Apple devices don't ask to trust certificate, just an error on ISE

patoberli
VIP Alumni

Hi all

I've configured the ISE to do EAP-PEAP with EAP-MSCHAPv2 as an inner method. The certificate I've copied over from my old Windows NPS servers. It's a correctly externally signed one and the Apple devices work fine when the Radius on the WLC is set to the NPS.

Once I switch it to the ISE (3.0 patch 3), the Apple devices fail to authenticate. I can enter the username + password, but never get offered to accept the certificate, as I would otherwise (it's a BYOD scenario). I ignored the profile and tried to reconnect, without success. I've tested several Apple devices, all the same issue.

Android devices and Windows can connect to the SSID absolutely fine, though.

The ISE shows:

12322 PEAP failed SSL/TLS handshake after a client alert


One thing that doesn't match is the hostname of the new ISE servers and the ones inside the certificate, but I'm not sure if Apple somehow validates this (I don't think it even can, as it doesn't have an IP connection at that point). I did install the full chain as trusted certificates into the ISE and set this new certificate as the one for EAP Authentication.


Any ideas on how to troubleshoot this?

3 Replies

Dustin Anderson
VIP Alumni

It probably is the CN not matching, but the only way to validate would be to generate a self signed and apply it, then see if it starts to prompt.

Hi, thanks for the reply.
The self-signed cert indeed works. I'm now checking whether I can find some other way of getting this to work, as I'd prefer not to request a new certificate.
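Before requesting a new certificate, the CN-mismatch idea from the reply above can be tested offline by comparing the names the certificate actually presents (subject CN and subjectAltName dNSName entries, read from a certificate viewer or from `openssl x509 -in cert.pem -noout -text`) against the FQDNs of the ISE policy nodes the supplicant talks to. The following is an added Python example, not code from this thread or from Cisco; the hostnames in it are constructed, and the matching rules follow RFC 6125 (case-insensitive exact match, or a wildcard that is the whole leftmost label and covers exactly one label).

```python
"""Offline check: does an EAP/RADIUS server certificate name the ISE nodes?

Added example (not from the thread). Input is the list of names a
certificate carries, copied out by hand; no certificate parsing is done here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)

    def presented_names(self) -> list[str]:
        # Supplicants consult subjectAltName first; the subject CN is only a
        # fallback when the certificate has no dNSName SAN entries at all.
        return list(self.san_dns) if self.san_dns else [self.subject_cn]


def _match_one(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one presented name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, and patterns such as
    # "*.example" (too few labels) are rejected outright.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: CertIdentity, hostname: str) -> bool:
    """True if any presented name of the certificate matches hostname."""
    return any(_match_one(name, hostname) for name in cert.presented_names())


def check_radius_servers(cert: CertIdentity, servers: list[str]) -> dict[str, bool]:
    """Return {server_fqdn: covered} for each RADIUS/EAP server name."""
    return {server: cert_covers_host(cert, server) for server in servers}


if __name__ == "__main__":
    # Constructed scenario: a certificate issued for the old NPS servers,
    # now bound to two ISE nodes with different hostnames.
    nps_cert = CertIdentity(
        subject_cn="nps01.corp.example",
        san_dns=["nps01.corp.example", "nps02.corp.example"],
    )
    ise_nodes = ["ise-psn1.corp.example", "ise-psn2.corp.example"]
    for fqdn, ok in check_radius_servers(nps_cert, ise_nodes).items():
        print(f"{fqdn}: {'covered' if ok else 'NOT covered by certificate'}")
```

If every ISE node comes back "NOT covered", the certificate names genuinely differ from the servers the supplicant sees; whether a given supplicant cares is a separate question, which is why the self-signed test in the thread remains the practical confirmation.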

hslai
Cisco Employee

Try this guide from Cisco Meraki -- Advanced RADIUS and WPA2 Debugging using macOS

Recently I used an EAP server certificate from a different domain than that of my ISE server and it worked fine for me.