05-26-2021 12:28 PM
Hi all -
I wanted to share a situation and see if anyone had thoughts or experienced the same.
We are experiencing authentication timeouts when iPhones running 14.5, more on this in a moment, or above attempt to join the wireless. The supplicant goes through the process a few times before failing; ISE shows the endpoint timing out the connection. We are not experiencing this with Android or laptops.
In testing with TAC I stood up a separate SSID and tied a new install of ISE to it. I adjusted our EAP certificate life down from 10 years to 1, 2, and 5 years because this was the only real thing TAC could point to, although there was also no smoking gun that it was a certificate issue with the iPhone. They have combed through debug logs from the WLC and ISE.
What we found during testing, no matter what the certificate or ISE install, is:
- Associate to the SSID
- Prompted for username/password
- Presented with the certificate
- If the user clicks trust instantly, the connection will fail with a generic error on the phone; ISE shows the endpoint constantly resetting the connection and eventually timing out (error 12934 supplicant stopped responding to ISE during PEAP tunnel establishment)
- If the user waits 30 seconds and then trusts the certificate, the phone will connect
- We tested with iPads/iPhones version 12 and 13.5; they worked without the workaround. When using version 14.4 and above we have to utilize the workaround.
I want to test with a certificate signed by a trusted authority but haven't taken the steps to pursue this yet.
Thank you for reading!
Robert
05-26-2021 02:50 PM
This issue seems particularly odd, however, I probably won't focus on ISE side but Wireless/Supplicant tshoot.
If this works fine on previous versions, I don't think that changing certificate stuff might help somehow based on the tests performed so far; also, the workaround doesn't seem to point to a certificate issue. Anyways, I saw previously a behavior on a recent iOS version that required manual install of the certificates (even when a Public CA was used), so you can give it a try.
Every time new versions (iOS and Android) come out, some issues start showing up.
If you still have a TAC case, make sure Wireless resources are engaged and also try to work closely with Apple support.
05-27-2021 12:42 PM
Our devices that are already registered to our MDM solution do not have this issue as they have the root certificate loaded. Currently we do not onboard in a way that could bypass this issue, we may have to edit policy and pursue it.
The concern comes from devices that are not yet registered or from BYOD instances - seems like I have the best answer I am going to get as this is not really a Cisco issue but an Apple issue. I have reached out to their support but didn't get past level 1.
TAC has been looking at the logs from the WLC and ISE side and are seeing the same, I have not yet updated them on what we have discovered with further testing.
Robert