Cisco ISE 2.2 BYOD onboarding and certificates problem

Hey guys

our company is using a Cisco ISE 2.2 and BYOD on a dual SSID design and so far it works well. But now I would like to use a public certificate for the captive portal and I have some problems with understanding the concept.

Actual Design

Cisco ISE 2.2

Hostname: ise-server-01.enterprise.local

Certificates:

1. Corporate PKI used as CA (named Enterprise CA, signs certificates for Domain enterprise.local)

2. Server certificate for Admin and Portal usage signed for ise-server-01.enterprise.local

3. BYOD uses ISE internal CA in standalone mode (not subordinate of Enterprise CA) to generate and sign client certificates

Goal

Use a wildcard certificate for public enterprise domain enterprise.com on BYOD captive portal, so the user does not get a certificate warning, when connecting a new device to the byod onboarding SSID.

Tested

1. Installed the Public Root CA (eg. DigiCert) on ISE Trusted Certificates store

2. Installed the wildcard certificate for *.enterprise.com on ISE for Portal usage (BYOD captive portal)

3. Configured a redirect to byod.enterprise.com, so the clients get redirected to the BYOD captive portal

-> So far, so good, the client does not get a certificate warning anymore, because the captive portal answers on byod.enterprise.com:

See attachment ise-byod-1.jpg.

When the user completes the BYOD process, the Cisco Network Setup Assistant gets downloaded and it tries to connect to byod.enterprise.com:

See attachment ise-byod-2.jpg.

BUT now the user gets presented the ISE certificate for the Admin usage with ise-server-01.enterprise.local:

See attachment ise-byod-3.jpg.

1. Why is the Admin usage certificate presented (not even the EAP usage, because this is another / third certificate!)

2. If the user continues, an SSL error occurs while generating and creating the BYOD client certificate:

See attachment ise-byod-4.jpg.

Maybe others have to deal with this and can clarify why the Admin usage certificate is used in this process and if I have to use the wildcard certificate *.enterprise.com as Admin usage certificate (this means I will have to move the ISE server from domain enterprise.local to enterprise.com!)?

Thanks a lot in advance and best regards

Dominic
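The question above comes down to one check: for each TLS port the onboarding client touches, which certificate does the node actually present when the client asks for byod.enterprise.com, and does that certificate's CN/SAN cover that name? The script below is an added diagnostic for that check; it is not from the original post, from Cisco, or from any ISE documentation. It uses only the Python standard library. The hostnames, the port list (443 and 8443 are assumed here as the admin and portal listeners; adjust to the deployment) and the two sample certificate dicts are constructed for illustration. The name-matching routine follows the RFC 6125 rule that a wildcard covers exactly one left-most label, which is why *.enterprise.com matches byod.enterprise.com but can never match ise-server-01.enterprise.local.

```python
"""Added diagnostic example (not code from the original post or from Cisco).

Connect to each TLS port of an ISE node with SNI set to the redirect name,
report which certificate is presented, and check whether its SAN/CN covers
that name. Ports, hostnames and the sample certificates are constructed.
"""
from __future__ import annotations

import socket
import ssl
from typing import Callable, Iterable


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard may only be the whole left-most label
    and covers exactly one label, so *.enterprise.com does not cover
    a.b.enterprise.com, enterprise.com, or anything under enterprise.local."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, host_rest = host.partition(".")
    return bool(sep) and head != "" and host_rest == pattern[2:]


def cert_names(cert: dict) -> list[str]:
    """dNSName SAN entries; fall back to subject CN only when no DNS SAN exists
    (the same precedence browsers apply)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_covers_host(cert: dict, host: str) -> bool:
    return any(_label_match(name, host) for name in cert_names(cert))


def fetch_peer_cert(host: str, port: int, sni: str, cafile: str | None = None,
                    timeout: float = 5.0) -> dict:
    """Return the presented leaf certificate in ssl.getpeercert() dict form.
    The chain is verified (against cafile, e.g. the corporate CA) so the dict
    is populated, but hostname checking is left to us so a mismatch is
    reported instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def audit_ports(host: str, sni: str, ports: Iterable[int], cafile: str | None = None,
                fetch: Callable[..., dict] = fetch_peer_cert) -> list[dict]:
    """One result per port: names on the presented cert, whether it covers
    the SNI name, and any connection/verification error (also a finding)."""
    results = []
    for port in ports:
        entry = {"port": port, "names": [], "covers": False, "error": None}
        try:
            cert = fetch(host, port, sni, cafile)
            entry["names"] = cert_names(cert)
            entry["covers"] = cert_covers_host(cert, sni)
        except OSError as exc:  # ssl.SSLError (incl. verification errors) is an OSError
            entry["error"] = f"{type(exc).__name__}: {exc}"
        results.append(entry)
    return results


# Constructed sample certificates in getpeercert() dict shape (not real ISE output).
WILDCARD_PORTAL_CERT = {
    "subject": ((("commonName", "*.enterprise.com"),),),
    "subjectAltName": (("DNS", "*.enterprise.com"), ("DNS", "enterprise.com")),
}
ADMIN_CERT = {
    "subject": ((("commonName", "ise-server-01.enterprise.local"),),),
    "subjectAltName": (("DNS", "ise-server-01.enterprise.local"),),
}
ASSUMED_PORTS = (8443, 443)  # assumed portal and admin listeners; adjust to the deployment


def _fake_fetch(host, port, sni, cafile=None):
    """Offline stand-in for fetch_peer_cert modelling the symptom in the post."""
    return {8443: WILDCARD_PORTAL_CERT, 443: ADMIN_CERT}[port]


if __name__ == "__main__":
    # Swap _fake_fetch for fetch_peer_cert (and pass cafile) to query a live node.
    for r in audit_ports("byod.enterprise.com", "byod.enterprise.com", ASSUMED_PORTS,
                         fetch=_fake_fetch):
        status = "OK" if r["covers"] else "MISMATCH"
        print(f"port {r['port']}: {status} names={r['names']} error={r['error']}")
```

Run against a real node, a port that reports MISMATCH with the .enterprise.local names is exactly the listener that is still serving the Admin usage certificate; a port that reports a verification error means the client would have to trust the signing CA before the name check even matters.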

2 Replies

Octavian Szolga
Level 4

Hi Dominic,


I don't have a link from the official documentation, but I do have a picture from a TAC presentation regarding ISE :)

Capture15.PNG


Regards,

Octavian

ipagliani
Level 1

Hi,

Did you resolve it? How?


Thanks