2171 Views, 5 Helpful, 6 Replies

Certificate for BYOD

Madura Malwatte
Level 4

ISE 2.3 patch 5
I am doing BYOD and currently the certificate that gets presented to BYOD users is the one issued by our internal PKI. This presents an issue, as the browser does not trust the CA by default (and will potentially cause issues with Apple devices too). I want to change the presented certificate for BYOD from our internal PKI one to our public GoDaddy wildcard cert (currently used for portals), which will be automatically trusted by browsers / machines.
Does this mean that under System Certificates page, I need to move the "EAP Authentication" option usage to the godaddy cert? "EAP Authentication" option is currently selected under our internal PKI, but will this break internal corporate device EAP-TLS authentication if the option is now moved to the public cert?
How do I select the certificate to present just for BYOD?

2 Accepted Solutions

Francesco Molino
VIP Alumni
Hi

You're talking about the certificate presented at the beginning of the process, not the certificate delivered to users, right?
If so, this is the RADIUS identity cert, and yes, you need to select your public CA cert and check the box EAP Authentication.

However, just to let you know:
- even if you present a public cert, the RADIUS identity cert isn't trusted anymore on Apple devices and you'll still get the message to trust the certificate.
- on Windows 10 machines, presenting a wildcard certificate could lead you to issues as they don't support them (I get these issues with multiple customers).

Better to use a publicly signed certificate than a wildcard one, also for security purposes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Windows 10 machines support wildcard certs just fine; I use them in nearly every deployment due to their flexibility.

The key is you can't have the wildcard in the CN, it has to be in the SAN.

Something for the OP to watch out for, though, is the public CA you get a certificate from. For example, DigiCert High Assurance EV intermediate certs are missing from Android and Apple phones. They have the root but end up not trusting the cert issued due to this. A well-known CA is critical to avoid this. Android and Apple have docs published that list the pre-installed trust store, which should be evaluated first.

6 Replies

Yes, this is the certificate presented at the start of the process, in my case the guest portal where the Network Setup Assistant is downloaded.
Will moving the EAP Authentication option to the public CA cert break anything else that uses the internal CA (such as corporate devices that use an internal CA certificate for machine authentication)?

Changing the EAP certificate won't break anything. This is a RADIUS identity certificate, that's it. Your corporate devices will still be able to authenticate.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Okay, so I added the EAP Authentication option to my public cert, but Windows still doesn't seem to like it, even though the root is already included in its trust store.

[Screenshot: byod-godaddy-cert-warning2.PNG]


Our public cert was originally purposed for portals and it does have a wildcard in the CN (*.ise.company.com); I guess this is the reason for the above? And I can't use a new public cert with CN ise.company.com if I have the same CN for the internal wildcard cert, right? So does this mean I need another public wildcard purely for EAP authentication with, say:

CN - byod.ise.company.com

SAN - *.ise.company.com, byod.ise.company.com
or could I just update the current public cert to CN public.ise.company.com (with SAN: *.ise.company.com, public.ise.company.com), then use it for both portals and EAP authentication?
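The two layouts under discussion (the accepted answer's "wildcard in the SAN, not the CN" rule and the OP's proposed CN/SAN combinations) can be checked mechanically. The script below is an added example, not from the thread or from Cisco: it mints two throw-away self-signed certs with openssl that mirror the current cert and the proposed one, then classifies each by where the wildcard sits. It assumes openssl 1.1.1 or newer; the hostnames are the OP's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build two throw-away self-signed certs
# that mirror the layouts discussed above and report where the wildcard sits.
# Assumes openssl 1.1.1+ (for -addext); hostnames are the OP's placeholders.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed test cert with the given CN and SAN list.
make_test_cert() {  # $1=output pem  $2=CN  $3=SAN list, e.g. DNS:a,DNS:b
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -keyout "$WORK/key.pem" -out "$1" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Classify a cert for EAP use: "wildcard-cn" when the CN itself is a wildcard
# (the layout behind the OP's warning), "no-fqdn-san" when the SAN carries
# only wildcards, otherwise "ok" (an FQDN is present, wildcard only in the SAN).
eap_cert_layout() {  # $1=pem file
  cn="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')"
  sans="$(openssl x509 -in "$1" -noout -text |
          grep -A1 'Subject Alternative Name' | tr ',' '\n' |
          sed -n 's/^ *DNS:\(.*\)$/\1/p')"
  case "$cn" in
    "*"*) echo "wildcard-cn"; return 0 ;;
  esac
  if printf '%s\n' "$sans" | grep -q '^[^*]'; then
    echo "ok"
  else
    echo "no-fqdn-san"
  fi
}

# The cert currently bound to EAP Authentication: wildcard in the CN.
make_test_cert "$WORK/current.pem" '*.ise.company.com' 'DNS:*.ise.company.com'
# The layout proposed in the thread: FQDN in the CN, wildcard only in the SAN.
make_test_cert "$WORK/proposed.pem" 'byod.ise.company.com' \
  'DNS:*.ise.company.com,DNS:byod.ise.company.com'

printf 'current:  %s\n' "$(eap_cert_layout "$WORK/current.pem")"   # wildcard-cn
printf 'proposed: %s\n' "$(eap_cert_layout "$WORK/proposed.pem")"  # ok
```

Point the same function at the real GoDaddy-issued PEM (exported from ISE) to confirm which layout it has before binding it to EAP Authentication.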

The security warning pop-up window is normal, if that is what you meant by "... windows still doesn't seem to like it". As far as I know, EAP clients do not insist that the hostname match exactly in the EAP server certificate.