EAP-TLS using iPhone (onboarded by Azure MDM)

Hello All,

We were testing the "MDM-onboarded mobile device connecting to 802.1X SSID" use case in our environment. The user certificate was pushed from MDM to the test mobile endpoint along with the 802.1X settings (EAP-TLS). While connecting the endpoint to the 802.1X-configured SSID, the endpoint was unable to join the network and therefore failed authentication. The reason is that ISE was not receiving the user certificate configured on the endpoint during the certificate exchange. We verified this with TAC by doing a packet capture on ISE. But the user certificate was installed on the endpoint and is signed by both the root CA and the intermediate CA. In this case the test endpoint is an iPhone. Is the iPhone rejecting the certificate presented by ISE?

Thanks,

Aravind Ravikumar.

1 ACCEPTED SOLUTION

Re: EAP-TLS using iPhone (onboarded by Azure MDM)

My past experience has indicated that you have to push the root, intermediate, and the ISE cert down to the iPhone with the MDM or the iPhone won't trust it. This typically manifests as repeated authentication attempts where the logs indicate the client stopped responding during EAP negotiation. It will restart at the RADIUS timeout configured on the WLC, such as every 5 seconds.
3 REPLIES
Re: EAP-TLS using iPhone (onboarded by Azure MDM)

Thank you for your response. By ISE cert you mean exporting the system certificates (configured for EAP) and pushing them down to the iPhone along with the root and intermediate cert?

Re: EAP-TLS using iPhone (onboarded by Azure MDM)

Yes, the system cert or certs used for EAP.

I've yet to find a way around pushing those with EAP-TLS on Apple devices.