
EAP-TLS using iPhone (onboarded by Azure MDM)

aravikumar
Level 1

Hello All,

We were testing “MDM onboarded mobile device connecting to 802.1x SSID use case” in our environment. The user certificate was pushed from MDM to the test mobile endpoint along with the 802.1x settings (EAP-TLS). While connecting the endpoint to the 802.1x configured SSID, the endpoint was unable to join the network and therefore it failed authentication. The reason is that ISE was not receiving the user certificate that was configured from the endpoint during the certificate exchange. We verified this with TAC by doing a packet capture on ISE. But the user certificate was installed on the endpoint and is signed by both the root CA and the intermediate CA. In this case the test endpoint is an iPhone. Is the iPhone rejecting the certificate presented by ISE?

Thanks,

Aravind Ravikumar.

Accepted Solutions

Damien Miller
VIP Alumni
My past experience has indicated that you have to push the root, intermediate, and the ISE cert down to the iPhone with the MDM or the iPhone won't trust it. This typically manifests as repeated authentication attempts where the logs indicate the client stopped responding during EAP negotiation. It will restart at the RADIUS timeout configured on the WLC, such as every 5 seconds.


Thank you for your response. By ISE cert you mean exporting the system certificates (configured for EAP) and pushing them down to the iPhone along with the root and intermediate certs?

Yes, the system cert or certs used for EAP.

I've yet to find a way around pushing those with EAP-TLS on Apple devices.
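
As an added example (not part of the thread, and not Cisco, Microsoft or Apple code): a lint for an Apple `.mobileconfig` that checks whether the Wi-Fi payload references the root, intermediate and ISE EAP certificates the accepted answer says must be pushed. It assumes the certificates and the Wi-Fi settings sit in one profile; the UUIDs, SSID and server name are constructed, and the `TLSTrustedServerNames` check goes beyond what the thread discusses.

```python
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def lint_eap_tls_profile(profile_bytes):
    """Return findings for every Wi-Fi payload in a configuration profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration", {})
        if 13 not in eap.get("AcceptEAPTypes", []):  # 13 = EAP-TLS
            findings.append(f"{ssid}: EAP-TLS (type 13) not accepted")
        # Anchors are what let the device trust the RADIUS (ISE) certificate.
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trust anchors for the server certificate")
        for uuid in anchors:
            if by_uuid.get(uuid) not in CERT_TYPES:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames not set")
        # The client identity is the user certificate sent to the server.
        if by_uuid.get(p.get("PayloadCertificateUUID")) not in IDENTITY_TYPES:
            findings.append(f"{ssid}: no client identity payload referenced")
    return findings

def sample_profile(push_server_chain):
    """Constructed profile: user identity always present, server chain optional."""
    def cert(ptype, uuid):
        return {"PayloadType": ptype, "PayloadUUID": uuid, "PayloadContent": b"constructed"}
    certs = [cert("com.apple.security.pkcs12", "ID-1")]
    eap = {"AcceptEAPTypes": [13]}
    if push_server_chain:
        certs += [cert("com.apple.security.root", "ROOT-1"),
                  cert("com.apple.security.pkcs1", "INT-1"),
                  cert("com.apple.security.pkcs1", "ISE-EAP-1")]
        eap["PayloadCertificateAnchorUUID"] = ["ROOT-1", "INT-1", "ISE-EAP-1"]
        eap["TLSTrustedServerNames"] = ["ise.example.test"]
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-1",
            "SSID_STR": "corp-dot1x", "EncryptionType": "WPA2",
            "PayloadCertificateUUID": "ID-1", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": certs + [wifi]})

if __name__ == "__main__":
    print(lint_eap_tls_profile(sample_profile(False)))
```

The profile built with `push_server_chain=False` mirrors the setup in the question: the user certificate is present, but nothing tells the device to trust the server side of the exchange.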