03-20-2019 09:06 AM
We currently use a Wireless AP-WLC-Cisco ACS/Windows AD model to authenticate corporate wireless users/devices through WLAN. We are planning to retire ACS and replace it with ISE 2.4.
During the preliminary test, we found the end devices are prompted to TRUST the new certs from ISE.
Since we have thousands of end users/devices, is there any way to NOT prompt the users (i.e. make the ACS-to-ISE transition transparent to users, without end users being interrupted or confused)?
Another puzzling issue: when I used the iPhone (iOS 12.1.4) to test the new AP-WLC-ISE setting, I was prompted with the Certificate Trust screen. Even though it's a legit cert issued by Entrust, Apple/iPhone still thinks it's "Not Trusted". Why?
03-20-2019 09:33 PM
Checking with our SME on this.
Thanks,
Nidhi
03-21-2019 01:11 AM
This is normal behavior with ISE as it uses a self-signed cert.
You would need to have your endpoints add the ISE cert to their trusted lists of CAs.
This should also solve your issue with the iPhone.
03-21-2019 09:32 AM
Hi, Danny:
Actually, the cert is not self-assigned; it was issued by Entrust (please see the attached).
Regarding adding the ISE cert to the endpoint:
For PCs, it's very easy ... pushed via SCCM or GPO.
How do we achieve this for iPhones/Androids? Is MDM the only option?
I think MDM works for company-issued phones. How about BYOD mobile devices?
Thanks a lot!