BYOD Certificate Issue

stanislav.pilat
Level 1

Hi guys,

I've got a problem with my BYOD deployment (dual SSID) on macOS Catalina.

Everything works fine until the Network Setup Assistant tries to download a profile.
Even though the certificates of both portals ISE uses in the BYOD flow (admin & client provisioning) are signed by a public CA, the NSA shows a warning "the certificate is not valid".
If I click "continue", I'm able to successfully enroll the certificate and join the network.

When I try to connect to both these portals via Safari/Chrome, the certificate is validated as expected.

It seems to me like the NSA doesn't have rights to use the Mac's certificate store.
I know there are some changes for certificates in Catalina (SHA-1 no longer supported, etc.), but our certificates seem to match these new policies.

Using SP wizard version 2.7.0.1
ISE Version 2.4 patch 9 and also tested with 2.6

Catalina 10.15.2
I can open a TAC case, but just wanted to ask here before I do so.

Appreciate every hint ;)

Thank You.

Accepted Solutions

You already have a TAC case open so not going to duplicate efforts.

See How to Ask The Community for Help > The Community is Not TAC

stanislav.pilat
Level 1

No one? :)

hslai
Cisco Employee

IIRC... this is related to the trust settings of certificates in macOS. Similar to what is described at Adding A Certificate To The System Keychain Set To Always Trust
