rhuel.phils
Beginner

Client behavior with dot1x connecting to ISE requires user to accept certificate

Guys,

Our scenario here: when a mobile device (iOS/Android) connects to our wireless for the first time, it needs to accept the trust certificate.

Is there a way to disable issuing the certificate for a particular SSID but still have the device log in using 802.1X?

Regards,

Ruel

Accepted Solution
Jason Kunst
Cisco Employee

iOS devices will always require you to manually trust a certificate for the first connection (even if it's well known); this is Apple's decision. The only way around that is to push a profile to it (via the BYOD process on ISE or MDM enrollment), which kinda defeats the purpose of easy connection.

I haven't played around with Android in a while.

You cannot disable it; it's part of the dot1x communication to trust the certificate presented by the AAA server.

Also, when roaming to another ISE PSN the user would have to do this again unless you have deployed a well-known certificate with a wildcard in the SAN or a certificate with all of the ISE PSN names prepopulated.

Here is some good reading on the matter:

https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#ID121

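To check ahead of deployment that one AAA server certificate covers every PSN a supplicant might roam to (the point made in the answer above), here is an added example that is not from this thread or from Cisco: it applies RFC 6125 wildcard rules to a list of SAN dNSName entries against a constructed set of PSN hostnames.

```python
"""Check whether one AAA server certificate's SAN list covers every ISE PSN
hostname, so a supplicant that trusted the cert on one PSN is not prompted
again when it roams to another PSN.

Added example, not code from the original thread or from Cisco ISE. PSN
names and SAN entries below are constructed for illustration; matching
follows RFC 6125 (wildcard only as the whole left-most label, matching
exactly one label). Only dNSName SAN entries are considered.
"""


def san_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry covers hostname (case-insensitive)."""
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # Wildcard: '*' must be the entire left-most label and match exactly one label.
    san_labels = san.split(".")
    host_labels = host.split(".")
    if len(san_labels) != len(host_labels) or len(san_labels) < 3:
        return False  # rejects '*.com'-style wildcards and multi-level matches
    return san_labels[1:] == host_labels[1:]


def uncovered_psns(san_entries: list[str], psn_hostnames: list[str]) -> list[str]:
    """PSN names that no SAN entry matches; each would trigger a fresh trust prompt."""
    return [p for p in psn_hostnames
            if not any(san_matches(s, p) for s in san_entries)]


# Constructed data: a three-PSN deployment and two candidate certificates.
PSNS = ["psn1.ise.example.com", "psn2.ise.example.com", "psn3.ise.example.com"]
WILDCARD_CERT_SANS = ["ise.example.com", "*.ise.example.com"]
EXPLICIT_CERT_SANS = ["psn1.ise.example.com", "psn2.ise.example.com"]  # psn3 forgotten

if __name__ == "__main__":
    for name, sans in [("wildcard", WILDCARD_CERT_SANS), ("explicit", EXPLICIT_CERT_SANS)]:
        missing = uncovered_psns(sans, PSNS)
        status = "covers all PSNs" if not missing else "missing " + ", ".join(missing)
        print(f"{name} cert: {status}")
```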

Replies
paul
Advocate

If you use an MDM to manage these mobile devices and push out the SSID and trust certs, they shouldn't see the cert warning. I am guessing these aren't managed devices though.
