topic Re: Client behavior with dot1x connecting to ISE requires user to accept certificate in Network Access Control

Client behavior with dot1x connecting to ISE requires user to accept certificate

rhuel.phils — Wed, 28 Mar 2018 08:13:18 GMT

Guys,

Our scenario here when a mobile device IOS/Android connect to our wireless first time they need to accept the Trust certificate.

Is there a way to disable the issue of certificate to a particular SSID but the device still login using 802.x?

Regards,

Ruel

Re: ISE Certificate disable

Jason Kunst — Wed, 28 Mar 2018 12:11:25 GMT

iOS devices will allows require you to manually trust a certificate for the first connection (even if it’s well known), this is apples decision, the only way around that is to push a profile to it (via BYOD process on ISE or mdm enrollment) this kinda defeats the purpose of easy connection

I haven’t played around with Android in a while

You can not disable it, it’s part of dot1x communication to trust the certificate presented from the AAA server

Also when roaming to another ISE psn the user would have to do this again unless you have deployed a well known certificate with a wildcard in the SAN or a certificate with all of the ISE psn names prepopulated

Here is some good reading on the matter

https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#ID121

Re: Client behavior with dot1x connecting to ISE requires user to accept certificate

paul — Wed, 28 Mar 2018 13:20:10 GMT

If you use an MDM to manage these mobile devices and push out the SSID and trust certs they shouldn't see the cert warning. I am guessing these aren't managed devices though.