Cisco Bug: CSCuo41231 - ISE: scep-proxy for BYOD not supported with CA different than EAP CA
Nov 07, 2016
- Cisco Identity Services Engine
Known Affected Releases
Symptom: For ISE with BYOD provisioning for EAP-TLS, the SCEP proxy process fails in the following scenario:
- ISE uses an identity certificate for EAP that is signed by CA1.
- ISE uses a SCEP proxy signed by a different CA (CA2).
- ISE trusts both CA1 and CA2.
- The Windows 7 supplicant does not trust any CA; onboarding is meant to make it trust both CA1 and CA2.

When Network Setup Assistant is used on the supplicant, it fails with the error:

[HTTPConnection] InternetOpen() failed with code:

(because it has accepted only CA1, while the SCEP session is signed by CA2).

On ISE, the log shows that the SCEP proxy has been terminated by the supplicant:

2014-04-22 12:17:40,024 WARN [portal-http-844336] cisco.cpm.provisioning.cert.CertProvisioningFactory -:::::- Error in processing certifcate enrollment request
java.io.IOException: java.util.concurrent.ExecutionException: java.io.IOException: Remotely Closed [id: 0x3d844f2f]
    at org.jscep.transport.AsyncGetTransport.sendRequest(AsyncGetTransport.java:77)

The Apple iPad does not have this problem: it accepts both CAs (each needs to be confirmed) and puts them correctly into the profile.

Conditions: ISE BYOD with the SCEP proxy signed by a different CA than the ISE EAP certificate. The problem occurs only on Windows; the iPad works fine.