iPhone not trusting certificate pushed by Intune for ISE Authentication

latenaite2011
Level 4

Does anyone know why the iPhone doesn't trust the CA trust certificate pushed by Intune (while it works fine if it is added manually)?

We're getting "12521 EAP-TLS failed SSL/TLS handshake after a client alert" in Cisco ISE as a misconfigured supplicant, and there is no RADIUS Live Log entry because the iPhone never successfully completes the TLS handshake.

Other debug errors:

SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify.(null):0 error:00000000:lib(0):func(0):reason(0) [error=0 lib=0 func=0 reason=0]"

Does anyone have any suggestions for this?

8 Replies

ammahend
VIP

Not clear on the question, can you clarify?

Who issued the cert to the iPhone?

Who issued the cert for EAP authentication to ISE?

Is the root certificate chain for the CA issuing the certificate to the iPhone installed in the ISE trusted certificate store?

Is the root certificate chain for the CA issuing the certificate to ISE installed in the iPhone trusted certificate store?

-hope this helps-

Thanks Ammahend for the quick reply. See my responses inline:

Who issued the cert to the iPhone? Microsoft internal CA server, and they used a Wi-Fi profile created in Intune to push the profile to the iPhone.

Who issued the cert for EAP authentication to ISE? Microsoft internal CA server.

Is the root certificate chain for the CA issuing the certificate to the iPhone installed in the ISE trusted certificate store? Yes, pushed via the Wi-Fi profile via Intune.

Is the root certificate chain for the CA issuing the certificate to ISE installed in the iPhone trusted certificate store? Yes, pushed via the Wi-Fi profile via Intune.

After pushing the client certificate + root certificate + EAP-TLS network profile, are you able to verify it's pushed properly on the iPhone under General > Profile, and that it looks the same as when pushed manually?

-hope this helps-

jdomin01sa
Level 1

We are also seeing the same problem as described above. We have an Intune MDM deployment. All trusted certificates from the internal PKI infrastructure appear in the device's system trusted keychain, and the certificate for the device is issued via SCEP successfully under "General\Profile\Management Profile\Certificates". When the device attempts to connect to the 802.1X-enabled SSID, the device immediately shows that the ISE server certificate is NOT trusted, but the issuing certificate authority and root for the ISE servers' certificates exist within the device keychain's system trusted root store. Has anyone seen this behavior, and how did you overcome the issue so that the wireless device can join the SSID without user intervention and manually trusting the certificate from the ISE server? Any help on this is appreciated.

Are all the certs in the trusted section of the Wi-Fi config in Intune?

Yes, we figured out the issue just a few minutes ago. Within Intune you can specify which servers to trust as "Certificate Server Names". In this section we added "*.domainname.com" inside the Wi-Fi profile for Intune that gets pushed down to the Apple devices, and that resolved the issue. Thank you for reaching out.

So you kept the names for your ISE nodes and added *.domain.com as an additional row?
But the names of your ISE nodes are also added as FQDNs?

Within the Intune MDM profile settings, we added the trusted domain to be "*.domainname.<suffix>". That did the trick. As to your other question about adding the ISE nodes with their FQDN, we tested adding all the ISE PSN nodes as trusted, but that did not resolve the certificate-trust prompting issues we were seeing on the iOS devices. I hope this helps?
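A pre-push check, added here as an example (not code from the thread or from Intune): given the names on the ISE PSN EAP certificates and the "Certificate Server Names" entries you intend to put in the Intune Wi-Fi profile, it reports which certificate names are covered. The matching rule is an assumption (case-insensitive exact match, or a leading "*." wildcard covering exactly one DNS label); confirm it against Apple's documented behaviour for your iOS version before relying on it, and the host names below are constructed samples.

```python
from typing import Dict, List, Optional

def name_matches(pattern: str, name: str) -> bool:
    """Assumed rule: exact match, or '*.' covering a single left-most label.
    '*.corp.example.com' matches 'ise-psn1.corp.example.com' but not
    'corp.example.com' and not 'a.b.corp.example.com'."""
    pattern = pattern.strip().lower().rstrip(".")
    name = name.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".corp.example.com"
        if not name.endswith(suffix):
            return False
        label = name[: -len(suffix)]              # the part the '*' must cover
        return bool(label) and "." not in label
    return pattern == name

def coverage(trusted: List[str], cert_names: List[str]) -> Dict[str, Optional[str]]:
    """Map each certificate name (CN/SAN) to the first trusted entry that
    covers it, or None when nothing in the profile would match it."""
    result: Dict[str, Optional[str]] = {}
    for cert_name in cert_names:
        result[cert_name] = next(
            (t for t in trusted if name_matches(t, cert_name)), None)
    return result

def uncovered(trusted: List[str], cert_names: List[str]) -> List[str]:
    """Certificate names that no trusted entry covers: these are the PSNs
    whose EAP certificate the supplicant would not accept silently."""
    return [n for n, hit in coverage(trusted, cert_names).items() if hit is None]

# Constructed sample data: two PSN EAP certificate names and two profile variants.
ISE_PSN_CERT_NAMES = ["ise-psn1.corp.example.com", "ise-psn2.corp.example.com"]
PROFILE_WILDCARD = ["*.corp.example.com"]
PROFILE_PARTIAL = ["ise-psn1.corp.example.com"]   # only one node listed

if __name__ == "__main__":
    for label, trusted in (("wildcard", PROFILE_WILDCARD), ("partial", PROFILE_PARTIAL)):
        missing = uncovered(trusted, ISE_PSN_CERT_NAMES)
        print(f"{label}: uncovered = {missing or 'none'}")
```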