BYOD issues with Apple iOS 12.3.1, ISE 2.4 Patch 6 and WLC 8.8.100

Chian Chong Wong
Cisco Employee

Hi experts

I’m carrying out a POC that involves single-SSID BYOD with Apple iOS 12.3.1, ISE 2.4 Patch 6 and WLC 8.8.100, and I am hitting an issue where there doesn’t appear to be a setting on an Apple iPhone on 12.3.1 to accept the root certificate pushed down from ISE. I'm not using any MDM, and ISE is the CA that's issuing the certificate for the BYOD device.

In iOS versions before 12.3.1, it appears that I can manually trust the certificate from ISE by following the steps described in https://support.apple.com/en-sg/HT204477 , and then continue with the BYOD process.

On the test iPhone I had running 12.3.1 there’s no option to trust the certificate from ISE as described in the link above, and hence I’m not able to onboard the device. Any advice is appreciated.

Accepted Solution

Surendra
Cisco Employee
There have been a lot of restrictions from Apple with respect to the certificates its devices accept. Make sure your certificates meet the following requirements:

Be signed with one of the following types of keys:

1. RSA key with a length of at least 2048 bits
2. ECC key with a size of at least 256 bits
3. The certificate's hashing algorithm must be SHA-2 with a digest length (sometimes called a "fingerprint") of at least 256 bits (that is, SHA-256 or greater).
4. The SAN field of the certificates in the chain should be populated with the appropriate FQDN, since CN is obsolete now.

The above recommendations may fix your problem.

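As an added example (not part of the thread, and not a Cisco or Apple tool), the following POSIX shell script uses the openssl CLI to check a PEM certificate against the four constraints listed in the accepted answer: an RSA key of at least 2048 bits or an EC key of at least 256 bits, a SHA-256-or-stronger signature hash, and a DNS entry in the subjectAltName. The script also builds three constructed self-signed test certificates so it runs offline; the FQDN ise.example.com and the wildcard *.example.com are assumptions, not values from the thread. In practice you would run check_apple_cert against each PEM file of the ISE system certificate and its CA chain as exported from ISE.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the Apple constraints
# quoted in the accepted answer. Requires the openssl CLI (1.1.1 or 3.x).
#   - RSA key >= 2048 bits, or EC key >= 256 bits
#   - signature hash SHA-256 or stronger
#   - at least one DNS entry in subjectAltName
# Returns 0 when every check passes, 1 otherwise, printing one FAIL line
# per violated constraint.
check_apple_cert() {
  cert="$1"
  txt=$(openssl x509 -in "$cert" -noout -text) || return 1
  rc=0

  # Key type and size. OpenSSL 1.1.1 prints "RSA Public-Key: (2048 bit)",
  # OpenSSL 3 prints "Public-Key: (2048 bit)"; the pattern matches both.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL $cert: RSA key is ${bits:-?} bits, need >= 2048"; rc=1; }
  elif printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    [ "${bits:-0}" -ge 256 ] || { echo "FAIL $cert: EC key is ${bits:-?} bits, need >= 256"; rc=1; }
  else
    echo "FAIL $cert: key type is neither RSA nor EC"; rc=1
  fi

  # Signature hash: the first "Signature Algorithm" line is the one in the
  # signed part of the certificate (sha256WithRSAEncryption, ecdsa-with-SHA256, ...).
  sigalg=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
    *) echo "FAIL $cert: signature hash '$sigalg' is not SHA-256 or stronger"; rc=1 ;;
  esac

  # SAN: the line following the extension header carries the entries.
  san=$(printf '%s\n' "$txt" | awk '/X509v3 Subject Alternative Name/ { getline; print }')
  case "$san" in
    *DNS:*) ;;
    *) echo "FAIL $cert: no DNS entry in subjectAltName (a CN alone is not enough)"; rc=1 ;;
  esac

  [ "$rc" -eq 0 ] && echo "PASS $cert"
  return "$rc"
}

# Constructed self-signed test certificates (assumed FQDN ise.example.com).
# Writes good.pem, ec.pem and bad.pem into the directory given as $1.
make_test_certs() {
  dir="$1"
  # compliant: RSA 2048, SHA-256, SAN populated with the portal FQDN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=ise.example.com" -addext "subjectAltName=DNS:ise.example.com" \
    -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  # compliant: EC P-256, SHA-256, wildcard SAN covering the portal FQDN
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 -sha256 \
    -subj "/CN=ise.example.com" -addext "subjectAltName=DNS:*.example.com" \
    -keyout "$dir/ec.key" -out "$dir/ec.pem" 2>/dev/null
  # non-compliant: RSA 1024 and CN only, no SAN
  openssl req -x509 -newkey rsa:1024 -nodes -days 1 -sha256 \
    -subj "/CN=ise.example.com" \
    -keyout "$dir/bad.key" -out "$dir/bad.pem" 2>/dev/null
}

# Usage: generate the constructed certificates and check each one.
run_demo() {
  dir=$(mktemp -d)
  make_test_certs "$dir"
  check_apple_cert "$dir/good.pem"
  check_apple_cert "$dir/ec.pem"
  check_apple_cert "$dir/bad.pem"
  rm -rf "$dir"
}
```

The script inspects one certificate at a time and does not validate the chain itself, so run it against the ISE server certificate and every CA certificate in the chain separately; a weak key or missing SAN anywhere in the chain is enough for an Apple device to reject it. The wildcard case is there because, as noted later in the thread, a wildcard SAN that matches the portal FQDN is acceptable.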

9 Replies


Hi Surendra and Hsing-Tsu:

Thanks for your response. I understand there are 2 items downloaded to the iOS device, the wireless profile and the ISE certificate, is that correct?

Since ISE is the CA for BYOD devices in my POC, I must ensure that the SAN of the ISE certificate is populated with the FQDN?

Let me also check on the rest of the prerequisite certificate attributes as mentioned in CSCvm57650.

... I understand there are 2 items downloaded to the iOS device, the wireless profile and the ISE certificate, is that correct?

Also, some Apple iDevices, especially Apple iPhone and Apple iPod Touch, are not doing cert-based auth after CoA terminate and re-authentication unless they are manually disconnected and reconnected to the Wi-Fi network.

Since ISE is the CA for BYOD devices in my POC, I must ensure that the SAN of the ISE certificate is populated with the FQDN?

Either the portal FQDN as a DNS entry in the SAN of the ISE server certificate used for the portal, or a wildcard entry that matches the portal FQDN. This has been an issue observed with the Google Chrome browser. I have not seen a report on BYOD Apple devices. Nonetheless, it's a general good practice.

hslai
Cisco Employee

In Surendra's response, most items are documented in CSCvm57650.

CSCvp54992 and CSCvp54949 are tracking some additional issues seen since Apple iOS 12.2.

CSCvp54992 and CSCvp54949 are marked as fixed in ISE 2.4 Patch 9. What is the new BYOD portal experience with iOS? Does anyone have slides?

I checked http://cs.co/ise-byod and found the known issues section.

There is a video there. Apple unfortunately changed all these experiences. I would recommend reaching out to them as well.

I just went through onboarding with Xfinity Wi-Fi and had the same experience, where Settings no longer auto-launches, as Apple requires manual intervention. It seems like a bad user experience. We have sent our feedback to them as well.

Now that ISE 2.4 Patch 9 is out, can someone make a video of BYOD for iOS 12.2 or later on ISE 2.4 Patch 9? Patch 9 supposedly contained some "fixes" for this.

 

I think Jason meant this link ISE BYOD Endpoint Notes/Issues, which has a video under iOS devices > 12.2


@hslai wrote:

I think Jason meant this link ISE BYOD Endpoint Notes/Issues, which has a video under iOS devices > 12.2


Correct, that video is what you see. I checked with engineering and there is nothing different; in CSCvp54949 (BYOD flow is broken in iOS 12.2) they fixed the issue with the page timing out. We don't likely have control, but we are working with Apple to make sure the flow gets improved where possible. Please do reach out to Apple and complain as well.