BYOD iOS/Android profiles - EAP-TLS when ISE using EAP System certificate signed by different Root CA than is in BYOD profile

Filip Po

Dear community,

I have many endpoints running iOS and Android in a BYOD environment. Among the certificates in the profile pushed to the endpoint, there is a part of the profile that also contains the issuer Root CA certificate of ISE's EAP System certificate. ISE is 2.6p7.


The endpoint itself has a certificate issued by the ISE CA. But for EAP-TLS, ISE uses a certificate issued by another (external) CA. This ISE EAP System certificate needs to be changed to a new one, which is signed by another (new) Root CA, so the endpoint must then be able to trust the new EAP System certificate during the handshake procedure. Because the new Root CA certificate is missing on the endpoint, the endpoint's connection to the BYOD SSID does not work properly and fails.


Is it possible to send the full certificate chain during the initial handshake, containing the new Root CA certificates? Will the endpoint work with that change?


In ISE's Trusted Certificates menu, under the particular Root CA certificate, there is a checkbox:

Trust for certificate based admin authentication
Will this option make ISE send the whole chain? Will the endpoint trust ISE's new EAP certificate instead of the one in the pushed BYOD profile?
For example, I have attached an iOS profile; the arrow points to the Root CA certificate which should not be used anymore because of the new Root CA and new EAP System certificate of ISE.
Accepted Solution

A client device can only have one profile for a given Wi-Fi network. IOW, you can't have two different Wi-Fi profiles for the same SSID. Also, on Android you need to select a Root CA for a given SSID, so you can't tie two roots to a single Wi-Fi profile.

Yes, ISE can only support a single EAP certificate, but if this is temporary, you can bring up another ISE instance with a different EAP certificate for a separate SSID. Once you have migrated all users, you can decommission one of the ISE instances and the SSID.


3 Replies

Cisco Employee

You will need to go through the BYOD flow to get the proper certificate chain. ISE will send the whole chain during authentication, but if the client doesn't trust it due to a mismatch, authentication will fail. You can overcome this by going through the flow again so the client and ISE match.
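The point made in both the accepted solution and the reply above, reproduced as an added example that is not from the thread or from Cisco: a server (here standing in for ISE) can send its whole chain, including the new root, but the client only uses the sent certificates as untrusted intermediates and still requires the root to be in its own trust store (the BYOD profile). The script assumes an OpenSSL command-line tool on PATH; the CA names "old-root" and "new-root" and the server name "ise.example.com" are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): why "just send the full chain" cannot
# fix a BYOD profile that still anchors on the old Root CA.
# Assumptions: openssl CLI available; all names below are invented.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# EAP server certificate (the "EAP System certificate"), issued by the given root.
make_eap_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ise.example.com" \
        -keyout "$WORK/ise.key" -out "$WORK/ise.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 825 -sha256 -out "$WORK/ise.pem" 2>/dev/null
}

# What the supplicant does: the chain received in the EAP-TLS handshake is
# only -untrusted material; the anchor ($1) must already be on the device.
# Prints "ok" or "fail".
verify_with_anchor() {
    if openssl verify -CAfile "$WORK/$1.pem" \
        -untrusted "$WORK/chain-sent-by-ise.pem" "$WORK/ise.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_root old-root      # root currently embedded in the pushed BYOD profile
make_root new-root      # root that signs the replacement EAP certificate
make_eap_cert new-root
# Everything the server would send in the handshake: leaf plus the new root.
cat "$WORK/ise.pem" "$WORK/new-root.pem" > "$WORK/chain-sent-by-ise.pem"

echo "profile anchor = old-root: $(verify_with_anchor old-root)"   # fail
echo "profile anchor = new-root: $(verify_with_anchor new-root)"   # ok
```

The first result is the failure described in the question: the device still anchors on the old root, so the new root arriving inside the handshake is just another untrusted certificate. The second result is what re-running the BYOD flow achieves: the profile then carries the new root as an anchor, and the same chain verifies.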