ISE 1.1 'Change password on next logon' fails on iPhone / iPad

Murnanewb

Hello -

We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server - not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. Has anyone else encountered this? If we uncheck the 'change password' box we can authenticate from iPhones & iPads without any issue but we need to have a way for users to set their own password.

Thanks!

Bill


tbourguillioen

Hi,

I am encountering the exact same issue in our lab environment, but with AD accounts (we would like customers to be able to connect to the dot1x network with their AD credentials, and based on machine authentication they will or will not get restricted access).

Just to be clear: the change password functionality works perfectly on laptops, but on iPad/Android we just cannot connect to the dot1x (PEAP) network when the "change password on next login" checkbox is on.

Anyone else who can shed some light on this?

Thanks

Tom

Tom -

I worked with a Cisco engineer who duplicated the issue and suggested that I open up a TAC case. I did and they replicated the issue and stated that the issue is within the supplicant in Apple's iOS. Basically, the ISE sends a RADIUS change password request and the iOS device drops the session. They opened up a case with Apple through the developers channel and, to my knowledge, nothing has been done.

We also had the issue in Android, Windows Mobile and BlackBerry.

Bill

Thank you for the feedback. Guess we will have to find a workaround then.

Tom