06-22-2021 12:06 AM
Dear community,
I have many endpoints based on iOS and Android in the BYOD environment. With certificates in the profile pushed to the endpoint, there is a part of the profile which also contains the issuer Root CA certificate of the ISE's EAP System certificate. ISE is 2.6p7.
The endpoint itself has a certificate issued by the ISE CA. But ISE, for EAP-TLS, uses a certificate issued by another (external) CA. This ISE EAP System certificate needs to be changed to a new one, which is signed by another (new) Root CA, so that the endpoint will be able to trust the new EAP System certificate during the handshake. Due to the lack of the new Root CA certificate on the endpoint, the connection of the endpoint to the BYOD SSID does not work properly and fails.
Is it possible to send the full certificate chain during the initial handshake, containing the new Root CA certificate? Will the endpoint work with that change?
In ISE's Trusted Certificates menu, under the particular Root CA certificate, there is a checkbox:
06-28-2021 09:50 AM
A client device can only have one profile for a given Wi-Fi. IOW, you can't have two different Wi-Fi profiles for the same SSID. Also, on Android you need to select a Root CA for a given SSID, so you can't tie two roots to a single Wi-Fi profile.
Yes, ISE can only support a single EAP certificate, but if this is temporary, you can bring up another ISE instance with a different EAP certificate for a separate SSID. Once you have migrated all users, you can decommission one of the ISE instances and the SSID.
06-28-2021 09:02 AM
You will need to go through the BYOD flow to get the proper certificate chain. ISE will send the whole chain during authentication, but if the client doesn't trust it due to a mismatch, authentication will fail. You can overcome this by going through the flow again so the client and ISE match.
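An added example, not code from this thread or from Cisco ISE, that models the point above: the EAP server can present its whole chain, root included, but the supplicant only accepts a path that ends at a root CA configured in the Wi-Fi profile's trust store. It builds a constructed test PKI with the `cryptography` library; the names "Old Root CA", "New Root CA" and `ise.example.test` are placeholders.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    # Constructed test PKI: minimal self-signed roots and an EAP server leaf.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn)).public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def supplicant_accepts(server_chain, profile_roots):
    # Model of the supplicant's check: follow issuer links from the leaf, verifying each
    # signature, and accept only on reaching a root from the profile's trust store.
    anchors = {r.fingerprint(hashes.SHA256()) for r in profile_roots}
    pool = list(server_chain) + list(profile_roots)  # server's certs are issuer candidates, never anchors
    cert = server_chain[0]
    for _ in range(len(pool)):  # bounded walk, so a malformed chain cannot loop
        if cert.fingerprint(hashes.SHA256()) in anchors:
            return True
        issuer = next((c for c in pool if c.subject == cert.issuer and c is not cert), None)
        if issuer is None:
            return False  # path ends without reaching a trusted root
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
        cert = issuer
    return False

# Constructed example: old root (in today's BYOD profile), new external root, new EAP cert.
old_root_key, new_root_key, eap_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
OLD_ROOT = make_cert("Old Root CA", old_root_key, "Old Root CA", old_root_key, True)
NEW_ROOT = make_cert("New Root CA", new_root_key, "New Root CA", new_root_key, True)
NEW_EAP = make_cert("ise.example.test", eap_key, "New Root CA", new_root_key, False)

def check(profile_roots):
    # ISE sends leaf plus its new root; the profile's trust store still decides.
    return supplicant_accepts([NEW_EAP, NEW_ROOT], profile_roots)
```

With the old profile the walk reaches "New Root CA" but has no anchor for it, so the handshake is rejected; only a profile that carries the new root (re-onboarding) accepts the same chain.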
06-28-2021 09:36 AM
So I have to do new onboarding for all endpoints?
But I have over 300 BYOD clients.
I cannot create a new SSID, because ISE does not support two EAP certificates.
Is it even possible to add a new root CA to the BYOD profile? Then new devices would have two Root CAs (the old one and the new one).