437 Views, 0 Helpful, 6 Replies

ISE 1.2.1 - Client certificate renewal and expiration

Stephen McBride
Level 1

Hi all,


Has anyone had any luck setting up and getting this functionality working? I have set up the correct authentication and authorisation flows and all works well. My major issue is that it would appear as though Apple iOS devices do not allow you to update the profiles, meaning you have to delete the iOS profile, which in essence means the entire renewal process is pointless.

6 Replies

nspasov
Cisco Employee

It is not possible with Apple devices. Take a look at BRKSEC-3697 Cisco Live session (San Fran 2014). You must manually delete the profile from any Apple devices. 


Thank you for rating helpful posts!

Stephen McBride
Level 1

The release notes say iOS is supported, and the Live session says it is supported after expiration... so what is true? As for deleting the profile: how do you delete the profile which contains the certificate and then log in? That sounds bogus to me, or I am missing something. Also, the slides say you can use the NSP portal; however, the option to do renewal is only available on CWA.


Basically, to my mind, the process for iOS is not functioning as intended and is essentially useless.

nspasov
Cisco Employee

I am sorry I was not clear enough. iOS devices are definitely supported; however, you must manually delete the profile.


Thank you for rating helpful posts!

Stephen McBride
Level 1

I figured as much, but at what point does the user delete the profile? The profile contains the client certificate, therefore if you delete it at the wrong time renewal will not occur; likewise, if you delete the profile and you lose connection, you are now at a point where your device is registered and possibly unable to re-register without admin intervention.

nspasov
Cisco Employee

Deleting the profile will just make the device appear as a brand new BYOD device which needs BYOD on-boarding. The process/experience should not be any different than when the device was first on-boarded. Thus, the user can delete the profile at any time. Obviously there will be no access until the re-on-boarding happens, but again that is not any different than when the device was set up originally. To answer your last question: it really depends on how you set up your policies, but just because the device is registered does not mean that it won't go through the on-boarding process. In addition, if your rules are set up in such a way that the device must NOT be registered for on-boarding to succeed, then the BYOD user(s) can use the My Devices portal to manually delete the iOS device from ISE without the need for admin intervention.

Stephen McBride
Level 1

This explanation flies in the face of the Live session and the release notes, which state that iOS devices can be subject to the cert renewal flow when the cert is expired (not about to expire). Basically your explanation, if correct, confirms what I thought: that this process is useless and pointless for iOS devices despite documentation suggesting otherwise.

Your suggestion of manually deleting devices from portals etc. is all nice, but in large corporate environments it is not going to fly from a usability perspective, especially if you require network comms to hit the portal in the first place or have large numbers of end users. In reality this needs to be as seamless and hands-off as possible; it is hard enough as it is.
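The thread turns on the difference between a client certificate that is "about to expire" (the case the renewal flow is meant to catch before the user loses access) and one that is already expired (the case where, on iOS, the profile has to be deleted and the device re-on-boarded). The script below is an added example, not code from the thread or from Cisco ISE: it loads PEM client certificates, computes the days remaining on each, and sorts them into "valid", "renew" (inside a renewal window) and "expired" so a help desk can tell which devices need attention before they fall off the network. It assumes the `cryptography` Python library; the 14-day window, the device names and the self-signed test certificates are constructed for illustration.

```python
"""Classify BYOD client certificates by time to expiry.

Added example (not from the forum thread or from Cisco ISE). Assumes the
`cryptography` library. The renewal window and the sample certificates
below are constructed test data.
"""
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: start renewal two weeks before the certificate expires.
RENEWAL_WINDOW_DAYS = 14

# Fixed "now" so results are reproducible (constructed; real use: dt.datetime.now(dt.timezone.utc)).
SAMPLE_NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)


def make_test_cert(days_until_expiry: int, now: dt.datetime, cn: str = "byod-test") -> bytes:
    """Build a self-signed certificate (constructed test data) expiring in N days.

    A negative N yields an already-expired certificate. X.509 validity times have
    one-second granularity, so `now` should carry no microseconds.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(days=365))
        .not_valid_after(now + dt.timedelta(days=days_until_expiry))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def not_after_utc(cert: x509.Certificate) -> dt.datetime:
    """Return notAfter as an aware UTC datetime across cryptography versions."""
    aware = getattr(cert, "not_valid_after_utc", None)  # available in cryptography >= 42
    if aware is not None:
        return aware
    return cert.not_valid_after.replace(tzinfo=dt.timezone.utc)  # older versions: naive UTC


def days_remaining(pem: bytes, now: dt.datetime) -> int:
    """Whole days until the certificate expires; negative once it has expired."""
    cert = x509.load_pem_x509_certificate(pem)
    return (not_after_utc(cert) - now).days


def classify(pem: bytes, now: dt.datetime, window: int = RENEWAL_WINDOW_DAYS) -> str:
    """'expired' (re-on-boarding needed), 'renew' (inside the window), or 'valid'."""
    d = days_remaining(pem, now)
    if d < 0:
        return "expired"
    if d <= window:
        return "renew"
    return "valid"


def report(devices: dict[str, bytes], now: dt.datetime) -> dict[str, list[str]]:
    """Group device names by certificate state so each group can be actioned in bulk."""
    groups: dict[str, list[str]] = {"valid": [], "renew": [], "expired": []}
    for device, pem in devices.items():
        groups[classify(pem, now)].append(device)
    return groups


if __name__ == "__main__":
    # Constructed inventory: three devices at different points in the certificate lifetime.
    inventory = {
        "ipad-alice": make_test_cert(120, SAMPLE_NOW, "alice"),
        "iphone-bob": make_test_cert(5, SAMPLE_NOW, "bob"),
        "iphone-carol": make_test_cert(-3, SAMPLE_NOW, "carol"),
    }
    for state, names in report(inventory, SAMPLE_NOW).items():
        print(f"{state:8s} {names}")
```

In practice the PEM bytes would come from the certificate files exported from ISE rather than from `make_test_cert`; the point of the "renew" group is that those users can still reach the portal with a valid certificate, whereas the "expired" group is exactly the set that, per the replies above, will have to delete the profile and go through on-boarding again.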