cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

92
Views
5
Helpful
2
Replies

IPhones problem with ISE authentication

Hi all,

I have a problem with iphones about authenticating them against ISE. I have recently deployed wireless with Mobility Express Access Points. I have created several SSIDs one for corporate computers for authenticating using Chaining and another for mobile phones just with enterprise authentication. The problem is Androids pass authentication successfully but Apple devices not. I see in ISE strange error. Below you can see it as well. I was going to open TAC case but thought to ask from the forum beforehand.

Capture.JPG

I am not sure why IPhones try to authenticate using EAP-Fast isntead of PEAP. 

Hope someone will help.

Thanks in advance!

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: IPhones problem with ISE authentication

Looks like your IPhones are not configured to send crypto binding TLV. Suggest you to check the EAP-FAST settings on the IPhone. If you have provisioned the settings through apple configurator 2, please send the screenshots of the profile as well. If you think that your IPhone is supposed to do PEAP and not EAP-FAST, then it definitely is a configuration issue on the IPhone.
Highlighted

Re: IPhones problem with ISE authentication

Yes, that is surely configuration error of Apple devices. Unfortunately, I do not have MAC in hand so that I will use configurator. Instead I created separate Policy Set with condition of particular SSID which accepts only PEAP in allowed protocols. In that way I could force Iphones use PEAP not EAP-FAST. Sometimes just posting question here makes me find solution :) Thanks anyway

2 REPLIES 2
Cisco Employee

Re: IPhones problem with ISE authentication

Looks like your IPhones are not configured to send crypto binding TLV. Suggest you to check the EAP-FAST settings on the IPhone. If you have provisioned the settings through apple configurator 2, please send the screenshots of the profile as well. If you think that your IPhone is supposed to do PEAP and not EAP-FAST, then it definitely is a configuration issue on the IPhone.
Highlighted

Re: IPhones problem with ISE authentication

Yes, that is surely configuration error of Apple devices. Unfortunately, I do not have MAC in hand so that I will use configurator. Instead I created separate Policy Set with condition of particular SSID which accepts only PEAP in allowed protocols. In that way I could force Iphones use PEAP not EAP-FAST. Sometimes just posting question here makes me find solution :) Thanks anyway