
Wireless client authentication after migrating from ACS to ISE

j0liu001
Level 1

We currently use a Wireless AP-WLC-Cisco ACS/Windows AD model to authenticate corporate wireless users/devices through WLAN. We are planning to retire ACS and replace it with ISE 2.4.

During the preliminary test, we found the end devices are prompted to TRUST the new certs from ISE.

Since we have thousands of end users/devices, is there any way to NOT prompt the users (i.e. make the ACS-to-ISE transition transparent to users, without end users being interrupted or confused)?

Another puzzling issue: when I used the iPhone (iOS 12.1.4) to test the new AP-WLC-ISE setting, I was prompted with the Certificate Trust screen. Even though it's a legit cert issued by Entrust, Apple/iPhone still thinks it's "Not Trusted". Why?

3 Replies

Nidhi
Cisco Employee

Checking with our SME on this. 

Thanks,

Nidhi

ldanny
Cisco Employee

This is normal behavior with ISE, as it uses a self-signed cert.

You would need to have your endpoints add the ISE cert to their trusted list of CAs.

This should also solve your issue with the iPhone.

Hi, Danny:

Actually, the cert is not self-assigned; it was issued by Entrust (please see the attached).

Regarding adding the ISE cert to the endpoints:

For PCs, it's very easy ... pushed via SCCM or GPO.

How do we achieve this for iPhones/Androids? Is MDM the only option?

I think MDM works for company-issued phones; how about BYOD mobile devices?

Thanks a lot!
