
Cisco ISE Certificate Error on iPhone

latenaite2011
Level 4

Does anyone know why the iPhone's certificate is not trusted (see attached image)? There is no error in Cisco ISE's live log but did see a message in ISE under the certificate section saying that this certificate is NOT used to verify the authenticity of client certificate presented to ISE (see attached image also), but that has been fixed and the certificate was pushed via Microsoft Intune.

Thanks in advance! 

 

 

12 Replies

balaji.bandi
Hall of Fame

Is the certificate public CA signed or local PKI?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks Balaji for the quick response.  

It is an internal Microsoft CA server and you can see in the attached iPhone snapshot provided that it has been installed on the iPhone, just the intermediary cert that isn't taken. Does this need to be in FQDN?

 

thanks!

Hi Balaji,

Forgot to include the other snapshot that may be helpful; sorry, forgot to include that earlier.

 

If that is an internal CA, that is expected, or you need to manually upload the root certificate to the devices, so the device can trust your local CA certs.

 

 

BB


rsharp001
Level 1

I only see the iphone-2 photo showing the cert being presented is not trusted, assuming it is because it cannot be verified by the endpoint.

The only way I've had any success with getting my internal CA trusted on an iPhone was by using an MDM to push the CA to the endpoint trust store before attempting to connect to our internal wireless.

 

Robert

Thanks for the reply Robert. Yes, we used Microsoft Intune to push the certificate to the iPhone and you can see the root certificate installed on the iPhone but not the internal CA certificate. The iPhone shows that it is not trusted and with over 1K, it should be trusted automatically (the internal CA certificate has been installed in ISE and it can see it). Just wondering why the iPhone doesn't trust it automatically and had to hit the "Trust" option. It wouldn't be feasible to hit the trust button on every phone. Thanks!

When you say root certificate, do you mean from ISE? Since you're specifying both, I'm assuming the internal CA is your MS PKI and the root is from ISE. If that is the case, which one of them signed the certificate that is presented to the device by ISE? Look in Admin -> Certificates and look for the one being used for EAP authentication, make sure the issued by is indeed the certificate you are pushing with Intune into the trust store.
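
The check suggested in the reply above (confirm that the issuer of the EAP certificate is among the CA certificates pushed by Intune), as an added example that is not from the thread or any participant. It assumes OpenSSL 1.1.0 or later; the function names, file names and subject names are made up, the certificates are constructed on the fly, and the check looks at the pushed set alone, ignoring any intermediates the server may send in the handshake.

```shell
#!/bin/sh
# Added example; every name and certificate below is constructed for the demo.

# issue DIR NAME CN SIGNER IS_CA: make NAME.key/NAME.pem signed by SIGNER
# (SIGNER equal to NAME means self-signed). IS_CA is TRUE or FALSE.
issue() {
  d=$1; name=$2; cn=$3; signer=$4
  printf 'basicConstraints=critical,CA:%s\n' "$5" > "$d/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$signer" = "$name" ]; then
    set -- -signkey "$d/$name.key"
  else
    set -- -CA "$d/$signer.pem" -CAkey "$d/$signer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$name.csr" -days 2 -extfile "$d/$name.ext" \
    "$@" -out "$d/$name.pem" 2>/dev/null
}

# check_eap_trust EAP_CERT PUSHED_CA...: list each pushed CA, flag the one whose
# subject matches the EAP cert's issuer, then verify the EAP cert against the
# pushed CAs only (system trust store disabled). Returns 0 only if it verifies.
check_eap_trust() {
  eap=$1; shift
  want=$(openssl x509 -in "$eap" -noout -issuer_hash) || return 2
  echo "EAP cert $(openssl x509 -in "$eap" -noout -issuer)"
  for ca in "$@"; do
    tag=""
    [ "$(openssl x509 -in "$ca" -noout -subject_hash)" = "$want" ] && tag="  <- issuer"
    echo "pushed   $(openssl x509 -in "$ca" -noout -subject)$tag"
  done
  bundle=$(mktemp) || return 2
  cat "$@" > "$bundle"
  if openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$eap" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$bundle"
  return $rc
}

# Constructed PKI: root -> issuing CA -> EAP server certificate.
demo=$(mktemp -d)
issue "$demo" root "Demo Root CA" root TRUE
issue "$demo" issuing "Demo Issuing CA" root TRUE
issue "$demo" eap "ise.example.internal" issuing FALSE
check_eap_trust "$demo/eap.pem" "$demo/root.pem" \
  && echo "=> trusted" || echo "=> NOT trusted: issuing CA missing from pushed set"
check_eap_trust "$demo/eap.pem" "$demo/root.pem" "$demo/issuing.pem" \
  && echo "=> trusted" || echo "=> NOT trusted"
```

Against a real deployment, `check_eap_trust` would be given the EAP certificate exported from ISE and the CA certificates from the Intune trusted-certificate profiles, all in PEM format.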

 

Hi Rsharp001, thanks for your reply.

The certs are pushed from the CA Server just fine (both the root and the intermediate). I'll check if the certificate used for EAP is the same one as pushed by Intune into the trust store.

Thank you!

rsharp001
Level 1

Hey @latenaite2011 - I'm curious if you were able to get to the bottom of this issue?

Will do thanks Balaji!

No Rsharp001 - still having the same issue.
