Enthusiast

ISE 2.4 patch 6 iOS 12.2 onboarding issues

Hi,

We recently upgraded an ISE 2.2 patch 11 deployment to 2.4 patch 6.

We also changed the ISE 802.1x, Admin and Portal certificate to a public GoDaddy cert.

We restored the ISE internal CA (using the CLI application configure ISE...), and BYOD is working for most cases.

The issue that was flagged recently is that we are no longer able to onboard iOS devices.

We just tested a Windows 10 and Apple Mac OS X and both onboarded successfully.

The Apple iPad is running iOS 12.2. The iPad successfully passes PEAP authentication, downloads and installs the first profile (GoDaddy Root), then downloads a second profile named Profile Service (Cisco Systems) which contains the ISE cert (Verified in green) and its chain (3 certs from GoDaddy) + an Encrypted Profile Service https://ise-fqdn:port/auth/OTAMobileConfig?session-id=....

When installing this profile, the iPad generates a CSR and then fails. The message displayed is: Profile Installation Failed

The Registration Authority's response is invalid.

Has anyone seen a similar issue? Any help would be appreciated.

I opened a TAC case and am waiting for their response.

Thank you,

Patrick

Accepted Solution
Cisco Employee

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

Please work with the TAC; it might be an issue with the GoDaddy certificate and its cross-signing.

I had an issue with user trust cert and had to install a different chain. It's a cross-signing issue and this will break Apple iOS BYOD. I had to get a different chain from the ssl.com provider for that.

You can look at the iOS cert store and compare it to the chain on ISE and it will show a different signer.

Update from the TAC on this case. Customer is running into the following:

CSCut63262 ISE BYOD Apple iOS does not accept certificate chain with 4 certificates

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut63262

6 REPLIES
Cisco Employee

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

Hi Patrick,

Please continue to work with the TAC. They will be able to root cause the issue for you.

Regards,
-Tim
Enthusiast

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

Thank you.

The customer will contact GoDaddy support or just end up generating a different certificate.

Patrick

Cisco Employee

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

Thank you

Beginner

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

Hi Jason, 

We are also hitting the same 4 chain certificate issue for iOS 12.x devices.

We had our CSR signed by SSL.COM, but they provided us with a 4 chain certificate.

Any idea how we can get a 3 chain signed cert?


Thanks

MS

Cisco Employee

Re: ISE 2.4 patch 6 iOS 12.2 onboarding issues

I'd recommend working through the TAC and SSL.com to see how they can resolve.

Here's one link; you can try the alternate at the bottom:
https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html
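
The chain comparison suggested in the accepted solution can be scripted. The following is an added example, not code from Cisco or from any poster in this thread: it counts the certificates in a leaf-first PEM bundle and checks that each issuer matches the next subject (byte comparison of names only, no signature verification). The 3-certificate limit is an assumption taken from the CSCut63262 title, and the certificate names and skeleton certificates are constructed for the demonstration.

```python
import base64, re

MAX_CHAIN = 3  # assumption from the CSCut63262 title: a chain with 4 certificates fails

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return the raw DER (issuer, subject) Names of one X.509 certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]  # step into Certificate, then TBSCertificate
    if der[pos] == 0xA0:  # optional [0] version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]  # skip serialNumber
    pos = _tlv(der, pos)[2]  # skip signature algorithm
    issuer_end = _tlv(der, pos)[2]
    validity_end = _tlv(der, issuer_end)[2]
    subject_end = _tlv(der, validity_end)[2]
    return der[pos:issuer_end], der[validity_end:subject_end]

def inspect_chain(pem_bundle):
    """Count certificates in a leaf-first PEM bundle and check issuer/subject chaining."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    pairs = [names(base64.b64decode(b)) for b in blocks]
    return {"count": len(pairs),
            "linked": all(pairs[i][0] == pairs[i + 1][1] for i in range(len(pairs) - 1)),
            "top_self_signed": bool(pairs) and pairs[-1][0] == pairs[-1][1],
            "too_long": len(pairs) > MAX_CHAIN}

# Constructed skeleton certificates (not real ones): only the fields names() reads.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, bodies under 128 bytes
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def sample_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Hypothetical names: "Root G2" exists both cross-signed by "Old Root" and self-signed.
LOWER = [("ise.example", "Issuing CA"), ("Issuing CA", "Root G2")]
FOUR = "".join(sample_pem(s, i) for s, i in LOWER + [("Root G2", "Old Root"), ("Old Root", "Old Root")])
THREE = "".join(sample_pem(s, i) for s, i in LOWER + [("Root G2", "Root G2")])
for label, pem in (("4-cert chain", FOUR), ("3-cert chain", THREE)):
    print(label, inspect_chain(pem))
```

For a real bundle, pass the PEM text of the chain exported from ISE, leaf first, to `inspect_chain()`.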