04-02-2019 10:21 AM
Hi,
We recently upgraded an ISE 2.2 patch 11 deployment to 2.4 patch 6.
We also changed the ISE 802.1x, Admin and Portal certificate to a public GoDaddy cert.
We restored the ISE internal CA (using the CLI application configure ISE...), and BYOD is working for most cases.
The issue that was flagged recently is that we are no longer able to onboard iOS devices.
We just tested a Windows 10 and an Apple Mac OS X device and both onboarded successfully.
The Apple iPad is running iOS 12.2. The iPad successfully passes PEAP authentication, downloads and installs the first profile (GoDaddy Root), then downloads a second profile named Profile Service (Cisco Systems) which contains the ISE cert (Verified in green) and its chain (3 certs from GoDaddy) + an Encrypted Profile Service https://ise-fqdn:port/auth/OTAMobileConfig?session-id=....
When installing this profile, the iPad generates a CSR and then fails. The message displayed is: Profile Installation Failed
The Registration Authority's response is invalid.
Has anyone seen a similar issue? Any help would be appreciated.
I opened a TAC case and am waiting for their response.
Thank you,
Patrick
04-02-2019 12:05 PM - edited 04-04-2019 06:46 AM
Please work with the TAC, might be an issue with the GoDaddy certificate and its cross signing.
I had an issue with user trust cert and had to install a different chain. It's a cross signing issue and this will break Apple iOS BYOD. I had to get a different chain from the ssl.com provider for that.
You can look at the iOS cert store and compare it to the chain on ISE and it will show a different signer.
Update from the TAC on this case. Customer is running into the following:
CSCut63262 ISE BYOD Apple iOS does not accept certificate chain with 4 certificates
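An added example, not part of the original posts and not Cisco or Apple code: a Python sketch that counts the certificates in a PEM chain bundle (for instance one exported from ISE) and checks that each issuer name matches the next subject, flagging the four-certificate case named in the CSCut63262 title above. It compares names only and does not verify signatures; the sample chain and its "Example ..." names are constructed, unsigned skeletons.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 5:
        tag, _, stop = _tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version wrapper
            fields.append(der[pos:stop])
        pos = stop
    return fields[2], fields[4]     # serial, sigAlg, ISSUER, validity, SUBJECT

def chain_report(pem_bundle):
    """Count the certs in a PEM bundle and check issuer/subject name chaining."""
    names = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    return {
        "count": len(names),
        "four_or_more": len(names) >= 4,   # the case in the CSCut63262 title
        "ordered": all(a[0] == b[1] for a, b in zip(names, names[1:])),
        "ends_self_signed": bool(names) and names[-1][0] == names[-1][1],
    }

# Constructed sample: unsigned skeleton certificates that carry only names.
def _der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))
def sample_pem(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
CHAIN = [("ise.example.test", "Example Issuing CA"), ("Example Issuing CA", "Example Root G2"),
         ("Example Root G2", "Example Legacy Root"), ("Example Legacy Root", "Example Legacy Root")]
SAMPLE = "".join(sample_pem(s, i) for s, i in CHAIN)
```

Calling `chain_report(open("chain.pem").read())` on a real bundle (the file name is a placeholder) gives the same fields; a chain whose top certificate is not self-signed reports `ends_self_signed` as false.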
04-02-2019 11:39 AM
04-04-2019 12:15 PM
Thank you.
The customer will contact GoDaddy support or just end up generating a different certificate.
Patrick
04-05-2019 07:16 AM
thank you
10-16-2019 07:36 AM
Hi Jason,
We are also hitting the same 4 chain certificate issue for iOS 12.x devices.
We have signed our CSR from SSL.COM but they provide us with a 4 chain certificate.
Any idea how we can get a 3 chain signed cert?
Thanks
MS
10-24-2019 02:38 AM