https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488114#M519669 <HTML><HEAD></HEAD><BODY><P>The TAC came back and said I should not use internal ISE CA or an intermediate cert.&nbsp; Instead I should just use the internal cert that handles the ISE management, dot1x and portal functions.&nbsp; When I did that I was able to register my apple device.&nbsp; They provided a workable solution.&nbsp; I'm good for now.</P></BODY></HTML> Mon, 20 Nov 2017 21:39:07 GMT aprildanos 2017-11-20T21:39:07Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488109#M519641 <HTML><HEAD></HEAD><BODY><P>2 node deployment.&nbsp; Cannot get my iPhone to register to ISE BYOD portal.&nbsp; Fails when installing Profile Service with an invalid server certificate. </P><P></P><P>Have tried:</P><P></P><P>1) Active Directory Server as the Root and ISE as a Subordinate CA </P><P>2) ISE is the Root CA</P><P></P><P>Either way it fails at the install Profile Service part.&nbsp; The profile is green and says it has been verified. Windows SPW works fine.&nbsp; </P><P></P><P>I have gone into Settings &gt;&nbsp; About &gt; etc on the phone and trusted the ISE root certificate.&nbsp; Running the logs on iOS console have not yielded any information. Was getting same results on iOS 10.3.</P><P></P><P>The ISE is trying to install 4 certs: Endpoints, ISE Root, ISE Services and ISE SubCA</P><P></P><P>The iPhone did register on time with my AD server as the Root CA over ISE but that was only once.</P><P></P><P>Have TAC case open and making no headway other than to possibly recommend I call Apple.</P><P></P><P>Do you have any suggestions as I am at the end of the line to get ISE BYOD and Apple working.</P></BODY></HTML> Mon, 20 Nov 2017 20:38:56 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488109#M519641 aprildanos 2017-11-20T20:38:56Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488110#M519644 <HTML><HEAD></HEAD><BODY><P>I would recommend you escalate with the TAC.</P><P></P><P>Make sure you are on the latest patch as well.</P><P></P><P>You maybe using a certificate that the apple ios device doesn’t like.</P><P></P><P>Out of curiosity what vendors well know cert are you using? I assume you are using a well known cert?</P></BODY></HTML> Mon, 20 Nov 2017 20:47:04 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488110#M519644 Jason Kunst 2017-11-20T20:47:04Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488111#M519648 <HTML><HEAD></HEAD><BODY><P>Have you also tried using the internal CA on ISE and not using an external PKI? You will have better results using the default settings</P></BODY></HTML> Mon, 20 Nov 2017 20:52:28 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488111#M519648 Jason Kunst 2017-11-20T20:52:28Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488112#M519655 <HTML><HEAD></HEAD><BODY><P>I did try using the internal ISE CA. That was my second choice. First Microsoft and then ISE by itself.&nbsp; Not well-known signed certificate.&nbsp; I am on the latest ISE patch.&nbsp; </P><P></P><P>Per TAC engineer, ISE BYOD and Apple are not supported when ISE provides SCEP services.&nbsp;&nbsp; Their recommendation, and only way to get it working, is have my internal Microsoft CA be the SCEP server.&nbsp; This is because Apple supports 3 cert chain or less.&nbsp; ISE adds 4 certs when being Root authority and 5 certs when acting as an Intermediate.&nbsp; Per TAC, apple does not like that. </P><P></P><P>Curious thing is the certificate profile was accepted once.&nbsp; But don't remember what happened to make that happen. </P><P></P><P>Looking for help from the community as I do not want to set up my AD server as a SCEP server but seem to have no choice.&nbsp; </P></BODY></HTML> Mon, 20 Nov 2017 21:00:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488112#M519655 aprildanos 2017-11-20T21:00:22Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488113#M519661 <HTML><HEAD></HEAD><BODY><P>You need to escalate to the TAC duty manager this is incorrect. ISE internal CA with apple BYOD are most definitely supported. We have this running in all our demos as well.</P><P></P><P>I would suggest you deploy a well-known certificate, otherwise you’re onboarding of apple devices will not flow correctly.</P><P></P><P>Recommend checking out this demo as well where you can see a working setup in action. You can login with your CCO ID to a working ISE setup. If you have an AP you can even connect to the setup and try it out.</P><P>https://dcloud2-rtp.cisco.com/content/demo/363207?returnPathTitleKey=favourites-view</P><P></P><P>there is only 3 certs in the chain with internal CA setup</P><P>Admin node is the ROOT</P><P>Policy services is Node-ca (signed by root)</P><P>Policy services is the sub-ca (signed by sub-ca)</P></BODY></HTML> Mon, 20 Nov 2017 21:16:29 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488113#M519661 Jason Kunst 2017-11-20T21:16:29Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488114#M519669 <HTML><HEAD></HEAD><BODY><P>The TAC came back and said I should not use internal ISE CA or an intermediate cert.&nbsp; Instead I should just use the internal cert that handles the ISE management, dot1x and portal functions.&nbsp; When I did that I was able to register my apple device.&nbsp; They provided a workable solution.&nbsp; I'm good for now.</P></BODY></HTML> Mon, 20 Nov 2017 21:39:07 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488114#M519669 aprildanos 2017-11-20T21:39:07Z https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488115#M519674 <HTML><HEAD></HEAD><BODY><P>Ok glad you have it running. Keep in mind you will need to deploy a well known cert in your setup for it to scale and work in production.</P><P></P><P>ISE with its internal CA for BYOD is the recommended way for deploying in production.</P><P></P><P>There might be some semantic issues going on here as well.</P></BODY></HTML> Mon, 20 Nov 2017 21:51:17 GMT https://community.cisco.com/t5/network-access-control/ise-2-2p4-apple-iphone7-vers-11-byod-will-not-register/m-p/3488115#M519674 Jason Kunst 2017-11-20T21:51:17Z