6503 Views | 11 Helpful | 9 Replies
Contributor

EAP certificate - not trusted by "some" BYOD devices?

I'm doing EAP authentication and BYOD devices are enrolled using Microsoft Intune (whereby a WiFi profile is pushed to the device, including certs, trusted certs, SSID, etc.). What I am being told is that Android devices are accepting the ISE EAP certificate (it's trusted, after all) but iPhones/iPads always prompt the first time to accept the ISE EAP certificate, even though it's in the trusted store.

I appreciate this is an ISE forum and not an Android/iDevice forum, but wondered what the forum experience is here? I heard from a colleague that iDevices don't use the trusted cert store for WiFi and that the user must validate the cert the first time whether it is trusted or not. Once trusted, it is stored in the wireless profile (forever, or until you remove the wireless profile).

Thoughts guys? Any other peculiarities discovered in the field with other BYOD devices not accepting EAP certificates until the user has manually accepted them?

1 ACCEPTED SOLUTION
Enthusiast

Re: EAP certificate - not trusted by "some" BYOD devices?

Alright, I tested it again.

On Apple iOS and macOS devices you can publish trusted certificates with Apple Configurator or an MDM/EMM solution. For a WPA2 Enterprise wireless profile you have two options to avoid the certificate warnings.

1. Publish the cert via a profile to the device, even if you are using public certs for RADIUS.

On Meraki MDM, for example, go to MDM - Settings, choose a profile and select Credential, upload your CA cert and give it a name. Now you can configure your wireless and set the uploaded CA as trusted for this connection.

2. Trust the Subject CN of the RADIUS cert.

With this option you have to enter the CN of the RADIUS cert which will be trusted for the connection.

You can also combine both methods to lock down the profile a bit. Without either of these options the user has to click the wireless connection the first time and accept the certificate warning.

[attachment: mdm-cert.JPG]
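The two options in the accepted solution map onto two keys of the EAPClientConfiguration dictionary in an Apple Wi-Fi configuration profile: option 1 is PayloadCertificateAnchorUUID (pointing at a certificate payload carried in the same profile) and option 2 is TLSTrustedServerNames (matched against the RADIUS server certificate's subject CN). Meraki, Intune or Apple Configurator generate this XML plist for you; the Python below is an added example, not code from the post or from any Cisco, Meraki or Apple tool, that builds such a profile with both methods combined and checks an exported .mobileconfig for them. The SSID, organisation name and CA bytes are placeholders, and the RADIUS name reuses the example CN given later in the thread.

```python
import plistlib
import uuid

# Constructed placeholder: replace with the DER bytes of the CA that signed the
# ISE EAP certificate (e.g. open("ise-eap-ca.cer", "rb").read()). These four
# bytes are NOT a valid certificate; they only exercise the plist <data> path.
PLACEHOLDER_CA_DER = b"\x30\x82\x00\x00"

# Assumed values, not from the thread (except the example CN, which is).
SSID = "CorpWiFi"
RADIUS_SERVER_NAMES = ["ise.eap.customerx.com"]

CERT_PAYLOAD_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")


def build_wifi_profile(ssid, ca_der, trusted_server_names, org="Example Org",
                       eap_types=(25,)):
    """Return a configuration profile (plist layout) with two payloads:
    a root-certificate payload carrying the CA, and a managed Wi-Fi payload
    whose EAPClientConfiguration anchors trust to that CA (option 1) and to the
    RADIUS certificate's subject names (option 2).
    eap_types defaults to PEAP (25); EAP-TLS (13) would additionally need an
    identity-certificate payload referenced via PayloadCertificateUUID."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()

    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "ISE EAP signing CA",
        "PayloadContent": ca_der,           # serialised as <data> (base64)
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            # Option 1: trust only certificates chaining to the CA payload above.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # Option 2: accept only these subject CNs on the RADIUS certificate.
            "TLSTrustedServerNames": list(trusted_server_names),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{profile_uuid}",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": f"{org} Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile as an (unsigned) XML .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def pinned_trust_methods(mobileconfig_bytes):
    """Inspect an exported profile and report which of the two methods the
    managed Wi-Fi payload(s) actually use. An empty set means the device will
    fall back to prompting the user on first connection."""
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    methods = set()
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        # The anchor only counts if it references a cert payload in this profile.
        if set(eap.get("PayloadCertificateAnchorUUID", [])) & cert_uuids:
            methods.add("ca_anchor")
        if eap.get("TLSTrustedServerNames"):
            methods.add("server_names")
    return methods


if __name__ == "__main__":
    mc = to_mobileconfig(build_wifi_profile(SSID, PLACEHOLDER_CA_DER,
                                            RADIUS_SERVER_NAMES))
    print(pinned_trust_methods(mc))
```

Run pinned_trust_methods over the .mobileconfig your MDM exports (or that you pull from a test device) to confirm the anchor UUID really points at a certificate payload in the same profile; a dangling UUID or an empty TLSTrustedServerNames list is the usual reason a "trusted" profile still prompts.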

9 REPLIES
Cisco Employee

Re: EAP certificate - not trusted by "some" BYOD devices?

If the WiFi profiles are deployed via MDM, I would not expect Apple iDevices to prompt unless the WiFi profiles do not include the root certificate(s) for the ISE PSNs. The prompting to trust does occur for ad-hoc connections, e.g. during single-SSID BYOD. The same is observed on Apple macOS and, at times, some Windows client OSes.

Recently Android 7.1.x started to mandate selecting an option for CA certificate and specifying the Domain. We've documented this in footnote 11 under Table 3 of Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco.

Cisco Employee

Re: EAP certificate - not trusted by "some" BYOD devices?

Hi Darren,

iOS devices always behave this way regardless of whether the RADIUS server certificate is signed by a trusted authority. When an iOS device connects to a new RADIUS server for the first time it will always prompt the end user to trust the server's certificate. To get around the issue of having to prompt the user to accept the certificate while roaming in an ISE deployment, we recommend using wildcard certificates.

Regards,

-Tim

Contributor

Re: EAP certificate - not trusted by "some" BYOD devices?

Thanks Tim. To get around this you can also use a single EAP certificate that is shared amongst all ISE nodes; the CN and SAN don't need to match the ISE PSNs, so the CN can just say something like ise.eap.customerx.com. No need for wildcard masks if it is just used for EAP.

Enthusiast

Re: EAP certificate - not trusted by "some" BYOD devices?

If you are using an MDM you can publish a trusted cert CN for the wireless connection. If the device trusts the cert chain it will not prompt the user to accept the RADIUS cert unless it changes.

[attachment: mdm-cert.JPG]

If you deploy the WiFi profile without this option the user will also be prompted to accept the RADIUS cert even if you trust the cert chain.

Contributor

Re: EAP certificate - not trusted by "some" BYOD devices?

Thanks Oliver. This conflicts with what others are saying and what my client says they saw. The MDM was publishing a trusted cert, but on iOS devices they were always prompted (on the first connection) to accept the cert. The previous comments on this discussion indicate this is normal iOS behaviour, but you see otherwise in the field?

Cisco Employee

Re: EAP certificate - not trusted by "some" BYOD devices?

Hi Tim,

I have a customer in a very similar situation with their Apple iOS devices. Is there any way to get around this problem if they're not using wildcard certificates?

Cisco Employee

Re: EAP certificate - not trusted by "some" BYOD devices?

What Oliver said is what I expected and similar to what I responded earlier.

I have not tested with MDM but used Apple Configurator 2 (or Apple iPhone Configuration Utility for earlier Apple iOS/macOS releases) to add WiFi profiles. And I usually add the CA root certificate instead of the ISE server certificate(s) so the same profile can apply, in case the ISE PSNs are not using the same certificate for EAP. Last I tried that, it worked as expected and did not prompt users to trust again, as the trust is specified as part of the configuration profile that includes the WiFi network name(s), certificates, etc.

I could not find my test screenshots, but it's similar to Steps 11 ~ 16 of Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES) – Windows PKI blog.


Contributor

Re: EAP certificate - not trusted by "some" BYOD devices?

Brilliant, thanks Oliver.