Update: Cisco TAC can also replicate this issue in their lab, they have escalated to developers to confirm bug Meanwhile I'm using peap mschapv2 with the public certificate ... View more

onboarding with PEAP works but again the Public Certificate Root CA is delivered to the "onboarding/provisioning" device rather than the local CA (which has EAP "enabled"), and as PEAP only needs server side Cert to work, this works (providing the "trust for TLS" is ticked on Public ROOT Cert) ideally i would love the EAP-TLS solution as this near enough provides a zero-touch solution for the clients, but  needs to work via the provisioning methods else its unmanageble for BYOD devices, if you use local CA certificate your guests will get a Cert warning, I'm not sure how people have got both onboarding working with both public and local Certs? BTW i have logged a TAC call, lets see what they come back with, will update this thread if i get anything Cheers kam ... View more

the process doesnt fail as such for the onboarding/provisioning on the iphone, however the when entering domain credentials to the guest portal which intiates the onboarding/provisioning process, i notice the root CA certificate is prompted to be installed on the iphone is that of the public certificate instead of the internal root CA, the rest of the user certificate and scep process properly completes however as the root CA for the internal CA wasnt installed i get warnings when connect to our dot1x eap-tls SSID. On other devices this process fails which i can only assume is down to the lack of internal root CA cert so as per the above im pretty much following this (differentiated access via certificates) : http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf however my setup is slighlty different as the EAP & HTTPS indentity certificate is not the internal, i have installed a public cert for HTTPS to remove certificate warnings on guest portal (as BYOD devices and guests will only have non-domain machines thus a public cert removes the certificate warnings) does that clarify anymore? Cheers Kam ... View more