Badger1879
asked on
iOS 8 WPA2 Enterprise EAP-TLS Issues
Hi All,
We are in the process of deploying EAP-TLS authentication for Wi-Fi on our iOS devices to secure them via Microsoft Certificates.
The following components are involved:
I am able to connect Domain Join Windows Laptops to the wireless almost instantly using a certificate issued by the Sub CA.
However, we are not able to use EAP-TLS on the iOS devices as expected.
I have been using Airwatch MDM to install profiles on the iOS devices.
When I install the user certificate along with the trusted root and sub CA certificate, then connect to the network manually, it connects perfectly well. Albeit saying the RADIUS severs certificate, which was issued by the same Certificate Server is "not trusted".
However, when installing the MDM Profile with the certificates and the wireless settings, I am unable to connect. The profile looks to have all of the correct settings and allows for "Certificate Trust Exceptions". Looking at the logs on the NPS server, it shows "Reason Code 23"
I am unable to work out why the device connects with the certificate manually, but not using the Profile.
Some forum posts suggest that the iOS 8 upgraded EAP-TLS security, but I don't know how to get around the problem I am having.
Side note:
Even when the trusted roots are installed on the iPad it still says not "not trusted" I thought I might be able to get around this by installing the actual RADIUS certificate on the the iOS device. However, it still says not trusted.
I hope someone can help!
Josh
We are in the process of deploying EAP-TLS authentication for Wi-Fi on our iOS devices to secure them via Microsoft Certificates.
The following components are involved:
Windows Server 2008R2 with NPS
Windows Root Certificate Authority
Windows Subordinate Certificate Authority
AirWatch Mobile Device Management
Windows Active Directory
iOS 8 iPhones & iPads
I am able to connect Domain Join Windows Laptops to the wireless almost instantly using a certificate issued by the Sub CA.
However, we are not able to use EAP-TLS on the iOS devices as expected.
I have been using Airwatch MDM to install profiles on the iOS devices.
When I install the user certificate along with the trusted root and sub CA certificate, then connect to the network manually, it connects perfectly well. Albeit saying the RADIUS severs certificate, which was issued by the same Certificate Server is "not trusted".
However, when installing the MDM Profile with the certificates and the wireless settings, I am unable to connect. The profile looks to have all of the correct settings and allows for "Certificate Trust Exceptions". Looking at the logs on the NPS server, it shows "Reason Code 23"
I am unable to work out why the device connects with the certificate manually, but not using the Profile.
Some forum posts suggest that the iOS 8 upgraded EAP-TLS security, but I don't know how to get around the problem I am having.
Side note:
Even when the trusted roots are installed on the iPad it still says not "not trusted" I thought I might be able to get around this by installing the actual RADIUS certificate on the the iOS device. However, it still says not trusted.
I hope someone can help!
Josh
gheist
So you are not installing all required certificates? Are you sure they all are SHA256 or better?
ASKER
I have all of the certificate chain trust installed on the iPad and installed on the RADIUS server and the Certificates used by the server and client are SHA1.
They work fine when the Wi-Fi settings are not deployed via the iOS MDM Profile.
They work fine when the Wi-Fi settings are not deployed via the iOS MDM Profile.
It is a bug to fill with Apple, it used to work with iOS 6
ASKER
There must be a working solution, iOS 8 has been out long enough for them to fix it now and there hasn't been enough of an uproar for this to be a wide spread issue.
It has to be something I am missing.
It has to be something I am missing.
Yes - report a SOFTWARE BUG to software vendor (in your case - APPLE)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Still I see good chance you succeed convincing Apple to perform cert validations when exporting profile... If you have time for it.
ASKER
I was able to fix my own issue.