Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2299
Views
0
Helpful
3
Replies

EAP-TLS using iPhone (onboarded by Azure MDM)

Go to solution
aravikumar
Level 1
Level 1

‎08-08-2019 07:30 AM - edited ‎02-21-2020 11:08 AM

Hello All,

 

We were testing “MDM onboarded mobile device connecting to 802.1x SSID use case” in our environment. The user certificate was pushed from MDM to the test mobile endpoint along with the 802.1x settings (EAP-TLS). While connecting the endpoint to the  802.1x configured SSID, the endpoint was unable to join the network and therefore it failed authentication. The reason is that  ISE was not receiving the user certificate that was configured from the endpoint during the certificate exchange. We verified  this with TAC by doing a packet capture on ISE. But the user certificate was installed on the endpoint and is signed by both the root CA  and the intermediate CA. In this case the test endpoint is iPhone. Is iPhone rejecting the certificate presented by ISE?

 

Thanks,

 

Aravind Ravikumar.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-08-2019 07:42 AM

My past experience has indicated that you have to push the root, intermediate, and the ISE cert down to the iphone with the MDM or the iphone won't trust it. This typically manifests as repeated authentication attempts where the logs indicate the client stopped responding during eap negotiation. It will restart at the radius timeout configured on the WLC, such as every 5 seconds.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-08-2019 07:42 AM

My past experience has indicated that you have to push the root, intermediate, and the ISE cert down to the iphone with the MDM or the iphone won't trust it. This typically manifests as repeated authentication attempts where the logs indicate the client stopped responding during eap negotiation. It will restart at the radius timeout configured on the WLC, such as every 5 seconds.
0 Helpful

Go to solution
aravikumar
Level 1
Level 1
In response to Damien Miller

‎08-08-2019 07:47 AM

Thank you for your response. By ISE cert you mean exporting the system certificates (configured for EAP) and pushing it down to the iPhone along with the root and intermediate cert?

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to aravikumar

‎08-08-2019 12:34 PM

Yes, the system cert or certs used for eap.

I've yet to find a way around pushing those with eap-tls on Apple devices.
0 Helpful
Customers Also Viewed These Support Documents