12-03-2017 06:41 AM
Hi,
I am doing a POC for my customer on ISE 2.2 patch 4. We tried the BYOD provisioning flow using ISE as CA on a Windows 10 endpoint connected to a Cisco 2960S switch.
The provisioning process completed successfully, and I can see that the certificate is issued by ISE to the endpoint. However, when I checked on the endpoint, I can’t find it installed in any certificate store (machine or user).
Can anybody shed some light on how to troubleshoot this issue? Appreciate any input.
Thank you,
Wiyandi
12-03-2017 01:09 PM
Please check out the how to guides for BYOD for step by step procedures using certificates and for on-boarding.
Also I am assuming that after the registration, the endpoint was able to access the network successfully.
ISE Design & Integration Guides
If you can authenticate successfully I don't see a problem. Make sure you are logging in as administrator for opening local and machine cert.
-Krishnan
12-03-2017 05:36 PM
Hi Krishnan,
Thanks.
The problem is that although Cisco Network Assistant shows as completed, authentication using EAP-TLS fails. I don't even see a RADIUS authentication attempt using the certificate.
12-04-2017 06:01 PM
If the Windows user itself is not a local admin user, then the certificate is installed under the certificate store of the local admin user whose credentials are used when prompted for UAC. I would suggest either using the local admin user or adding the Windows user to the local admin group.
12-12-2017 07:53 AM
Hi hslai,
Thank you. You are right.
So, if the customer does not have any CA / PKI setup, I presume that ISE as a CA can’t be used as an alternative for issuing client certificates, because on company-controlled machines users normally do not have admin rights to the machine. Am I right?
12-12-2017 07:56 AM
ISE internal CA is to be used for our BYOD automated process for machines where users have rights to install certs; otherwise you need a way to automate