Solved

Connecting iPad to WPA2-Enterprise WiFi keeps telling me certificate is not valid

Posted on 2014-03-10
25
7,514 Views
Last Modified: 2014-03-26
Hello,

I keep getting certificate errors when connecting to the company Wireless.

Wireless settings are:
WPA2-Enterprise
PEAP w/ MSCHAPv2
RADIUS (NPS) authentication

With a Windows 8 client laptop it connects fine without any certificate errors.

With an iPad I can get connected but only after choosing to ignore a certificate error.

I would like to eliminate the certificate error as my customer has requested this.


Any idea why the Win8 client connects and the iPad feels the need to alert me?

I am using a self signed server/client certificate on my RADIUS server.

From what I understand a 3rd party server certificate should not be required for this.
0
Question by:nflnetwork29
25 Comments
 
LVL 38

Expert Comment

by:Aaron Tomosky
Is the laptop joined to the domain? If so, part of that process is adding the dc cert to the trusted root cert store, that's why no alert. Try it with a windows laptop not on the domain and you will get an alert just like the iPad.
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
I have not been privileged to setup an enterprise Wifi, so this is just something I found during my reading on the topic.

http://support.apple.com/kb/HT1978

They explain on the link above that it involves creating profiles and including the certificate in them.
0
 
LVL 61

Expert Comment

by:btan
This link may be key to help resolve (hopefully)
https://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

But as a whole, few points to note:

a) Client setting - check 'validate server certificate' and 'Do not prompt user to authorize new servers or trusted certification authorities'; both are likely turned on, and since you are using a self-signed cert on the RADIUS (NPS) you are seeing the pop-up. You can turn it off (manually or via GPO) but I recommend not to, as it is supposed to be a security warning.

> Maybe export the root certificate from RADIUS (NPS), or grab the server cert from another domain-joined client machine and import it into the "fresh" legit clients to test if the error prompt still occurs. The trusted root cert store in the client must have this server cert to prevent the pop-up warning.

b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if the RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), it does not match the name and you will get an error. Same if the client has a non-matching server name in the cert too.

> That certificate is for server machine authentication via PEAP (in this case); the secure tunnel will then proceed to allow your username and password (in this case MSCHAPv2) to be transmitted across the secure channel established.
0
 
LVL 45

Expert Comment

by:Craig Beck
The NPS will have a cert from the internal CA so the Windows clients will trust the NPS if they too have a cert from the same CA, or as breadtan says they have the 'Validate Server Certificate' option unchecked.

The Apple clients don't know about the internal CA until you install the CA's root cert on them. Apple devices expect to validate the certificate.

The Apple clients
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
I have heard that a valid 3rd party cert will solve this problem but never tried it. If you go this route, it CANNOT be a wildcard cert. I know that is bad news.
0
 

Author Comment

by:nflnetwork29
No, we have tried a 3rd party cert and it still prompts.

My question then:

How to use an iPad with WPA2-Ent and not get any certificate authentication prompt.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Is your cert trusted using the default apple cert chain?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Also check your NPS settings to see which cert is being used for that connection rule.
0
 

Author Comment

by:nflnetwork29
Not sure how to verify this?

Can you tell me the steps?

> Is your cert trusted using the default apple cert chain?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
Here is the list of root certs in all iOS versions:
https://support.apple.com/kb/ht5012
0
 
LVL 45

Expert Comment

by:Craig Beck
> no we have tried a 3rd party cert and it still prompts.
If the name in the cert doesn't match the name of the NPS server you'll get a certificate warning if you use a 3rd-party cert.

Can you post the exact warning you see?
0
 

Author Comment

by:nflnetwork29
Yea, so the cert is on the list. I matched using the serial number.

The name on the certificate does not match the name of the NPS server.

The name on the certificate is office.externaldomain.com

My NPS server is NPS.internaldomain.local
0
 

Author Comment

by:nflnetwork29
And I thought you couldn't use an internal .local domain in certificates anymore?
0
 

Author Comment

by:nflnetwork29
Also to note: the funny thing is Android does not seem to care and does not create any security alert.
0
 
LVL 45

Expert Comment

by:Craig Beck
Android doesn't care... as long as you provide credentials it's not really bothered.
0
 

Author Comment

by:nflnetwork29
So what name should I use on the certificate?

Internal FQDN?

Not sure how I would use the external FQDN.
0
 
LVL 61

Expert Comment

by:btan
You need to match the NPS server name as I shared earlier:

> b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if the RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), it does not match the name and you will get an error. Same if the client has a non-matching server name in the cert too.

In your case it is "NPS.internaldomain.local"; export the cert and import it into iOS using the iPhone Configuration Utility (iPCU). See steps

To validate the RADIUS server certificate, you need to trace all the way back to the CA that issued it. If you're using Microsoft NPS, the certificate is the root server in the Microsoft CA.

More info on using Apple for the EAP (pdf - see Appendix A: Payload Settings for 802.1X) @ http://training.apple.com/pdf/WP_8021X_Authentication.pdf
0
 

Author Comment

by:nflnetwork29
> In your case, it is "NPS.internaldomain.local", export the cert and import into iOS using iPhone Configuration Utility (iPCU). See steps

I do not want to have to install anything on the iOS devices. It should just connect and not have any security alerts.

I can't use a self-signed certificate as I am authenticating workgroup PCs and laptops and iOS devices.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
To get iPads to not prompt without touching them and installing something first: have a 3rd party cert from someone on the iOS root cert list installed on your root cert authority (probably your DC) with the FQDN of your DC.

There is no other way. There are no shortcuts. All the original error says is that your CA doesn't have a valid cert chain. It's not really a bad thing, but to get rid of the error this is what you have to do.
0
 

Author Comment

by:nflnetwork29
Internal FQDN or external?
0
 
LVL 61

Expert Comment

by:btan
You need the CA server that issued that NPS cert to be trusted and stored in the iOS device's trusted root cert store. If it is self-signed then you need to port it there to avoid the prompt; otherwise you should be using a certificate from a CA in the existing iOS trusted root cert store (aarontomosky has shared the link earlier). You need a machine check and it is using the cert for machine identity.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
I'm pretty sure the cert has to be external, but I've never tried to get one for a .local so I'm not 100%.
Personally I use i.domain.com, like some people use corp.domain.com, instead of .local or .lan, and it avoids this sort of issue.
0
 

Author Comment

by:nflnetwork29
So it looks like we ARE using the 3rd party certificate (it is a listed root cert in the Apple list of trusted certs for iOS). The certificate is a multi-name cert and DOES include the internal DNS name of the RADIUS server (NPS).

Still getting the security alert when connecting using an iOS device.

Any other suggestions?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
NPS -> Network Policies -> wireless network policy (or whatever yours is called) -> Properties -> Constraints -> Authentication Methods -> Microsoft: Protected EAP (PEAP) -> Edit
Check which cert is selected here.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
As far as I know, the CN should reflect the FQDN of your NPS server. Therefore I hope your domain doesn't end with .local, .internal or an equivalent of this. The reason being that public CAs don't issue certificates for these domains.

Which is why I thought earlier, when you mentioned a "self signed" cert is used, that it needs to be trusted and in the root trust cert store. As a whole, to get rid of the prompt I see two ways:

1 - If you validate the server cert, then that same cert from the RADIUS server needs to be installed on the client (or supplicant).

2 - If you ignore that server cert, your client (or supplicant) simply accepts the cert sent by the RADIUS server and builds a TLS tunnel.

These are steps done in school as an example
0
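To make the two checks discussed in this thread concrete (does the issuer chain to a root the device already trusts, and does the certificate name match the NPS FQDN), here is an added model of a supplicant's verdict over constructed certificates. It is not code from the thread or from NPS/iOS; the trust store, the `Cert` structure and the single-level issuer check are simplifications assumed for illustration.

```python
"""Constructed model of the server-certificate checks a PEAP supplicant
(e.g. an iPad) applies before it will connect silently: issuer trust and
name match.  All certificates and the trust store below are made up."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_cn: str
    issuer: str                       # issuing CA name (assumed one-level chain)
    san_dns: list = field(default_factory=list)   # SAN dNSName entries


def names_match(cert: Cert, server_fqdn: str) -> bool:
    """Exact, case-insensitive match of the NPS FQDN against the SAN entries,
    falling back to the CN when the cert has no SAN.  No wildcard expansion,
    in line with the note above that a wildcard cert will not do."""
    candidates = cert.san_dns or [cert.subject_cn]
    wanted = server_fqdn.lower().rstrip(".")
    return any(n.lower().rstrip(".") == wanted for n in candidates)


def supplicant_verdict(cert: Cert, trusted_roots: set, server_fqdn: str) -> list:
    """Return the reasons the device would raise a certificate prompt;
    an empty list means it connects without a warning."""
    reasons = []
    if cert.issuer not in trusted_roots:
        reasons.append("issuer not in device trust store")
    if not names_match(cert, server_fqdn):
        reasons.append("name mismatch")
    return reasons


# Constructed stand-in for the iOS built-in root list.
IOS_ROOTS = {"Example Public Root CA"}
NPS_FQDN = "NPS.internaldomain.local"          # the asker's NPS server name

# Case 1: self-signed NPS cert -> name fine, issuer untrusted (domain-joined
# Windows clients pass only because the root was pushed into their store).
SELF_SIGNED = Cert("NPS.internaldomain.local", "NPS.internaldomain.local")
# Case 2: public cert for office.externaldomain.com -> trusted but wrong name.
EXTERNAL_NAME = Cert("office.externaldomain.com", "Example Public Root CA")
# Case 3: public multi-name cert whose SAN covers the NPS FQDN -> no prompt.
# If a prompt still appears with such a cert, check which cert NPS is
# actually using under the PEAP settings, as suggested above.
MULTI_NAME = Cert("office.externaldomain.com", "Example Public Root CA",
                  ["office.externaldomain.com", "NPS.internaldomain.local"])

if __name__ == "__main__":
    for label, c in [("self-signed", SELF_SIGNED), ("external", EXTERNAL_NAME),
                     ("multi-name", MULTI_NAME)]:
        print(label, supplicant_verdict(c, IOS_ROOTS, NPS_FQDN) or "no prompt")
```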
