Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Android, Ipad authentication under windows domain environment

I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.

I had seen the Ipad download the ISE certificate the very first time the device is connected to the SSID. In Android device (Galaxy phone) I don’t see the device download certificate.

Testing with the Android device I was able to install the root CA certificate (a not easy procedure), then when the SSID is configured in the device I have the option to choice the root CA certificate.

Now if I don’t include the certificate in the SSID configuration, the device is able to connect with an Identity and Password only. If I include the certificate in the SSID configuration, the device ask for the certificate storage password if the option for use secure credentials is not enabled before.

How can I validate through the ISE the android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necesarity use certificates, but the Android device does not show anything.

I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I Right?

The customer said it appears the certificate is being used to encrypt the username and password not for do the authentication itself. Reading about EAP functionality I believe it is right, I understand the EAP-MSCHAP actually creates a tunnel to passthrough the username and password. Right?

As the Ipad and Android devices are not in the windows domain, what should be expected when the password is expired? Customer Policy indicates users must change domain passwords every four months. In a Windows PC users receive warnings some days before the expiration but it appears nothing happen in non-domain devices. A co-worker told me the easy way is that when this happen the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best practice work around?

I hope you can help me to clarify my doubts.


Daniel Escalante

New Member

Android, Ipad authentication under windows domain environment

ISE Case: SR 6628070423 Android Proviosning does not apply certificate axians

See the demo video Android End User Experience

around 02:32 to 02:47 showing the client identity certificate installing process.

Please continue working with TAC and ESC, who would further feedback to the product teams when needed.

Re: Android, Ipad authentication under windows domain environmen

Do you have a link to this video ?

Sent from Cisco Technical Support iPhone App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
CreatePlease to create content