topic Network Setup Assistant Certificate Issue in Network Access Control

Network Setup Assistant Certificate Issue

chrisvanwyk — Thu, 28 Sep 2017 07:54:12 GMT

When the network setup assistant run how does is select and push the correct certificate to a machine?

Even in the BYOD setup when you select Certificate group tag the self signed is used. Deleted the self sign and the public certificate is used now. Users still get promoted to install the ROOT certificate even though this cert is a public cert with the ROOT certificate installed on the machine. How do I trouble shoot this so there is almost no user interaction for this. The browser does not have any issued on the portal when you register your device is only when the network setup assistant runs.

Re: Network Setup Assistant Certificate Issue

Jason Kunst — Thu, 28 Sep 2017 11:58:55 GMT

Yes if you replace your ISE cert you need to use it for your portals

This should be explained in the admin guide

What operating system are you using?

It sounds like it’s Apple iOS

Apple unfortunately has to accept the cert even though it’s a well known one, when you start the process you must accept it

Also if you are running multiple psns the best practice regardless is to use a certificate with a wildcard in the SAN so when you roam between psns you’re not required to accept the cert at every new radius server seen, this is also in the admin guide

Please see our BYOD Page off http://cs.co/ISE-community for more info

Re: Network Setup Assistant Certificate Issue

chrisvanwyk — Thu, 28 Sep 2017 12:32:13 GMT

The correct cert is tagged for portal use. The issue is not the portal it is the network setup assistant that you download. When it installs the native supplicant/profile it pushes a certificate to the machine. How do set that part?

Re: Network Setup Assistant Certificate Issue

hslai — Fri, 29 Sep 2017 02:52:03 GMT

This is how it working today. ISE can't check or assume the client device has the root certificate for ISE EAP server, so it will prompt to install it regardless.

Re: Network Setup Assistant Certificate Issue

chrisvanwyk — Fri, 29 Sep 2017 10:22:19 GMT

I see even when you have selected not to prompt the user it still pops up. Well suppose the client will have to live with it.

Re: Network Setup Assistant Certificate Issue

hslai — Mon, 02 Oct 2017 20:15:28 GMT

Yes.

The Windows-only option "Do not prompt user to authorize new servers or trusted certification authorities" is for after BYOD and certificate provisioning and during EAP-TLS.