10-08-2013 11:23 AM - edited 07-04-2021 01:02 AM
Hi,
After the users upgrade their iPhone to iOS 7, it is asking to accept the certificate multiple times a day. For some iOS 7 users, it asks about 10 times a day to accept the certificate to join the wireless network. The users are frustrated about the process to use the WiFi network. However, it does not do that in iOS 6.
The environment:
Cisco 5508 - 7.4.100.60
WPA2 Enterprise - Microsoft IAS
I searched the web and didn't find anything related to the issue.
I want to check the forum and see if anyone has the same issue.
12-23-2014 06:17 AM
I'm having the same issue. I'm on WLC version 7.6.100.0 and have had this problem since the betas of iOS 8. Android users don't have the problem and I don't really have any iOS users reporting the issue too often, but I certainly have the issue daily on my iPhone 6. I don't recall ever having the issue on my iPad Mini running iOS 8 as well. I only have one RADIUS server and it's Microsoft Server 2003 R2. So there should only be one certificate in question. I've removed the wireless settings and added them back, rebooted, turned off WiFi and back on, etc. I haven't tried wiping the phone yet, but don't really want to do that although that may be the solution. Any help would be greatly appreciated.
11-23-2017 04:28 AM
We also ran into this issue with Apple devices and a Cisco wireless LAN with a recent version of the WLC software 8.3.x together with Cisco ISE 2.3.x (2 PAN nodes via an external load balancer). It seems that during the day the client is redirected to the other ISE node, which starts a new EAP session and shows a certificate popup for the connected ISE node.
You could add another RADIUS accounting/authentication configuration on the load balancer for the wireless part where the primary ISE node is always the preferred one (active/passive). Configure the WLC to use this new configuration; the existing/other devices can continue to use the original load-balanced configuration.
11-25-2017 03:29 PM - edited 11-25-2017 03:30 PM
You should use the same certificate on all ISE nodes that perform EAP authentication to prevent this from happening.
Keep in mind that wildcard certificates are not supported for EAP authentication on Microsoft endpoints; because of this, all FQDNs of the ISE nodes should be included in the cert as SANs. Using the wildcard as a SAN is supported as well.
Please rate useful posts... :-)
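
A check for the advice in the last reply, as an added example that is not part of any post in this thread: given the certificate each ISE node presents for EAP, it reports nodes that present different certificates, SAN lists that miss a node FQDN, and a wildcard in the subject CN (assumed here to be the case Microsoft endpoints reject). The `EapCert` fields, host names and fingerprints are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EapCert:
    """Fields read from a node's exported EAP certificate (hypothetical shape)."""
    sha256: str        # certificate fingerprint
    subject_cn: str    # subject common name
    dns_sans: tuple    # dNSName entries from subjectAltName


def san_covers(san: str, fqdn: str) -> bool:
    """Exact match, or a wildcard SAN standing in for exactly one left-most label."""
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*."):
        head, _, rest = fqdn.partition(".")
        return bool(head) and rest == san[2:]
    return san == fqdn


def audit(nodes: dict) -> list:
    """Return findings for a {node_fqdn: EapCert} mapping; an empty list means OK."""
    findings = []
    if len({cert.sha256 for cert in nodes.values()}) > 1:
        findings.append("nodes present different EAP certificates")
    for fqdn, cert in nodes.items():
        # Assumption: a wildcard in the subject CN is what Microsoft supplicants reject.
        if "*" in cert.subject_cn:
            findings.append(f"{fqdn}: wildcard in subject CN")
        missing = sorted(n for n in nodes
                         if not any(san_covers(s, n) for s in cert.dns_sans))
        if missing:
            findings.append(f"{fqdn}: SANs do not cover {', '.join(missing)}")
    return findings


# Constructed sample data: two hypothetical ISE nodes.
SHARED = EapCert("aa11", "ise.example.net", ("ise1.example.net", "ise2.example.net"))
PER_NODE = {
    "ise1.example.net": EapCert("aa11", "ise1.example.net", ("ise1.example.net",)),
    "ise2.example.net": EapCert("bb22", "ise2.example.net", ("ise2.example.net",)),
}
GOOD = {"ise1.example.net": SHARED, "ise2.example.net": SHARED}

if __name__ == "__main__":
    for name, fleet in (("per-node certs", PER_NODE), ("shared cert", GOOD)):
        print(name, "->", audit(fleet) or "OK")
```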