Security

I'm interested in automatically onboarding iPads over the Internet after MDM enrollment.  We want these iPads to have automatic access to the corporate network when they're visiting and keep them from having to onboard manually.  I read Danny's tech article on SCEP MDM integration and understand that what I want is possible with SCEP & an MDM solution.  However, I have reservations about exposing Clearpass to the Internet in order for the remote device to hit the SCEP URL and download its cert.  What ports are even needed?  How do you secure access only to the SCEP service?

 

If anyone has configured SCEP and allowed remote access, I'd be interested to know about your implementation and the security you implemented.

Jay,

 

When I set this up and tested it I only NAT'd 443 through to my LAB from one of our PUBLIC IP's. 

 

In addition beyond how you might add protection with your firewall/IPS for the traffic I suggest you tie down  and look to restrict access to CPPM using the Application ACL as shown in the picture.

 

 

HTH.

Thanks Danny.

If you block external access to all of the services listed in your
screenshot, is SCEP still available or is SCEP part of one of those
services?

Remote onboard may not be something I'm able to sell to myself or the
company. Feeling a bit out of my comfort zone, unfortunately.

The SCEP enrollment is apart of OnBoard but I was just pointing out that you may/might want to lockdown some of the other CPPM apps. You can also add a PSK to the enrollment process as well as deny/allow based upon the source-subnet......

 

 

could you utilize some open/PSK network that employees must connect to and this is LOCKED-DOWN to just 443 traffic for the correctly profiled devices and this becomes the source to grab their corporate certs they can then use for eap-tls?

 

Or do you want them to just enroll and get their cert over 3G/4G/LTE.... harder to know the SRC IP@ here I guess, but not impossible.

We have a guest SSID that also serves as an onboarding SSID.  It could be used as you described; we'll probably do this anyway so that employees no longer have to manually onboard.  However, we still have hundreds of iPads in the field that we'd like to onboard remotely as a means of generating a user cert on the iPad that can be used for VPN.  We may just need to come up with another solution to get a cert on the devices as I'm just not very comfortable with remote SCEP now that I understand how it works.