Symptom
Start BYOD (for an EAP-TLS profile).
The cert with the Admin role tag is provisioned (even if it is not used as the cert on the BYOD portal).
Client certificate enrollment starts after the EAP auth cert chain is pushed, and it fails while generating keys with the error:
"The Registration Authority's response is invalid"
When the profile is checked on the iOS device, the Admin cert has been installed instead of the Portal cert.
This also affects Windows clients, to the point where the Setup Assistant file streaming breaks.
Behavior in 1.2:
1. Once the BYOD process starts, ISE pushes down its Portal (BYOD/CWA) cert chain (this is shared with the Admin role).
2. In the second half of the provisioning process, ISE pushes down its EAP cert chain plus the client certificate (if EAP-TLS cert provisioning is used).
Since in 1.3 and 1.4 the Portal cert role can be separated from the Admin cert role, step 1 should now send the portal certificate and not the Admin certificate.
Instead, in step 1 ISE provisions its Admin cert regardless of the portal certificate tag configured.
This causes issues for some clients (such as Apple iOS devices): during the certificate enrollment process the client cannot trust the ISE portal certificate, which breaks the provisioning process.
Conditions
Conditions to replicate the issue on iOS devices:
ISE 1.3
BYOD flow with an EAP-TLS profile.
Certificate A assigned to BYOD portal.
Certificate B assigned to Admin Role.
Workaround
Assign the Admin role to the cert used on the BYOD portal.
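An added triage check, not part of the original bug note: given the cert the iOS device actually installed (exported from the provisioned profile) and the certs assigned to the BYOD portal and Admin roles, it reports whether the Admin cert was pushed in place of the Portal cert, and whether the workaround (one cert carrying both roles) is already in effect. The PEM handling, function names and sample certificates below are my own assumptions, and the sample PEM bodies are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

# Assumption: all three certs are supplied as PEM text; only the first
# certificate in each input is fingerprinted (the leaf, not the chain).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def diagnose(installed_pem: str, portal_pem: str, admin_pem: str) -> str:
    """Classify what the device received in step 1 of the BYOD flow."""
    installed, portal, admin = (fingerprint(p) for p in (installed_pem, portal_pem, admin_pem))
    if portal == admin:
        return "same-cert"          # workaround in place: one cert holds both roles
    if installed == portal:
        return "ok"                 # portal cert pushed as expected
    if installed == admin:
        return "admin-cert-pushed"  # the defect described in the symptom
    return "unknown-cert"           # neither role cert: look elsewhere


def _constructed_pem(seed: bytes) -> str:
    # Constructed sample: PEM framing around arbitrary bytes, not a real cert.
    body = base64.encodebytes(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


PORTAL_CERT = _constructed_pem(b"certificate A: BYOD portal role (constructed)")
ADMIN_CERT = _constructed_pem(b"certificate B: Admin role (constructed)")

if __name__ == "__main__":
    # Device installed the Admin cert while the roles use different certs.
    print(diagnose(ADMIN_CERT, PORTAL_CERT, ADMIN_CERT))  # admin-cert-pushed
```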
Further Problem Description