https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4015279#M454404 <P>Hi guys,</P><P>&nbsp;</P><P>I've got a problem with my BYOD deployment (dual SSID) on MacOS Catalina.</P><P>Everything works fine until the Network Setup Assistant tries to download a profile.<BR />Even though both of the portals ISE uses in BYOD flow (admin &amp; client provisioning) certificates are signed by a public CA - the NSA shows a warning "the certificate is not valid".<BR />If I click "continue”, I'm able to successfully enroll certificate and join the network.</P><P><BR />When i try to connect to both these portals via safari/chrome, the certificate is validated as expected.</P><P><BR />It seems to me like the NSA doesn’t have rights to use the Mac’s certificate store.<BR />I know there are some changes for certificates in Catalina (sha1 no longer supported etc..), but our certificates seem to match these new policies.</P><P>&nbsp;</P><P>Using SP wizard version 2.7.0.1<BR />ISE Version 2.4 patch 9 and also tested with 2.6</P><P>Catalina 10.15.2</P><P>&nbsp;</P><P>I can open a TAC case, but just wanted to ask here before I do so.</P><P>Appreciate every hint <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Thank You.</P> Wed, 22 Jan 2020 08:05:52 GMT stanislav.pilat 2020-01-22T08:05:52Z https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4015279#M454404 <P>Hi guys,</P><P>&nbsp;</P><P>I've got a problem with my BYOD deployment (dual SSID) on MacOS Catalina.</P><P>Everything works fine until the Network Setup Assistant tries to download a profile.<BR />Even though both of the portals ISE uses in BYOD flow (admin &amp; client provisioning) certificates are signed by a public CA - the NSA shows a warning "the certificate is not valid".<BR />If I click "continue”, I'm able to successfully enroll certificate and join the network.</P><P><BR />When i try to connect to both these portals via safari/chrome, the certificate is validated as expected.</P><P><BR />It seems to me like the NSA doesn’t have rights to use the Mac’s certificate store.<BR />I know there are some changes for certificates in Catalina (sha1 no longer supported etc..), but our certificates seem to match these new policies.</P><P>&nbsp;</P><P>Using SP wizard version 2.7.0.1<BR />ISE Version 2.4 patch 9 and also tested with 2.6</P><P>Catalina 10.15.2</P><P>&nbsp;</P><P>I can open a TAC case, but just wanted to ask here before I do so.</P><P>Appreciate every hint <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Thank You.</P> Wed, 22 Jan 2020 08:05:52 GMT https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4015279#M454404 stanislav.pilat 2020-01-22T08:05:52Z https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4050495#M559069 <P>No one? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Mon, 23 Mar 2020 14:17:53 GMT https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4050495#M559069 stanislav.pilat 2020-03-23T14:17:53Z https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4052539#M559161 <P>IIRC... this related to the trust settings of certificates in macOS. Similar to what described at <A href="https://www.jamf.com/jamf-nation/discussions/22294/adding-a-certificate-to-the-system-keychain-set-to-always-trust" target="_self">Adding A Certificate To The System Keychain Set To Always Trust</A>&nbsp;</P> Thu, 26 Mar 2020 00:27:14 GMT https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4052539#M559161 hslai 2020-03-26T00:27:14Z https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4055587#M559267 <P>You already have a TAC case open so not going to duplicate efforts.</P> <P>See <A href="https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356" target="_self">How to Ask The Community for Help</A> &gt; <A href="https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356#toc-hId--1967577845" rel="nofollow noopener noreferrer" target="_blank">The Community is Not TAC</A></P> Tue, 31 Mar 2020 00:05:50 GMT https://community.cisco.com/t5/network-access-control/byod-certificate-issue/m-p/4055587#M559267 thomas 2020-03-31T00:05:50Z