05-03-2024 09:34 AM
Hello,
We have installed the public CA signed cert in the ISE nodes.
This is for BYOD devices, which we are not managing, so whenever Apple devices try to connect to Wi-Fi using 802.1X auth, they still need to manually trust the certificate for the connection. We don't have the same problem with Android/Windows devices.
Let me know if you guys have any suggestions.
Regards,
Kunal Shah
05-03-2024 09:41 AM
M.
05-03-2024 10:28 AM
@kshah2589 iDevices (iPads/iPhones) have to manually trust the certificates for each PSN.
Refer to the Cisco Live presentation BRKSEC-2234.
You can resolve this by using a WildSAN or MultiSAN certificate; the same certificate is used by all PSNs for the EAP authentication.
05-03-2024 11:19 AM
We are using a MultiSAN certificate, with the same certificate installed on both PSNs, but are still getting an error.
05-03-2024 10:34 AM
Sorry, can you elaborate more?
How many PSNs do you have?
What are the CN and SAN you use in your PSN identity cert?
Thanks
MHM
05-03-2024 11:21 AM
We have 2 PSNs in our environment, one on the east coast and the second on the west coast. CN = abc.domain.com, SAN1 = abc.domain.com (first PSN) and SAN2 = xyz.domain.com (second PSN).
05-03-2024 12:32 PM
OK, can you try this:
Add a new test WLAN, add the first PSN only as the AAA server, and check whether macOS can connect or not.
If it can connect, then the issue is with the SAN of the cert.
MHM
05-03-2024 01:16 PM
Thanks for the suggestions, but Android/Windows don't have the problem. Do you still want me to test?