Jan 23, 2013 10:57 AM (in response to davidrendall)
Once you have configured the SCEP payload in Profile Manager you should be able to choose that SCEP as the authentication mechanism in the Network payload. With that in place, the device should pull the cert from SCEP when the user attempts to connect to the Wi-Fi network.
Jan 23, 2013 11:24 AM (in response to pbeninate)
Interesting, thanks for the reply. Do you mean that the wireless access point somehow allows the connection to the SCEP server in order to issue the certificate, prior to then using the certificate to authenticate to IAS? I didn't know it could do that. Any thoughts on how I can resolve the issue of getting SCEP to request a user certificate for a specific AD user?
Jan 23, 2013 11:36 AM (in response to davidrendall)
No, that's not exactly right. All you'd be doing is configuring the 802.1x supplicant to obtain a cert from NDES. Once obtained, it presents the cert to the AP and on through to IAS.
Jan 23, 2013 1:35 PM (in response to pbeninate)
Ah, that's what I thought. So it's still chicken-and-egg: how to get a certificate to authenticate to Wi-Fi when I can't connect to Wi-Fi to reach the SCEP server? And how to get a specific user certificate from SCEP? I was really hoping the OS X Server could take care of all this stuff before sending the configuration profile to the device. Thanks for your help.
Jan 25, 2013 6:32 AM (in response to davidrendall)
You could set up an unprotected enrollment network and add the devices to that. The problem you will have, though, is there is no way to pass user creds on the iPad when you use SCEP, so you could not request a specific user cert. I just went through this whole process and unless you have a full-fledged MDM like AirWatch or something you are out of luck.
Jan 25, 2013 6:43 AM (in response to rpatrick2282)
Thanks very much for the reply, it's a great help to know that it isn't possible, so I won't pursue that solution any further. Could I trouble you to briefly describe how AirWatch solves this problem? It's not out of the question for us to buy AirWatch or MobileIron or something like that, if it's necessary.
Jan 25, 2013 8:42 AM (in response to davidrendall)
We are not running it yet, but I believe that when you set up a user in AirWatch or another MDM and you install the agent on a device, the user has to authenticate with AD creds, so then you can configure it to pull a cert from your SCEP server using those creds and it will then pull a user cert instead of a generic certificate. Obviously that is a pretty dumbed-down explanation, but in a nutshell that is how it is going to work.
Jan 25, 2013 9:28 AM (in response to rpatrick2282)
Thanks for the advice. I think I'll get an AirWatch trial and see if it does the job. But it's 5:30pm on a Friday, so I'm off home now!