Solved: EAP cert change - problems on Apple IOS devices

tuenoerg · ‎12-06-2016

Hi all,

A lot of iPhones and iPads has been provisioned by ISE with NSP. This works fine and everyone is happy. Now comes the time to renew the EAP certificate of the ISE installation.

The new certificate has the same common name and the same root CA, but another intermediate/issuing CA.

When the EAP certificate is changed on ISE, the provisioned I devices are unable to connect to the network again, until the provisioned profile on the device is uninstalled and the device is reprovisioned.

If we test on a manual configured device, the device is also unable to connect to the wireless, but in this case it is enough to just accept the new certificate.

Are there any workarounds to this issue, so the endusers only has to accept the new certificate or do nothing at all?

Best regards

Tue

Oliver Laue · ‎12-06-2016

Should be working as intended. The NSP Profile should provision trust certificates to the Device, if you replace the trust chain while renewing the certificate of the ISE the device isn't aware of the new trust chain and restricts the communication.

View solution in original post

howon · ‎12-06-2016

Tue, can you provide the details on the setup? What ISE version with patch when the certificates were issued and what version are they on now? Is it using internal CA or using SCEP for BYOD?

tuenoerg · ‎12-07-2016

The iDevices are primary provisioned from ISE 1.2, but also 1.3 and 1.4. Currently the ISE is running 2.1 patch 1

They are SCEP enrolled from a MS infrastructure

howon · ‎12-08-2016

Tue, if still having issues and if not done already please contact TAC for further assistance on this.

Oliver Laue · ‎12-06-2016

Should be working as intended. The NSP Profile should provision trust certificates to the Device, if you replace the trust chain while renewing the certificate of the ISE the device isn't aware of the new trust chain and restricts the communication.