Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1230
Views
0
Helpful
4
Replies

BYOD doubled certificate issued by CISCO ISE

Go to solution
piotrPaszk
Level 1
Level 1

‎08-08-2019 01:25 PM - edited ‎08-09-2019 12:55 AM

Hello,

 

I am facing a challenge. Ones I am done with omboarding process via BYOD, Cisco ISE issues 2 certificates. One based on certificate template and second with SERIALNUMBER. This becomes to be a problem when I want to connect a device to the SSID with EAP-TLS as I must choose one of those. I would like to avoid such situation and get device to connect to the SSID automatically.

 

Please see the attached picture

 

Preview file
10 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎08-09-2019 02:35 PM

That is expected for the iOS devices. But, ISE BYOD flow will pick the correct certificate to use during the onboarding process for supplicant configuration. However, there is a defect filed against it since both certificate could be used for authentication manually by user. I suggest filing a TAC SR and referencing CSCvn04298 (iOS onboarding creates two certificates with different valid date). The defect is not visible to the public.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎08-09-2019 05:32 AM

Are you using NAM or native supplicant on your end nodes? I know with NAM via the NAM profile editor you can match on certificate criteria such as issuer or subject fields. This may give you the ability to automatically utilize the one specific certificate that you wish to use with eap-tls.
0 Helpful

Go to solution
piotrPaszk
Level 1
Level 1
In response to Mike.Cifelli

‎08-10-2019 11:31 AM

I am using native supplicant

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee

‎08-09-2019 02:35 PM

That is expected for the iOS devices. But, ISE BYOD flow will pick the correct certificate to use during the onboarding process for supplicant configuration. However, there is a defect filed against it since both certificate could be used for authentication manually by user. I suggest filing a TAC SR and referencing CSCvn04298 (iOS onboarding creates two certificates with different valid date). The defect is not visible to the public.

0 Helpful

Go to solution
piotrPaszk
Level 1
Level 1
In response to howon

‎08-10-2019 11:32 AM

Thanks for the tips :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents