Cisco ISE: BYOD fails on MacOS with SSL error

Following the upgrade from ISE 2.1 to 2.3, the BYOD process for macOS stopped working with the error “The request timed out”.

It was working prior to the upgrade, and the rest of the endpoints (Windows, iOS, and Android) completed BYOD successfully. I could not find much useful information in the ISE debug logs, so I checked the system.log file on the Mac and found errors related to the SSL handshake (more troubleshooting tips can be found here).

This gave me the idea that something had changed since version 2.1, and with a little help I found the guide “ISE posture style comparison for pre and post 2.2”, which lists this important consideration:

  • To avoid certificate warning both portal and admin certificates has to be trusted on the client side.

Starting with version 2.2, the Admin usage certificate should be signed by a trusted root in order to successfully complete the BYOD process.

As an immediate workaround, you can instruct your BYOD users to trust the root certificate. It can be found in Keychain on macOS and set to Always Trust.

For a permanent solution, Admin usage has to be assigned to a certificate signed by a trusted public root authority. If you have Guest Flow implemented, then most likely you already have a public certificate in place that can be used. This action will restart ISE services, so plan the change and allow enough time for services to restore. I tested it with a publicly signed wildcard certificate and BYOD completed successfully.
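To confirm before retesting BYOD that both the Admin and portal certificates validate for a strict client, a check like the following can be run from a workstation; it is an added example, not from the original post or from Cisco. The ports (443 for Admin, 8443 for the portal) and the host name passed on the command line are assumptions, and because Python may not read the macOS keychain, pass `cafile` with the roots your endpoints actually trust if they differ from the system bundle.

```python
import socket
import ssl
import sys

# OpenSSL verification codes, translated into what they mean for a BYOD client.
VERIFY_HINTS = {
    10: "certificate expired",
    18: "self-signed certificate, not anchored in the trust store",
    19: "chain ends in a root the client does not trust",
    20: "issuer not found in the trust store",
    21: "server did not send its intermediate certificates",
    62: "certificate name does not match the host",
}

# Assumed listener ports (not stated in the post): Admin GUI and BYOD portal.
LISTENERS = {"admin": 443, "portal": 8443}


def explain(code):
    """Map an OpenSSL verify code to a short diagnosis."""
    return VERIFY_HINTS.get(code, f"verification failed (OpenSSL code {code})")


def check_listener(host, port, cafile=None, timeout=5.0):
    """Handshake as a strict client; return (status, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "trusted", issuer.get("commonName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", explain(exc.verify_code)
    except OSError as exc:  # refused, timed out, or not a TLS listener
        return "error", str(exc)


def check_ise(host, listeners=LISTENERS, cafile=None, timeout=5.0):
    """Check every listener; BYOD needs all of them to come back 'trusted'."""
    return {role: check_listener(host, port, cafile, timeout)
            for role, port in listeners.items()}


if __name__ == "__main__":
    # Usage: python check_ise_certs.py <ise-hostname>
    for role, (status, detail) in check_ise(sys.argv[1]).items():
        print(f"{role:7} {status:10} {detail}")
```

An `untrusted` result on the admin row while the portal row is `trusted` matches the situation described above, where only the Admin usage certificate was not signed by a trusted root.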

