Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2515
Views
10
Helpful
3
Replies

iPhone and Android connections via EAP-TLS

Go to solution
s1nsp4wn
Level 1
Level 1

‎07-19-2019 07:13 AM

Thanks to the kind folks here, I've successfully configured ISE integration with my Cisco WLC to use EAP-TLS as an authentication method for iPhone and Anroid phones, but I have two problems I've yet to see an answer for in Apple and Google forums. Hoping someone has tried EAP-TLS with mobile phones here in prod:

1 - How do I get the client cert that is already installed on my iPhone to be a choice for 'identity' when I try signing on to the SSID? The cert came from the same CA as ISE and is in my Profile and Device Management store, but doesn't appear as a choice when I try signing on to that SSID upon hitting the controller.
2 - For the Android, I'm assuming the 'CA Certificate' means server-side certificate? For user certificate there's 'Please Select' but I think it's asking for manual input. What is needed here?

 

Anybody got any experience or links they can lend?

 

Thanks!

ISE 2.4
Cisco 55xx WLC
iPhone IOS 12.3.1
Android Pixel 2 PQ Build

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎07-19-2019 01:57 PM

Point 1 : Apple Configurator 2 lets you configure an EAP-TLS profile with an identity certificate.
Point 2 : CA certificate is your server's certificate issuer's certificate and not the server certificate itself. If its a self signed certificate on the server then both are the same. For user certificate, one will have to choose a cert from existing identity certificates. This i believe is a one time thing for that SSID.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎07-19-2019 01:57 PM

Point 1 : Apple Configurator 2 lets you configure an EAP-TLS profile with an identity certificate.
Point 2 : CA certificate is your server's certificate issuer's certificate and not the server certificate itself. If its a self signed certificate on the server then both are the same. For user certificate, one will have to choose a cert from existing identity certificates. This i believe is a one time thing for that SSID.
0 Helpful

Go to solution
s1nsp4wn
Level 1
Level 1
In response to Surendra

‎07-19-2019 02:00 PM

I actually got somewhere on this earlier.  I already had what I needed trusted, but the problem was iPHone only accepts pfx or p12.  Once I changed format that issue was solved.  I still haven't gotten around to Android yet.  My current problem is that my client cert isn't accepted and is referred to as 'unsupported'.   I did some digging around and found out that 'Key Usage' on the client cert must say either Client Authentication or have all usages enabled.  I'll ask my sysadmin to push a cert out to me from the same CA ISE uses to see if that works.

0 Helpful

Go to solution
andy!doesnt!like!uucp
Spotlight
Spotlight
In response to s1nsp4wn

‎02-04-2020 08:18 AM

Hi 

for the certificate to be pushed on Android  the latter must request for it 1st. I wonder how u (or ur sysadmin) made it.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents