07-03-2019 08:34 PM
Hi experts
I’m carrying out a POC that involves single-SSID BYOD with Apple iOS 12.3.1, ISE 2.4 Patch 6 and WLC 8.8.100, and I'm hitting an issue where there doesn’t appear to be a setting on an Apple iPhone on 12.3.1 to accept the root certificate pushed down from ISE. I'm not using any MDM, and ISE is the CA that's issuing the certificates for BYOD devices.
In iOS versions before 12.3.1, it appears that I can manually trust the certificate from ISE by following the steps described in https://support.apple.com/en-sg/HT204477, and then continue with the BYOD process.
In the test iPhone I had running 12.3.1 there’s no option to trust the certificate from ISE as described in the link above, and hence I’m not able to onboard the device. Any advice is appreciated.
07-04-2019 06:31 AM
07-04-2019 06:31 PM
Hi Surendra and Hsing-Tsu:
Thanks for your response. I understand there are 2 items downloaded to the iOS device - the wireless profile and the ISE certificate, is that correct?
Since ISE is the CA for BYOD devices in my POC, I must ensure that the SAN of the ISE certificate is populated with the FQDN?
Let me also check on the rest of the prerequisite certificate attributes as mentioned in CSCvm57650.
07-05-2019 08:00 AM
... I understand there are 2 items downloaded to the iOS device - the wireless profile and the ISE certificate, is that correct?
Also, some Apple iDevices, especially Apple iPhone and Apple iPod Touch, are not doing cert-based auth after CoA terminate and re-authentication, unless you manually disconnect and reconnect to the Wi-Fi network.
Since ISE is the CA for BYOD devices in my POC, I must ensure that the SAN of the ISE certificate is populated with the FQDN?
Either the portal FQDN as a DNS entry in the SAN of the ISE server certificate used for the portal, or a wildcard entry that matches the portal FQDN. This has been an issue observed with the Google Chrome browser. I have not seen a report on BYOD Apple devices. Nonetheless, it's a general good practice.
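A check for the SAN advice in the reply above, as an added example that is not part of the original thread or of any Cisco tooling: it tests whether a portal FQDN is covered by a certificate's SAN DNS entries, either exactly or by a wildcard. The host names are constructed, and the strict wildcard rules (whole leftmost label only, exactly one label) are an assumption modelled on RFC 6125; individual clients may differ.

```python
# Added example: is the portal FQDN covered by the certificate's SAN DNS entries?
# Assumption: strict RFC 6125-style matching. All host names are constructed.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_entry_matches(entry, fqdn):
    """Return True if one SAN dNSName entry covers fqdn."""
    pat, host = _labels(entry), _labels(fqdn)
    if len(pat) != len(host):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Wildcard must be the whole leftmost label, with at least two labels
        # after it, so an entry such as "*.com" is rejected.
        return len(pat) >= 3 and pat[1:] == host[1:]
    if any("*" in label for label in pat):
        # Partial ("by*") or non-leftmost wildcards are not accepted here.
        return False
    return pat == host

def portal_covered(san_dns_entries, portal_fqdn):
    """Return the SAN entries that cover portal_fqdn (empty list = mismatch)."""
    return [e for e in san_dns_entries if san_entry_matches(e, portal_fqdn)]

# Constructed SAN lists for three hypothetical portal certificates.
SAN_NODE_ONLY = ["ise01.example.com"]                      # node name only
SAN_WITH_PORTAL = ["ise01.example.com", "byod.example.com"]  # explicit portal entry
SAN_WILDCARD = ["ise01.example.com", "*.example.com"]      # wildcard entry

if __name__ == "__main__":
    certs = [("node only", SAN_NODE_ONLY),
             ("portal entry", SAN_WITH_PORTAL),
             ("wildcard", SAN_WILDCARD)]
    for label, san in certs:
        for fqdn in ("byod.example.com", "byod.wifi.example.com"):
            hits = portal_covered(san, fqdn)
            print(f"{label:13} {fqdn:24} -> {hits or 'NOT COVERED'}")
```

Note that the wildcard certificate does not cover a portal name one level deeper, such as `byod.wifi.example.com`.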
07-04-2019 01:00 PM
In Surendra's response, most items are documented in CSCvm57650.
CSCvp54992 and CSCvp54949 are tracking some additional issues seen since Apple iOS 12.2.
07-08-2019 05:24 AM
CSCvp54992 and CSCvp54949 are marked as fixed in patch ISE 2.4 Patch 9. What is the new BYOD portal experience with iOS? Does anyone have slides?
07-08-2019 07:34 AM
I checked http://cs.co/ise-byod and found the known issues section.
There is a video there. Apple unfortunately changed all these experiences. I would recommend reaching out to them as well.
I just went through onboarding with Xfinity WiFi and had the same experience, where Settings no longer auto-launches as Apple requires manual intervention. Seems like a bad user experience. We have sent our feedback to them as well.
07-08-2019 10:34 AM
Now that ISE 2.4 patch 9 is out can someone make a video of the BYOD for iOS 12.2 or later on ISE 2.4 patch 9? Patch 9 supposedly contained some "fixes" for this.
07-10-2019 09:31 AM
I think Jason meant this link ISE BYOD Endpoint Notes/Issues, which has a video under iOS devices > 12.2
07-11-2019 10:12 AM
@hslai wrote:
I think Jason meant this link ISE BYOD Endpoint Notes/Issues, which has a video under iOS devices > 12.2
Correct, that video is what you see. I checked with engineering and there is nothing different; in CSCvp54949 (BYOD flow is broken in iOS 12.2) they fixed the issue with the page timing out. We don't likely have control but are working with Apple to make sure the flow gets improved where possible. Please do reach out to Apple and complain as well.