https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442886#M536794 <HTML><HEAD></HEAD><BODY><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Hi all,</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">A lot of iPhones and iPads has been provisioned by ISE with NSP. This works fine and everyone is happy. Now comes the time to renew the EAP certificate of the ISE installation.</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">The new certificate has the same common name and the same root CA, but another intermediate/issuing CA.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">When the EAP certificate is changed on ISE, the provisioned I devices are unable to connect to the network again, until the provisioned profile on the device is uninstalled and the device is reprovisioned.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">If we test on a manual configured device, the device is also unable to connect to the wireless, but in this case it is enough to just accept the new certificate.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Are there any workarounds to this issue, so the endusers only has to accept the new certificate or do nothing at all?</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Best regards</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Tue</P></BODY></HTML> Tue, 06 Dec 2016 09:37:31 GMT tuenoerg 2016-12-06T09:37:31Z https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442886#M536794 <HTML><HEAD></HEAD><BODY><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Hi all,</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">A lot of iPhones and iPads has been provisioned by ISE with NSP. This works fine and everyone is happy. Now comes the time to renew the EAP certificate of the ISE installation.</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">The new certificate has the same common name and the same root CA, but another intermediate/issuing CA.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">When the EAP certificate is changed on ISE, the provisioned I devices are unable to connect to the network again, until the provisioned profile on the device is uninstalled and the device is reprovisioned.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">If we test on a manual configured device, the device is also unable to connect to the wireless, but in this case it is enough to just accept the new certificate.</P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Are there any workarounds to this issue, so the endusers only has to accept the new certificate or do nothing at all?</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Best regards</P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;">Tue</P></BODY></HTML> Tue, 06 Dec 2016 09:37:31 GMT https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442886#M536794 tuenoerg 2016-12-06T09:37:31Z https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442887#M536795 <HTML><HEAD></HEAD><BODY><P>Tue, can you provide the details on the setup? What ISE version with patch when the certificates were issued and what version are they on now? Is it using internal CA or using SCEP for BYOD?</P></BODY></HTML> Tue, 06 Dec 2016 21:37:38 GMT https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442887#M536795 howon 2016-12-06T21:37:38Z https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442888#M536796 <HTML><HEAD></HEAD><BODY><P>Should be working as intended. The NSP Profile should provision trust certificates to the Device, if you replace the trust chain while renewing the certificate of the ISE the device isn't aware of the new trust chain and restricts the communication.</P></BODY></HTML> Wed, 07 Dec 2016 07:52:18 GMT https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442888#M536796 Oliver Laue 2016-12-07T07:52:18Z https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442889#M536797 <HTML><HEAD></HEAD><BODY><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN lang="EN-US" style="color: #1f497d;">The iDevices are primary provisioned from ISE 1.2, but also 1.3 and 1.4. Currently the ISE is running 2.1 patch 1</SPAN></P><P></P><P style="font-size: 11pt; font-family: Calibri, sans-serif; color: #000000;"><SPAN lang="EN-US" style="color: #1f497d;">They are SCEP enrolled from a MS infrastructure</SPAN></P></BODY></HTML> Thu, 08 Dec 2016 07:03:25 GMT https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442889#M536797 tuenoerg 2016-12-08T07:03:25Z https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442890#M536798 <HTML><HEAD></HEAD><BODY><P>Tue, if still having issues and if not done already please contact TAC for further assistance on this.</P></BODY></HTML> Thu, 08 Dec 2016 19:42:08 GMT https://community.cisco.com/t5/network-access-control/eap-cert-change-problems-on-apple-ios-devices/m-p/3442890#M536798 howon 2016-12-08T19:42:08Z