02-06-2014 03:09 PM - edited 03-10-2019 09:21 PM
I’m really confused about the best practice to set up these devices in an 802.1x and Windows Domain network using ISE.
I had seen the iPad download the ISE certificate the very first time the device is connected to the SSID. On the Android device (Galaxy phone) I don’t see the device download the certificate.
Testing with the Android device I was able to install the root CA certificate (not an easy procedure), then when the SSID is configured in the device I have the option to choose the root CA certificate.
Now if I don’t include the certificate in the SSID configuration, the device is able to connect with an Identity and Password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials is not enabled before.
How can I validate through the ISE that the Android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.
I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?
The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe it is right; I understand the EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?
As the iPad and Android devices are not in the Windows domain, what should be expected when the password is expired? Customer Policy indicates users must change domain passwords every four months. On a Windows PC users receive warnings some days before the expiration, but it appears nothing happens on non-domain devices. A co-worker told me the easy way is that when this happens the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best practice workaround?
I hope you can help me to clarify my doubts.
Regards.
Daniel Escalante
02-07-2014 04:43 PM
ISE Case: SR 6628070423 Android Provisioning does not apply certificate axians
See the demo video Android End User Experience
around 02:32 to 02:47 showing the client identity certificate installing process.
Please continue working with TAC and ESC, who would further feedback to the product teams when needed.
02-07-2014 05:05 PM
Do you have a link to this video?
Sent from Cisco Technical Support iPhone App
02-12-2014 07:52 PM
For Client Provisioning for Android, you can refer to these guides: