• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9204

Connecting iPad to WPA2-Enterprise WiFi keeps telling me the certificate is not valid

Hello,

I keep getting certificate errors when connecting to the company Wireless.

Wireless settings are:
WPA2-Enterprise
PEAP w/ MSCHAPv2
RADIUS (NPS) authentication

With a Windows 8 client laptop it connects fine without any certificate errors.

With an iPad I can get connected, but only after choosing to ignore a certificate error.

I would like to eliminate the certificate error as my customer has requested this.


Any idea why the Win8 client connects and the iPad feels the need to alert me?

I am using a self signed server/client certificate on my RADIUS server.

From what I understand a 3rd party server certificate should not be required for this.
Asked by nflnetwork29
1 Solution

Aaron Tomosky (SD-WAN Simplified) commented:
Is the laptop joined to the domain? If so, part of that process is adding the dc cert to the trusted root cert store, that's why no alert. Try it with a windows laptop not on the domain and you will get an alert just like the iPad.

Sikhumbuzo Ntsada (Senior IT Technician) commented:
I have not been privileged to setup an enterprise Wifi, so this is just something I found during my reading on the topic.

http://support.apple.com/kb/HT1978

They explain on the link above that it involves creating profiles and including the certificate in them.

btan (Exec Consultant) commented:
This link may be key to help resolve (hopefully)
https://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

But as a whole, few points to note:

a) Client setting - check the 'Validate server certificate' and 'Do not prompt user to authorize new servers or trusted certification authorities' options; both are likely turned on since you are using a self-signed cert on the RADIUS (NPS), so you are seeing the pop-up. You can turn it off (manually or via GPO), but I recommend not to, as it is supposed to be a security warning.

> Maybe export the root certificate from RADIUS (NPS), or grab the server cert from other domain joined client machine and import into the "fresh" legit clients to test if the error prompt still occurs. The trusted root cert store in client must have this server cert to prevent the pop up warning

b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), it does not match the name and you will get an error. Same if the client has a non-matched server-name cert too.

> Those certificates are for server machine authentication via PEAP (in this case); the secure tunnel will then proceed to allow your username and password (in this case CHAPv2) to be transmitted across the secure channel established.

Craig Beck commented:
The NPS will have a cert from the internal CA, so the Windows clients will trust the NPS if they too have a cert from the same CA, or, as btan says, they have the 'Validate Server Certificate' option unchecked.

The Apple clients don't know about the internal CA until you install the CA's root cert on it.  Apple devices expect to validate the certificate.

The Apple clients

Aaron Tomosky (SD-WAN Simplified) commented:
I have heard that a valid 3rd party cert will solve this problem but never tried it. If you go this route, it CANNOT be a wildcard cert. I know that is bad news.

nflnetwork29 (Author) commented:
No, we have tried a 3rd party cert and it still prompts.

My question then:

How to use an iPad with WPA2-Ent and not get any certificate authentication.

Aaron Tomosky (SD-WAN Simplified) commented:
Is your cert trusted using the default apple cert chain?

Aaron Tomosky (SD-WAN Simplified) commented:
Also check your NPS settings to see which cert is being used for that connection rule.

nflnetwork29 (Author) commented:
Not sure how to verify this?

Can you tell me the steps?

> Is your cert trusted using the default apple cert chain?

Aaron Tomosky (SD-WAN Simplified) commented:
Here is the list of root certs in all iOS versions:
https://support.apple.com/kb/ht5012

Craig Beck commented:
> No, we have tried a 3rd party cert and it still prompts.
If the name in the cert doesn't match the name of the NPS server you'll get a certificate warning if you use a 3rd-party cert.

Can you post the exact warning you see?

nflnetwork29 (Author) commented:
Yea, so the cert is on the list. I matched using the serial number.

the name on the certificate does not match the name of the NPS server.

the name on the certificate is office.externaldomain.com

my NPS server is NPS.internaldomain.local

nflnetwork29 (Author) commented:
And I thought you couldn't use internal .local domains in certificates anymore?

nflnetwork29 (Author) commented:
Also to note: funny thing is, Android does not seem to care and does not create any security alert.

Craig Beck commented:
Android doesn't care... as long as you provide credentials it's not really bothered.

nflnetwork29 (Author) commented:
So what name should I use on the certificate?

Internal FQDN?

Not sure how I would use the external FQDN.

btan (Exec Consultant) commented:
You need to match the NPS server name, as I shared earlier:

> b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), it does not match the name and you will get an error. Same if the client has a non-matched server-name cert too.

In your case, it is "NPS.internaldomain.local", export the cert and import into iOS using iPhone Configuration Utility (iPCU). See steps

To validate the RADIUS server certificate, you need to trace all the way back to the CA that issued it. If you're using Microsoft NPS, the certificate is the root server in the Microsoft CA.

More info on using Apple for the EAP (pdf - see Appendix A: Payload Settings for 802.1X) @ http://training.apple.com/pdf/WP_8021X_Authentication.pdf

nflnetwork29 (Author) commented:
> In your case, it is "NPS.internaldomain.local", export the cert and import into iOS using iPhone Configuration Utility (iPCU). See steps


I do not want to have to install anything on the iOS devices. It should just connect and not have any security alerts.

I can't use a self-signed certificate as I am authenticating workgroup PCs and laptops and iOS devices.

Aaron Tomosky (SD-WAN Simplified) commented:
To get iPads to not prompt without touching them and installing something first: have a 3rd party cert from someone on the iOS root cert list installed on your root cert authority (probably your DC) with the FQDN of your DC.

There is no other way. There are no shortcuts. All the original error says is that your CA doesn't have a valid cert chain. It's not really a bad thing, but to get rid of the error this is what you have to do.

nflnetwork29 (Author) commented:
Internal fqdn or external?

btan (Exec Consultant) commented:
You need the CA server that issued that NPS cert to be trusted and stored in the iOS device's trusted root cert store. If it is self-signed then you need to port it there to avoid the prompt; otherwise you should be using a certificate from a CA in the existing iOS root trusted cert store (aarontomosky has shared the link earlier). You need a machine check, and it is using the cert for machine identity.

Aaron Tomosky (SD-WAN Simplified) commented:
I'm pretty sure a cert has to be external, but I've never tried to get one for a .local so I'm not 100%.
Personally I use i.domain.com, like some people use corp.domain.com instead of .local or .lan, and it avoids this sort of issue.

nflnetwork29 (Author) commented:
So it looks like we ARE using the 3rd party certificate (it is a listed root cert in the Apple list of trusted certs for iOS). The certificate is a multi-name cert and DOES include the internal DNS name of the RADIUS server (NPS).

Still getting the security alert when connecting using an iOS device.

Any other suggestions?

Aaron Tomosky (SD-WAN Simplified) commented:
nps->network policies->wireless network policy (or whatever yours is called)->properties->constraints->authentication methods->microsoft protected eap (peap)->edit
Check which cert is selected here.

btan (Exec Consultant) commented:
As far as I know, the CN should reflect the FQDN of your NPS server. Therefore I hope your domain doesn't end with .local, .internal or an equivalent of this. Reason being the public CA's don't issue certificates for these domains.

Which is why I thought earlier you mentioned a "self signed" cert is used, hence that needs to be trusted and in the root trust cert store. As a whole, to get rid of the prompt... I see two ways:

1 - If you validate the server cert, then that same cert from the RADIUS server needs to be installed on the client (or supplicant).

2 - If you ignore that server cert, your client (or supplicant) simply accepts the cert sent by the radius server and builds a TLS tunnel.

These are steps done in school as an example.
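The whole thread turns on three checks a supplicant makes on the RADIUS (NPS) server certificate during PEAP: whether the issuer chains to something in its trusted root store (the domain-joined laptop has the internal CA there, the iPad only has Apple's built-in list), whether the name in the certificate matches the NPS server name (btan's point b, Craig Beck's name-mismatch comment), and whether the client validates the server certificate at all (the Android and 'Validate server certificate unchecked' cases). The following is an added example written for this page, not code from the thread, Microsoft or Apple: it models those checks over constructed certificate records rather than real X.509 data. The names "Example Public Root CA" and "Example Public Issuing CA" and the `Cert` dataclass are constructed for the example; the only names taken from the thread are NPS.internaldomain.local and office.externaldomain.com. The `allow_wildcard` switch lets you model Aaron's statement that a wildcard certificate is not accepted for this purpose.

```python
"""Model of the trust decision an 802.1X/PEAP supplicant makes on the
RADIUS server certificate.  Added example; certificates are plain records,
not parsed X.509.  All CA names below are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed)."""
    subject: str                 # subject CN
    issuer: str                  # issuer CN; equal to subject when self-signed
    sans: Tuple[str, ...] = ()   # DNS names from subjectAltName
    is_ca: bool = False          # basicConstraints CA flag


def build_chain(leaf: Cert, intermediates: List[Cert],
                trusted_roots: List[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the server cert until a cert in the
    supplicant's trusted root store is reached.  Returns the chain (leaf
    first) or None when no trusted anchor exists, which is the iPad's
    situation with a self-signed NPS certificate."""
    by_subject = {c.subject: c for c in list(intermediates) + list(trusted_roots)}
    chain = [leaf]
    current = leaf
    while True:
        if current in trusted_roots:
            return chain
        if current.subject == current.issuer:      # self-signed and untrusted
            return None
        parent = by_subject.get(current.issuer)
        if parent is None or not parent.is_ca or parent in chain:
            return None
        chain.append(parent)
        current = parent


def name_matches(cert: Cert, hostname: str, allow_wildcard: bool = True) -> bool:
    """Does the cert name the RADIUS server?  SAN entries take precedence
    over the subject CN; a wildcard covers exactly one DNS label."""
    names = list(cert.sans) or [cert.subject]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if allow_wildcard and name.startswith("*."):
            suffix = name[1:]                      # ".externaldomain.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False


def supplicant_decision(server_cert: Cert, intermediates: List[Cert],
                        trusted_roots: List[Cert], nps_fqdn: str,
                        validate_server_cert: bool = True,
                        allow_wildcard: bool = True) -> str:
    """Outcome of the PEAP server-certificate check for one client type."""
    if not validate_server_cert:
        return "ACCEPT_UNVALIDATED"   # Android / 'Validate server certificate' off
    if build_chain(server_cert, intermediates, trusted_roots) is None:
        return "PROMPT_UNTRUSTED_ISSUER"
    if not name_matches(server_cert, nps_fqdn, allow_wildcard):
        return "PROMPT_NAME_MISMATCH"
    return "ACCEPT"


# --- constructed sample data modelling the thread's setups -----------------
NPS_FQDN = "NPS.internaldomain.local"
SELF_SIGNED_NPS = Cert(NPS_FQDN, NPS_FQDN)                       # author's first setup
PUBLIC_ROOT = Cert("Example Public Root CA", "Example Public Root CA", is_ca=True)
PUBLIC_ISSUER = Cert("Example Public Issuing CA", "Example Public Root CA", is_ca=True)
# 3rd-party cert naming only the external host (name mismatch case)
PUBLIC_CERT_MISMATCH = Cert("office.externaldomain.com", "Example Public Issuing CA",
                            sans=("office.externaldomain.com",))
# 3rd-party multi-name cert that also lists the internal NPS name
PUBLIC_CERT_SAN = Cert("office.externaldomain.com", "Example Public Issuing CA",
                       sans=("office.externaldomain.com", NPS_FQDN))
APPLE_BUILTIN_ROOTS = [PUBLIC_ROOT]                  # iPad: public roots only
DOMAIN_JOINED_ROOTS = [PUBLIC_ROOT, SELF_SIGNED_NPS]  # laptop: domain join added the NPS cert


def run_scenarios() -> dict:
    """Reproduce the behaviours reported in the thread."""
    return {
        "win8_domain_joined_selfsigned":
            supplicant_decision(SELF_SIGNED_NPS, [], DOMAIN_JOINED_ROOTS, NPS_FQDN),
        "ipad_selfsigned":
            supplicant_decision(SELF_SIGNED_NPS, [], APPLE_BUILTIN_ROOTS, NPS_FQDN),
        "ipad_public_cert_wrong_name":
            supplicant_decision(PUBLIC_CERT_MISMATCH, [PUBLIC_ISSUER], APPLE_BUILTIN_ROOTS, NPS_FQDN),
        "ipad_public_cert_with_nps_san":
            supplicant_decision(PUBLIC_CERT_SAN, [PUBLIC_ISSUER], APPLE_BUILTIN_ROOTS, NPS_FQDN),
        "android_no_validation":
            supplicant_decision(SELF_SIGNED_NPS, [], APPLE_BUILTIN_ROOTS, NPS_FQDN,
                                validate_server_cert=False),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:35s} -> {outcome}")
```

Run stand-alone it prints one line per scenario; the useful one for this thread is `ipad_public_cert_with_nps_san`, which accepts only when the certificate NPS actually presents carries the NPS FQDN and chains to a root the iPad already has, which is why Aaron's last suggestion to check which certificate is selected under the PEAP settings of the network policy is the right next step when the model says ACCEPT but the device still prompts.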