Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1008
Views
5
Helpful
7
Replies

ISE 2.4 internal CA issues two certs for each client onboarded

Go to solution
Arne Bier
VIP
VIP

‎10-09-2018 02:59 PM

Hello

 

I was testing Wireless BYOD in my lab ISE 2.4 patch 3 and I noticed that each time I on-boarded my iPhone, ISE issued two certs for the device.  Is this normal?

 

ISE 2 certs.PNG

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-12-2018 04:28 AM

This is by design. The iOS flow utilizes two certificates and the one shown with proper x.509 fields that matches the EAP certificate template is the one the endpoint uses for authentication. It was decided to show both certificates in the ISE UI as both are related to the flow.

View solution in original post

7 Replies 7

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-11-2018 05:57 AM

Arne how many profiles do you have assigned to the endpoint?

 

I am thinking you might have the default profile and another profile for NSP enabled at same time

 
When I have run the secure access wizard I have seen this output displayed since it creates a new NSP but doesn’t delete the old one 
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Kunst

‎10-11-2018 05:58 PM

Hi Jason

 

We definitely only have one profile associated as shown below.  I can't figure out where ISE populates the Issued To "SERIALNUMBER...." stuff. What is that?  I don't know how I would even configure that in ISE because it's not part of the standard certificate profile.

 

 

ISE BYOD weirdness.png

 

 

And this is the cert profile we use in the lab - the Subject is always hard code to include username and all the usual organisational stuff.  I have no option to include a SERIALNUMBER here.  It seems like a bug because ISE should not be creating certs with such a Subject (unless there is a bug in the supplicant provisioning code)

 

ISE cert profile iptel.PNG

 

Preview file
21 KB
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎10-11-2018 06:30 PM

Please open a tac case to investigate
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Kunst

‎10-11-2018 08:56 PM

I'll see if I can get around to that.  It's a lab and I don't have a support contract for ISE.  I was hoping someone in the forum could confirm whether they see the same thing?

I tested with Windows 10 and it's not a problem.  It's an issue with iOS or the iOS onboarding.  iOS 12.0.x

 

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee

‎10-12-2018 04:28 AM

This is by design. The iOS flow utilizes two certificates and the one shown with proper x.509 fields that matches the EAP certificate template is the one the endpoint uses for authentication. It was decided to show both certificates in the ISE UI as both are related to the flow.

Go to solution
Arne Bier
VIP
VIP
In response to howon

‎10-12-2018 06:06 AM

@howon Is this by Apple design? Weird because on the iOS device i can not find the other weird looking cert. Where does it live? I don’t understand what this second cert is used for. 

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to Arne Bier

‎10-12-2018 03:47 PM

Yes, this is by Apple's design. It is not visible from the profile screen but it is required to establish trust and for ISE to be able to push WiFi settings and actual signed certificate for network authentication.

0 Helpful
Customers Also Viewed These Support Documents