ISE 1.2.1 - Client certificate renewal and expiration
Anyone had any luck setting up and getting this functionality working? I have set up the correct authentication and authorisation flows and all works well. My major issue is that it would appear as though Apple iOS devices do not allow you to update the profiles - meaning you have to delete the iOS profile, which in essence means the entire renewal process is pointless.
Release notes say iOS is supported, the live session says it is supported after expiration.... so what is true? As for deleting the profile, how do you delete the profile which contains the certificate and then log in.... sounds bogus to me, or I am missing something. Also the slides say you can use the NSP portal, however the option to do renewal is only available on CWA.
Basically, to my mind the process for iOS is not functioning as intended and is essentially useless.
I figured as much, but at what point does the user delete the profile? The profile contains the client certificate, therefore if you delete it at the wrong time renewal will not occur; likewise, if you delete the profile and you lose connection you are now in a position where your device is registered and possibly unable to re-register without admin intervention.
Deleting the profile will just make the device appear as a brand new BYOD device which needs BYOD on-boarding. The process/experience should not be any different than when the device was first on-boarded. Thus, the user can delete the profile at any time. Obviously there will be no access until the re-on-boarding happens, but again that is not any different than when the device was set up originally. To answer your last question: it really depends on how you set up your policies, but just because the device is registered it does not mean that it won't go through the on-boarding process. In addition, if your rules are set up in such a way that the device must NOT be registered for on-boarding to succeed, then the BYOD user(s) can use the My Devices portal to manually delete the iOS device from ISE without the need of admin intervention.
This explanation flies in the face of the live session and the release notes, which state that iOS devices can be subject to the cert renewal flow when the cert is expired (not about to expire). Basically your explanation, if correct, confirms what I thought - that this process is useless and pointless for iOS devices despite documentation suggesting otherwise.
Your suggestion of manually deleting devices from portals etc. is all nice, but in large corporate environments it is not going to fly from a usability perspective - especially if you require network comms to hit the portal in the first place or have large numbers of end users. In reality this needs to be as seamless and hands-off as possible - it is hard enough as it is.