Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
565
Views
1
Helpful
2
Replies

Client behavior with dot1x connecting to ISE requires user to accept certificate

Go to solution
rhuel.phils
Level 1
Level 1

‎03-28-2018 01:13 AM

Guys,

Our scenario here when a mobile device IOS/Android connect to our wireless first time they need to accept the Trust certificate.

Is there a way to disable the issue of certificate to a particular SSID but the device still login using 802.x?

Regards,

Ruel

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-28-2018 05:11 AM

iOS devices will allows require you to manually trust a certificate for the first connection (even if it’s well known), this is apples decision, the only way around that is to push a profile to it (via BYOD process on ISE or mdm enrollment) this kinda defeats the purpose of easy connection

I haven’t played around with Android in a while

You can not disable it, it’s part of dot1x communication to trust the certificate presented from the AAA server

Also when roaming to another ISE psn the user would have to do this again unless you have deployed a well known certificate with a wildcard in the SAN or a certificate with all of the ISE psn names prepopulated

Here is some good reading on the matter

https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#ID121

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-28-2018 05:11 AM

iOS devices will allows require you to manually trust a certificate for the first connection (even if it’s well known), this is apples decision, the only way around that is to push a profile to it (via BYOD process on ISE or mdm enrollment) this kinda defeats the purpose of easy connection

I haven’t played around with Android in a while

You can not disable it, it’s part of dot1x communication to trust the certificate presented from the AAA server

Also when roaming to another ISE psn the user would have to do this again unless you have deployed a well known certificate with a wildcard in the SAN or a certificate with all of the ISE psn names prepopulated

Here is some good reading on the matter

https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#ID121

0 Helpful

Go to solution
paul
Level 10
Level 10

‎03-28-2018 06:20 AM

If you use an MDM to manage these mobile devices and push out the SSID and trust certs they shouldn't see the cert warning.  I am guessing these aren't managed devices though.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents