https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4089640#M560556 <P>(updating the thread to help others)</P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: -webkit-standard; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">This behavior is for DOT1X only and not applicable to Guest/CWA flow</SPAN>.</P> Wed, 20 May 2020 22:14:56 GMT musultan 2020-05-20T22:14:56Z https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4088172#M560489 <P><SPAN style="caret-color: #000000; color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration: none; display: inline !important; float: none;">For the Guest/CWA flow, does Apple iOS devices needs to ACCEPT/Validate the publicly trusted certificates like PEAP or 802.1x ?</SPAN></P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration: none; display: inline !important; float: none;">Reference <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html#pgfId-141382" target="_self">Link</A>: </SPAN>When Apple iOS devices use Protected Extensible Authentication Protocol (PEAP) with Cisco ISE or 802.1x, certificate warnings might be displayed even for publicly trusted certificates.</P> <P>&nbsp;</P> <P>Another Reference <A href="https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897" target="_self">Link</A>:&nbsp;<SPAN style="caret-color: #000000; color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration: none; display: inline !important; float: none;">When an iOS client first communicates to a PSN it will not explicitly trust the PSN certificate, even though a trusted Certificate Authority has signed the certificate.</SPAN></P> <DIV style="-webkit-user-select: all; color: #000000; background-color: #ffffff; caret-color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">&nbsp;</DIV> <DIV style="-webkit-user-select: all; color: #000000; background-color: #ffffff; caret-color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"><SPAN style="caret-color: #000000; color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration: none; display: inline !important; float: none;">Does this limitation applicable to Guest/CWA flow for iOS devices or not ?<BR /></SPAN></DIV> <DIV style="-webkit-user-select: all; color: #000000; background-color: #ffffff; caret-color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Please advise.</DIV> <DIV style="-webkit-user-select: all; color: #000000; background-color: #ffffff; caret-color: #000000; font-family: -apple-system, 'Segoe UI', 'Segoe UI Emoji', sans-serif, Meiryo; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 300; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">&nbsp;</DIV> Mon, 18 May 2020 19:11:03 GMT https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4088172#M560489 musultan 2020-05-18T19:11:03Z https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4089107#M560534 <P>Any update on this ?</P> Wed, 20 May 2020 06:45:00 GMT https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4089107#M560534 musultan 2020-05-20T06:45:00Z https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4089640#M560556 <P>(updating the thread to help others)</P> <P>&nbsp;</P> <P><SPAN style="caret-color: #000000; color: #000000; font-family: -webkit-standard; font-size: medium; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline !important; float: none;">This behavior is for DOT1X only and not applicable to Guest/CWA flow</SPAN>.</P> Wed, 20 May 2020 22:14:56 GMT https://community.cisco.com/t5/network-access-control/does-ios-devices-needs-to-accept-the-public-signed-cert-in-guest/m-p/4089640#M560556 musultan 2020-05-20T22:14:56Z