
Cisco Bug: CSCuo41231 - ISE: scep-proxy for BYOD not supported with CA different then EAP CA

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.2(0.907)

Description (partial)

Symptom:
For ISE with BYOD provisioning for EAP-TLS, the SCEP proxy process fails in the following scenario:

  • ISE uses an identity certificate for EAP that is signed by CA1.
  • ISE uses a SCEP proxy certificate signed by a different CA (CA2).
  • ISE trusts both CA1 and CA2.
  • The Windows 7 supplicant initially trusts neither CA; onboarding is meant to make it trust both CA1 and CA2. When the Network Setup Assistant runs on the supplicant, it fails with the error:

[HTTPConnection] InternetOpen() failed with code: [12045]

(because the supplicant has accepted only CA1, while the SCEP session is signed by CA2).

On ISE we see that the SCEP proxy session has been terminated by the supplicant:

2014-04-22 12:17:40,024 WARN   [portal-http-844336][] cisco.cpm.provisioning.cert.CertProvisioningFactory -:::::- Error in processing certifcate enrollment request
java.io.IOException: java.util.concurrent.ExecutionException: java.io.IOException: Remotely Closed [id: 0x3d844f2f]
        at org.jscep.transport.AsyncGetTransport.sendRequest(AsyncGetTransport.java:77)

For the Apple iPad we do not have that problem: the iPad accepts both CAs (each needs to be confirmed) and puts them correctly into the profile.

Conditions:
ISE BYOD with the SCEP proxy certificate signed by a different CA than the ISE EAP certificate. The problem occurs only for Windows; the iPad works fine.
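Reproducing the trust mismatch outside ISE, as an added example that is not Cisco's code and not part of the bug record: the script below builds two independent CAs with openssl (the names CA1 and CA2 follow the description; the hostnames are constructed), issues an EAP identity certificate from CA1 and a SCEP proxy certificate from CA2, and then checks each leaf against a trust bundle the way a supplicant that trusts only CA1 would. The SCEP certificate fails verification until CA2 is added to the bundle, which is the condition behind the supplicant-side error 12045 (WinINet's ERROR_INTERNET_INVALID_CA).

```shell
#!/bin/sh
# Added example, not Cisco's code: model the BYOD trust mismatch with openssl.
# Requires the openssl command-line tool; all names below are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two independent self-signed CAs, mirroring CA1 (EAP) and CA2 (SCEP proxy).
for ca in CA1 CA2; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$ca.key" -out "$ca.pem" -subj "/CN=$ca" >/dev/null 2>&1
done

# issue_leaf <name> <CN> <issuing CA>: create a key, a CSR and a CA-signed leaf cert.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 1 -out "$1.pem" >/dev/null 2>&1
}
issue_leaf eap  ise-eap.example.test  CA1   # EAP identity cert, signed by CA1
issue_leaf scep ise-scep.example.test CA2   # SCEP proxy cert, signed by CA2

# verify_chain <leaf> <trusted CA pem>...: exit 0 if the leaf chains to one of the
# given CAs, non-zero otherwise. This is the check a supplicant performs before it
# accepts the SCEP proxy's TLS certificate.
verify_chain() {
  leaf="$1"; shift
  cat "$@" > trust.pem
  openssl verify -CAfile trust.pem "$leaf.pem" >/dev/null 2>&1
}

# Stand-alone demonstration of the three cases from the bug description.
if verify_chain eap CA1.pem; then
  echo "EAP cert: accepted with CA1 only (expected)"
fi
if verify_chain scep CA1.pem; then
  echo "SCEP cert: accepted with CA1 only (unexpected)"
else
  echo "SCEP cert: rejected with CA1 only (the Windows 7 failure in this bug)"
fi
if verify_chain scep CA1.pem CA2.pem; then
  echo "SCEP cert: accepted once CA2 is also trusted (the iPad behaviour)"
fi
```

The `verify_chain` step is the one to run against the real ISE SCEP proxy certificate, using only the CA certificates that the BYOD profile actually pushes to endpoints, to confirm before rollout that the SCEP endpoint chains to something the supplicant will trust.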