EAP cert change - problems on Apple iOS devices

tuenoerg
Cisco Employee

Hi all,

A lot of iPhones and iPads have been provisioned by ISE with NSP. This works fine and everyone is happy. Now comes the time to renew the EAP certificate of the ISE installation.

The new certificate has the same common name and the same root CA, but another intermediate/issuing CA.

When the EAP certificate is changed on ISE, the provisioned iDevices are unable to connect to the network again until the provisioned profile on the device is uninstalled and the device is reprovisioned.

If we test on a manually configured device, the device is also unable to connect to the wireless, but in this case it is enough to just accept the new certificate.

Are there any workarounds to this issue, so the end users only have to accept the new certificate or do nothing at all?

Best regards

Tue

Accepted Solutions

Oliver Laue
Level 4

Should be working as intended. The NSP profile should provision trust certificates to the device; if you replace the trust chain while renewing the certificate of the ISE, the device isn't aware of the new trust chain and restricts the communication.
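The trust behaviour described in this answer can be checked before a renewal. The following is an added example, not part of the original thread and not Cisco code: it reads an unsigned Apple configuration profile, lists the anchor certificates its Wi-Fi payload pins through `PayloadCertificateAnchorUUID`, and tests whether a new EAP server chain still contains one of them. Which certificate an NSP profile actually pins is an assumption here, and the certificate bytes, SSID and UUID are constructed stand-ins.

```python
import hashlib
import plistlib

WIFI = "com.apple.wifi.managed"
DER_CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def fp(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def pinned_anchors(profile_bytes):
    """Map each Wi-Fi SSID in the profile to the fingerprints of its pinned anchors."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    certs = {p["PayloadUUID"]: fp(p["PayloadContent"])
             for p in payloads if p.get("PayloadType") in DER_CERT_TYPES}
    out = {}
    for p in payloads:
        if p.get("PayloadType") == WIFI:
            eap = p.get("EAPClientConfiguration", {})
            uuids = eap.get("PayloadCertificateAnchorUUID", [])
            out[p.get("SSID_STR", "")] = {certs[u] for u in uuids if u in certs}
    return out

def chain_still_trusted(anchors, chain_der):
    """Simplified check: is any certificate of the server chain a pinned anchor?"""
    return bool(anchors & {fp(c) for c in chain_der})

# Constructed stand-ins for DER certificates (not real X.509 data).
ROOT_CA = b"constructed-root-ca"
OLD_ISSUING_CA = b"constructed-old-issuing-ca"
NEW_ISSUING_CA = b"constructed-new-issuing-ca"
OLD_CHAIN = [b"constructed-old-eap-leaf", OLD_ISSUING_CA, ROOT_CA]
NEW_CHAIN = [b"constructed-new-eap-leaf", NEW_ISSUING_CA, ROOT_CA]

def build_sample_profile(anchor_der):
    """Constructed minimal profile that pins one anchor for SSID 'corp-byod'."""
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": "ANCHOR-1",
         "PayloadContent": anchor_der},
        {"PayloadType": WIFI, "SSID_STR": "corp-byod",
         "EAPClientConfiguration": {"PayloadCertificateAnchorUUID": ["ANCHOR-1"]}},
    ]})

if __name__ == "__main__":
    for label, anchor in (("issuing CA pinned", OLD_ISSUING_CA), ("root CA pinned", ROOT_CA)):
        anchors = pinned_anchors(build_sample_profile(anchor))["corp-byod"]
        print(label, "-> new chain trusted:", chain_still_trusted(anchors, NEW_CHAIN))
```

A profile exported from a device or MDM is usually CMS-signed and has to be unwrapped to the inner plist before `plistlib` can read it.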


4 Replies

howon
Cisco Employee

Tue, can you provide the details on the setup? What ISE version with patch when the certificates were issued and what version are they on now? Is it using internal CA or using SCEP for BYOD?

The iDevices are primarily provisioned from ISE 1.2, but also 1.3 and 1.4. Currently the ISE is running 2.1 patch 1.

They are SCEP enrolled from a MS infrastructure.

Tue, if still having issues and if not done already please contact TAC for further assistance on this.
