
ISE 2.7 with Apple iPhone Connection Timeouts

rsharp001
Level 1

Hi all -

I wanted to share a situation and see if anyone had thoughts or experienced the same.

 

We are experiencing authentication timeouts when iPhones running 14.5 (more on this in a moment) or above attempt to join the wireless. The supplicant goes through the process a few times before failing; ISE shows the endpoint timing out the connection. We are not experiencing this with Android or laptops.

 

In testing with TAC I stood up a separate SSID and tied a new install of ISE to it. I adjusted our EAP certificate life down from 10 years to 1, 2, and 5 years because this was the only real thing TAC could point to, although there was also no smoking gun that it was a certificate issue with the iPhone. They have combed through debug logs from the WLC and ISE.

 

What we found during testing, no matter what the certificate or ISE install, is:

- Associate to the SSID

- Prompted for username/password

- Presented with the certificate

   - If the user clicks Trust instantly, the connection will fail with a generic error on the phone; ISE shows the endpoint constantly resetting the connection and eventually timing out (error 12934, supplicant stopped responding to ISE during PEAP tunnel establishment)

   - If the user waits 30 seconds and then trusts the certificate, the phone will connect

- We tested with iPads/iPhones on versions 12 and 13.5 and they worked without the workaround; when using version 14.4 and above we have to utilize the workaround.

 

I want to test with a certificate signed by a trusted authority but haven't taken the steps to pursue this yet.

 

Thank you for reading!

 

Robert

1 Accepted Solution


lrojaslo
Cisco Employee

This issue seems particularly odd; however, I probably won't focus on the ISE side but on Wireless/Supplicant troubleshooting.

 

If this works fine on previous versions, I don't think that changing certificate stuff might help somehow based on the tests performed so far; also, the workaround doesn't seem to point to a certificate issue. Anyway, I previously saw a behavior on a recent iOS version that required manual install of the certificates (even when a Public CA was used), so you can give it a try.

 

Every time new versions (iOS and Android) come out, some issues start showing up.

 

If you still have a TAC case, make sure Wireless resources are engaged and also try to work closely with Apple support.


2 Replies

Our devices that are already registered to our MDM solution do not have this issue as they have the root certificate loaded. Currently we do not onboard in a way that could bypass this issue; we may have to edit policy and pursue it.

 

The concern comes from devices that are not yet registered or from BYOD instances. It seems like I have the best answer I am going to get, as this is not really a Cisco issue but an Apple issue. I have reached out to their support but didn't get past level 1.

 

TAC has been looking at the logs from the WLC and ISE side and is seeing the same. I have not yet updated them on what we have discovered with further testing.

 

Robert