPP Board recommended an enterprise solution to provide consistent and timely reporting for compliance.
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) is a protocol used for enrollment and other Public Key Infrastructure (PKI) operations.
Following link explains SCEP: http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html#anc0
The EAP-TLS Authentication Protocol
The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides for mutual authentication, integrity-protected cipher suite negotiation, and key exchange between two endpoints.  .
The following link explains EAP-TLS: https://tools.ietf.org/html/rfc5216
BYOD SSID Flow:
- By now we would assume that the ADCS integration with Airwatch is done .
- The Client would have a Airwatch agent that would be able to pull the configuration related to the device from Airwatch
- Client Creates a CSR and forwards to the Airwatch , which in turn reaches out to ADCS to get it signed.
- The MI pushes this certificate along with the BYOD SSID profile on the Client devices.
- The Device connects to BYOD SSID performing EAP-TLS authentication.
- The integration with ClearPass and Airwatch we would be able to fetch the required attributes and assign appropriate policy.
Implementation:
Step 1: Active Directory Certificate Services installation
The following link explains this https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx
Step2: Integration of Airwatch with ADCS using SCEP and push the client certificates and Wireless profile on the clients
Below link explains this http://pubs.vmware.com/vidm/index.jsp?topic=%2Fcom.vmware.wsair-administration%2FGUID-C0308F39-AC0F-42F6-B672-1C8D3BFEDE26.html
Step 3: Configure the wireless controller to Broadcast the SSID with EAP-TLS
Step 4: Configure a service, roles, required enforcement profiles on ClearPass.
Hope this was helpful ! Cheers !
Sushanth M