
EAP-TLS error on Apple OSX

Hi,

I am trying to authenticate OSX clients with EAP-TLS on WiFi.

ISE and OSX have certificates from different issuing-certificate-servers but they share root-server.

ISE is in domain.com and OSX in sub.domain.com

The error I am getting in ISE is "12521 EAP-TLS failed SSL/TLS handshake after a client alert". My best guess is that OSX doesn't trust ISE, but I can't figure out what settings I have to do to get it to work.

We are using an MDM tool to deploy profiles to the OSX devices.

Have any of you got info on what settings I have to do in OSX for it to trust ISE that has RADIUS-cert from another cert-server?

Regards

Philip

Accepted Solutions
VIP Advocate

Re: EAP-TLS error on Apple OSX

On the same thought train as hslai here. You mention an MDM; most of my clients use AirWatch with their Apple devices. Part of the network profile provisioning includes pushing the root and intermediate certs down to the endpoints. In the case of iPhones, for some reason we have also had to push the server cert ISE uses; not sure why, but it seemed hit or miss.
2 REPLIES
Cisco Employee

Re: EAP-TLS error on Apple OSX

Have any of you got info on what settings I have to do in OSX for it to trust ISE that has RADIUS-cert from another cert-server?

In case of ad-hoc connections, macOS should have prompted the users to trust the certificate(s). For non-ad-hoc, an MDM usually is used to provision the trust and you would need to consult the admin guide of the MDM product.

For my own testing, I am using Apple Configurator 2 to create a configuration profile, which may contain the certificate chain used by ISE and explicitly trusted for a network payload.
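As an added example (not part of the thread or of any MDM product), the script below audits a configuration profile before it is deployed: for each EAP-TLS Wi-Fi payload it checks that every trusted anchor UUID is actually shipped as a certificate payload in the same profile and that trusted server names are set. The key names follow Apple's configuration profile format; the sample profile, UUIDs, SSID and server name are constructed placeholders.

```python
import plistlib

# Constructed sample profile (not from the thread): one root CA payload and one
# Wi-Fi payload using EAP-TLS. UUIDs, SSID and server name are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadUUID": "ROOT-CA-UUID-PLACEHOLDER",
         "PayloadContent": b"constructed-der-bytes"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadUUID": "WIFI-UUID-PLACEHOLDER",
         "SSID_STR": "example-ssid",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [13],  # 13 = EAP-TLS
             "PayloadCertificateAnchorUUID": ["ROOT-CA-UUID-PLACEHOLDER",
                                              "ISSUING-CA-UUID-PLACEHOLDER"],
             "TLSTrustedServerNames": ["ise.example.com"]}},
    ],
})

# Payload types that carry a CA or server certificate (no identity/PKCS#12).
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_wifi_trust(profile_bytes):
    """Return findings about server trust in each EAP-TLS Wi-Fi payload."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if 13 not in eap.get("AcceptEAPTypes", []):
            continue  # not an EAP-TLS network
        ssid = p.get("SSID_STR", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trusted certificate anchors set")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames not set")
    return findings

if __name__ == "__main__":
    for line in audit_wifi_trust(SAMPLE_PROFILE) or ["no findings"]:
        print(line)
```

The constructed sample deliberately references an issuing-CA anchor that is not included in the profile, so the audit reports one finding for it.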
