A quick little reminder – the Microsoft NDES implementation requires a one-time password to enroll network devices. However this gets rather complicated because the whole BYOD concept means you do not have access to that one-time password. The administrator is not involved to get you on the network right? You get credentials and that’s all..
An adjustment needs to be made to Microsoft NDES implementation to let the Cisco ASA proxy the SCEP enrollment request.
Disabling the "one-time password" on the NDES server is configured in the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword
EnforcePassword value data is set to "0". "0" ensures no password is requested by NDES.
Another thing to keep in mind – default NDES implementation will use the “IPSEC (Offline Request)” certificate template. You need to make a decision if this is the template you want to have enrolled for those getting a BYOD certificate.
Let’s say you want some better control of the certificate getting issued. I would recommend creating a custom template. And this is a user device so lets give is the right key usage.
- Duplicate the “IPsec (Offline Request)” template – I use “User NDES”
- Modify the extensions so the extension list looks like – You don’t have to assign all of these uses, but this mirrors the most likely use cases.
- Server Authentication
- Secure Email
- Encrypting File System
- Client Authentication
- IPSec IKE Intermediate
- Adjust the certificate validity period and renewal period according to your policy for user certificates.
- Check the box for publish in Active Directory if you are using EFS
- Add the NDES service account to the security permissions on the template with “Read and Enroll” checked.
- Modify the registry key to assign what certificate is assigned during enrollment