ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas
Level 1

Anyone run into issues similar to the below?

Public Certificate bound for HTTPS

Internal AD Certificate Bound for EAP

Issue is the SPW or Native Supplicant will be provisioned with the Root CA of the Public Cert, then SCEP enrolls EAP-TLS with the Internal CA; however, as the client device (iPad/iPhone/Android) doesn't get the Internal Root CA provisioned, it will fail EAP-TLS communication.

Running ISE 1.1.2 patch 2, 2-node cluster

Guest Portal being used for Provisioning if AD credentials are passed

Works a treat if I bind both HTTPS & EAP on the Internal identity certificate (the only issue then is Guests/BYOD devices get Certificate Warnings on the portal).

Cheers

Kam

Tarik Admani
VIP Alumni

Kamran,

Can you tell me where this is failing? I am having a hard time figuring out where you are getting stuck...

Thanks,

Tarik Admani
*Please rate helpful posts*

The process doesn't fail as such for the onboarding/provisioning on the iPhone; however, when entering domain credentials to the guest portal, which initiates the onboarding/provisioning process, I notice the root CA certificate prompted to be installed on the iPhone is that of the public certificate instead of the internal root CA. The rest of the user certificate and SCEP process completes properly; however, as the root CA for the internal CA wasn't installed, I get warnings when connecting to our dot1x EAP-TLS SSID.

On other devices this process fails, which I can only assume is down to the lack of the internal root CA cert.

So as per the above, I'm pretty much following this (differentiated access via certificates):

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf

However, my setup is slightly different, as the EAP & HTTPS identity certificate is not the internal one; I have installed a public cert for HTTPS to remove certificate warnings on the guest portal (as BYOD devices and guests will only have non-domain machines, thus a public cert removes the certificate warnings).

Does that clarify any more?

Cheers

Kam

Kamran,

That is correct, when you authenticate to the guest portal you are using the https interface to pass your credentials not eap.

In your case this does look like a bug, since most documented use cases show a single HTTPS certificate being used for both EAP and HTTPS interfaces. However, if you try to onboard the devices using PEAP, do you get the proper certificate installed and does the error go away (my assumption is yes)?

Also, you may want to open a TAC case and forward your findings over to them, since you would expect that when provisioning, the supplicant should allow the user to install the EAP certificate, or even yet set the supplicant to trust the certificate of the EAP interface in the profile.

I did a search for an open bug and could not track one; I also checked the documentation and it doesn't state this as being a limitation...

Please post back your results if/when you get a response from TAC.

Thanks,

Tarik Admani
*Please rate helpful posts*

Onboarding with PEAP works, but again the Public Certificate Root CA is delivered to the "onboarding/provisioning" device rather than the local CA (which has EAP "enabled"), and as PEAP only needs the server-side cert to work, this works (providing "trust for TLS" is ticked on the Public Root Cert).

Ideally I would love the EAP-TLS solution, as this near enough provides a zero-touch solution for the clients, but it needs to work via the provisioning methods, else it's unmanageable for BYOD devices; if you use the local CA certificate your guests will get a cert warning.

I'm not sure how people have got onboarding working with both public and local certs?

BTW, I have logged a TAC call; let's see what they come back with. Will update this thread if I get anything.

Cheers

Kam

Update: Cisco TAC can also replicate this issue in their lab; they have escalated to developers to confirm the bug.

Meanwhile I'm using PEAP-MSCHAPv2 with the public certificate.

Update 2: Cisco have filed a new bug / feature enhancement request:

After discussions with developers, I have filed a new bug:

CSCue08551 - ISE Native Supplicant Provisioning doesn't include CA Cert for EAP-TLS

Symptom:

ISE Client Provisioning (NSP) installs only the HTTPS certificate, which causes EAP-TLS authentication to fail.

Conditions:

EAP and HTTPS functions on ISE use a different certificate.

Workaround:

Use the same certificate for HTTPS and EAP.

This will be treated as an enhancement, as the HTTPS root needs to be included since it's always used to establish the connection between the Wizard and ISE for SCEP requests. Also, different ISE Policy nodes might have a certificate signed by a different CA. The fix would be to have an option on the NSP Profile to push additional CA certificates.

Hope this helps someone

Cheers

Kam
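To make the failure mode in CSCue08551 concrete, here is an added example (not from this thread or from Cisco) that models the provisioning flow with Python's `cryptography` library: two constructed root CAs, an HTTPS identity cert issued by the public one, an EAP identity cert issued by the internal one, and a supplicant-style check of whether the EAP server cert chains to what NSP pushed. The CA names and `ise.example.com` are assumptions; `extra_cas_pushed` stands in for the proposed "push additional CA certificates" enhancement.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn=None, issuer_key=None, ca=False):
    """Issue an X.509 cert for `key`; a self-signed root when no issuer is given."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(_name(issuer_cn or cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())

def server_cert_trusted(server_cert, trust_store):
    """Supplicant-style check: the EAP server cert must be signed by a CA in the trust store."""
    for root in trust_store:
        if root.subject != server_cert.issuer:
            continue
        try:
            root.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                     ec.ECDSA(server_cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            pass
    return False

def simulate_nsp(split_certs, extra_cas_pushed=False):
    """Model the NSP behaviour from CSCue08551; return whether EAP-TLS server validation passes."""
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in ("public", "internal", "ise")}
    public_ca = make_cert("Public Root CA", keys["public"], ca=True)          # constructed CA
    internal_ca = make_cert("Internal AD Root CA", keys["internal"], ca=True)  # constructed CA
    https_cert = make_cert("ise.example.com", keys["ise"], "Public Root CA", keys["public"])
    eap_cert = (make_cert("ise.example.com", keys["ise"], "Internal AD Root CA", keys["internal"])
                if split_certs else https_cert)  # workaround: one cert for both roles
    # Bug: NSP pushes only the root of the HTTPS cert it used for the wizard/SCEP session.
    trust_store = [ca for ca in (public_ca, internal_ca) if ca.subject == https_cert.issuer]
    if extra_cas_pushed:  # hypothetical enhancement: NSP profile pushes additional CA certs
        trust_store.append(internal_ca)
    return server_cert_trusted(eap_cert, trust_store)
```

`simulate_nsp(True)` reproduces the failure (public root pushed, EAP cert from the internal CA), while `simulate_nsp(False)` is the "same certificate for HTTPS and EAP" workaround.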

Thanks for following up on this, please mark this thread as resolved.

Tarik Admani
*Please rate helpful posts*