
ISE Behaviour on SSL Certificate Renewal

cklourdu
Cisco Employee

Hi team, I would like to check on the following:

If the SSL certs for the ISE HTTPS web server are renewed, will this require manually onboarding the certs to user devices (non-Windows devices)?

We have seen behaviour where Android & Apple devices require manually onboarding the cert.

This is not the case for Windows users. With Windows, the new cert is automatically downloaded / onboarded on the Windows device.

Is this behaviour expected? And if so, is there any particular reason why this only affects non-Windows devices?

 

Running ISE SNS-3415 (Release 2.4)

 

BR,
CA

Accepted Solutions

hslai
Cisco Employee

This is more client-side behavior than behavior on ISE.

Assuming ISE is using the same self-signed certificate for all the different usages (admin, EAP, etc.), Apple configuration profiles are signed by this ISE certificate, and Apple clients will deem it invalid if the signing certificate has changed. On Android, the recent Android OS will validate the EAP server against the certificate installed and configured for the Wi-Fi profile.

Windows OS is not as strict, AFAIK.
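
The client-side check described in the answer above, as an added example that is not part of the original thread: a client that trusts only the self-signed certificate it was onboarded with accepts that certificate and rejects a renewed one with the same name. The hostname `ise.example.test`, the function names and both certificates are constructed for the demo, and `openssl verify` stands in for the client's own validation.

```shell
#!/bin/sh
# Added illustration (not from the thread): models a client that trusts
# only the certificate it was onboarded with. openssl is a stand-in for
# the client's validation; all names and certificates are constructed.

# make_self_signed PREFIX CN: write PREFIX.key and PREFIX.pem (self-signed).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# trusted_by ANCHOR CERT: succeed only if CERT validates when ANCHOR is
# the trust anchor the client was given at onboarding.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint CERT: print the SHA-256 fingerprint of CERT.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Generate an "old" and a "renewed" certificate for the same name and
# report how a client pinned to the old one treats each of them.
renewal_demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/old" "ise.example.test"   # onboarded on clients
    make_self_signed "$dir/new" "ise.example.test"   # renewal: new key pair
    for c in old new; do
        if trusted_by "$dir/old.pem" "$dir/$c.pem"; then
            verdict=accepted
        else
            verdict=rejected
        fi
        echo "$c cert $(fingerprint "$dir/$c.pem"): $verdict by pinned client"
    done
    rm -rf "$dir"
}

renewal_demo
```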

 
