https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893901#M471298 Point 1 : Apple Configurator 2 lets you configure an EAP-TLS profile with an identity certificate.<BR />Point 2 : CA certificate is your server's certificate issuer's certificate and not the server certificate itself. If its a self signed certificate on the server then both are the same. For user certificate, one will have to choose a cert from existing identity certificates. This i believe is a one time thing for that SSID. Fri, 19 Jul 2019 20:57:32 GMT Surendra 2019-07-19T20:57:32Z https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893587#M471297 <P>Thanks to the kind folks here, I've successfully configured ISE integration with my Cisco WLC to use EAP-TLS as an authentication method for iPhone and Anroid phones, but I have two problems I've yet to see an answer for in Apple and Google forums. Hoping someone has tried EAP-TLS with mobile phones here in prod:</P><P>1 - How do I get the client cert that is already installed on my iPhone to be a choice for 'identity' when I try signing on to the SSID? The cert came from the same CA as ISE and is in my Profile and Device Management store, but doesn't appear as a choice when I try signing on to that SSID upon hitting the controller.<BR />2 - For the Android, I'm assuming the 'CA Certificate' means server-side certificate? For user certificate there's 'Please Select' but I think it's asking for manual input. What is needed here?</P><P>&nbsp;</P><P>Anybody got any experience or links they can lend?</P><P>&nbsp;</P><P>Thanks!</P><P>ISE 2.4<BR />Cisco 55xx WLC<BR />iPhone IOS 12.3.1<BR />Android Pixel 2 PQ Build</P> Fri, 19 Jul 2019 14:13:28 GMT https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893587#M471297 s1nsp4wn 2019-07-19T14:13:28Z https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893901#M471298 Point 1 : Apple Configurator 2 lets you configure an EAP-TLS profile with an identity certificate.<BR />Point 2 : CA certificate is your server's certificate issuer's certificate and not the server certificate itself. If its a self signed certificate on the server then both are the same. For user certificate, one will have to choose a cert from existing identity certificates. This i believe is a one time thing for that SSID. Fri, 19 Jul 2019 20:57:32 GMT https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893901#M471298 Surendra 2019-07-19T20:57:32Z https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893904#M471299 <P>I actually got somewhere on this earlier.&nbsp; I already had what I needed trusted, but the problem was iPHone only accepts pfx or p12.&nbsp; Once I changed format that issue was solved.&nbsp; I still haven't gotten around to Android yet.&nbsp; My current problem is that my client cert isn't accepted and is referred to as 'unsupported'.&nbsp; &nbsp;I did some digging around and found out that 'Key Usage' on the client cert must say either Client Authentication or have all usages enabled.&nbsp; I'll ask my sysadmin to push a cert out to me from the same CA ISE uses to see if that works.</P> Fri, 19 Jul 2019 21:00:42 GMT https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/3893904#M471299 s1nsp4wn 2019-07-19T21:00:42Z https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/4023488#M471301 <P>Hi&nbsp;</P><P>for the certificate to be pushed on Android&nbsp; the latter must request for it 1st. I wonder how u (or ur sysadmin) made it.</P> Tue, 04 Feb 2020 16:18:22 GMT https://community.cisco.com/t5/network-access-control/iphone-and-android-connections-via-eap-tls/m-p/4023488#M471301 Andrii Oliinyk 2020-02-04T16:18:22Z