ISE 2.4 patch 6 iOS 12.2 onboarding issues

Hi,

We recently upgraded an ISE 2.2 patch 11 deployment to 2.4 patch 6.

We also changed the ISE 802.1x, Admin and Portal certificate to a public GoDaddy cert.

We restored the ISE internal CA (using the CLI application configure ISE...), and BYOD is working for most cases.

The issue that was flagged recently is that we are no longer able to onboard iOS devices.

We just tested a Windows 10 device and an Apple Mac OS X device, and both onboarded successfully.

The Apple iPad is running iOS 12.2. The iPad successfully passes PEAP authentication, downloads and installs the first profile (GoDaddy Root), then downloads a second profile named Profile Service (Cisco Systems) which contains the ISE cert (Verified in green) and its chain (3 certs from GoDaddy) + an Encrypted Profile Service https://ise-fqdn:port/auth/OTAMobileConfig?session-id=....

When installing this profile, the iPad generates a CSR and then fails. The message displayed is: Profile Installation Failed

The Registration Authority's response is invalid.

Has anyone seen a similar issue? Any help would be appreciated.

I opened a TAC case and am waiting for their response.

Thank you,

Patrick

Accepted Solutions

Jason Kunst
Cisco Employee

Please work with the TAC; it might be an issue with the GoDaddy certificate and its cross-signing.

I had an issue with the user trust cert and had to install a different chain. It's a cross-signing issue and this will break Apple iOS BYOD. I had to get a different chain from the ssl.com provider for that.

You can look at the iOS cert store and compare it to the chain on ISE and it will show a different signer.

Update from the TAC on this case. Customer is running into the following:

CSCut63262: ISE BYOD Apple iOS does not accept certificate chain with 4 certificates

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut63262

Timothy Abbott
Cisco Employee
Hi Patrick,

Please continue to work with the TAC. They will be able to root cause the issue for you.

Regards,
-Tim

Thank you.

The customer will contact GoDaddy support or just end up generating a different certificate.

Patrick

Thank you

Hi Jason, 

We are also hitting the same 4-chain certificate issue for iOS 12.x devices.

We had our CSR signed by SSL.COM, but they provided us with a 4-chain certificate.

Any idea how we can get a 3-chain signed cert?

Thanks

MS

I'd recommend working through the TAC and SSL.com to see how they can resolve.

Here's one link; you can try the alternate at the bottom:
https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
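
The comparison suggested in this thread (count the certificates in the chain ISE presents and check who signed each one), as an added example that is not part of any post here and is not Cisco code. It reads the raw subject and issuer names from a leaf-first PEM bundle; the 3-certificate limit is an assumption taken from the bug title above, and the sample chains are constructed DER skeletons, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(der):
    """Raw DER bytes of (subject, issuer) taken from tbsCertificate."""
    _, cert_body, _ = _tlv(der, 0)         # Certificate ::= SEQUENCE
    _, pos, end = _tlv(der, cert_body)     # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:nxt])
        pos = nxt
    return fields[4], fields[2]            # order: serial, sigAlg, issuer, validity, subject

def audit_chain(pem_bundle, max_certs=3):
    """Return (certificate count, list of findings) for a leaf-first PEM bundle."""
    names = [subject_issuer(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    findings = []
    if len(names) > max_certs:             # max_certs=3 is an assumption from the bug title
        findings.append(f"{len(names)} certificates in chain, more than {max_certs}")
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            findings.append(f"cert {i} issuer is not the subject of cert {i + 1}")
    if names and names[-1][0] != names[-1][1]:
        findings.append("top certificate is signed by a different CA (cross-signed or root omitted)")
    return len(names), findings

# --- constructed sample input: DER skeletons carrying names only, not real certificates ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for these samples

def toy_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject)
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

LEAF = toy_cert("ise.example.test", "Issuing CA")
THREE = LEAF + toy_cert("Issuing CA", "Root A") + toy_cert("Root A", "Root A")
FOUR = LEAF + toy_cert("Issuing CA", "Root B") + toy_cert("Root B", "Root A") + toy_cert("Root A", "Root A")
print(audit_chain(THREE), audit_chain(FOUR))
```

To check a real deployment, pass `audit_chain` the PEM bundle exported for the ISE portal certificate, leaf first.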