Solved

Connecting IPAD to WPA2-Enterprise WiFi keeps telling me certificate is not valid

Posted on 2014-03-10
25
8,152 Views
Last Modified: 2014-03-26
Hello,

I keep getting certificate errors when connecting to the company Wireless.

Wireless settings are:
WPA2-Enterprise
PEAP w/ MSCHAPv2
RADIUS (NPS) authentication

With a Windows 8 client laptop it connects fine without any certificate errors.

With an iPad I can get connected, but only after choosing to ignore a certificate error.

I would like to eliminate the certificate error, as my customer has requested this.


Any idea why the Win8 client connects and the iPad feels the need to alert me?

I am using a self-signed server/client certificate on my RADIUS server.

From what I understand, a 3rd-party server certificate should not be required for this.
0
Question by:nflnetwork29
25 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39919734
Is the laptop joined to the domain? If so, part of that process is adding the dc cert to the trusted root cert store, that's why no alert. Try it with a windows laptop not on the domain and you will get an alert just like the iPad.
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 39919877
I have not been privileged to set up an enterprise WiFi, so this is just something I found during my reading on the topic.

http://support.apple.com/kb/HT1978

They explain at the link above that it involves creating profiles and including the certificate in them.
0
 
LVL 63

Expert Comment

by:btan
ID: 39919913
This link may be key to help resolve (hopefully)
https://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

But as a whole, few points to note:

a) Client setting - check the 'validate server certificate' and 'Do not prompt user to authorize new servers or trusted certification authorities' options; both are likely turned on, and since you are using a self-signed cert on the RADIUS (NPS) you are seeing the pop up. You can turn them off (manually or via GPO), but I recommend not to, as it is supposed to be a security warning.

> Maybe export the root certificate from RADIUS (NPS), or grab the server cert from another domain-joined client machine and import it into the "fresh" legit clients to test if the error prompt still occurs. The trusted root cert store on the client must have this server cert to prevent the pop-up warning.

b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if the RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), the name does not match and you will get an error. Same if the client has a non-matching server-name cert too.

> Those certificates are for server machine authentication via PEAP (in this case); the secure tunnel will then proceed to allow your username and password (in this case CHAPv2) to be transmitted across the secure channel established.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39921611
The NPS will have a cert from the internal CA, so the Windows clients will trust the NPS if they too have a cert from the same CA, or, as btan says, they have the 'Validate Server Certificate' option unchecked.

The Apple clients don't know about the internal CA until you install the CA's root cert on it.  Apple devices expect to validate the certificate.

The Apple clients
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39921721
I have heard that a valid 3rd-party cert will solve this problem but never tried it. If you go this route, it CANNOT be a wildcard cert. I know that is bad news.
0
 

Author Comment

by:nflnetwork29
ID: 39921763
No, we have tried a 3rd-party cert and it still prompts.

My question then:

How to use an iPad with WPA2-Ent and not get any certificate authentication.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39921893
Is your cert trusted using the default apple cert chain?
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39921895
Also check your NPS settings to see which cert is being used for that connection rule.
0
 

Author Comment

by:nflnetwork29
ID: 39921908
Not sure how to verify this?

Can you tell me the steps?

> Is your cert trusted using the default apple cert chain?
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39921926
Here is the list of root certs in all iOS versions:
https://support.apple.com/kb/ht5012
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39921940
> no we have tried a 3rd party cert and it still prompts.

If the name in the cert doesn't match the name of the NPS server you'll get a certificate warning if you use a 3rd-party cert.

Can you post the exact warning you see?
0
 

Author Comment

by:nflnetwork29
ID: 39921979
Yeah, so the cert is on the list. I matched using the serial number.

The name on the certificate does not match the name of the NPS server.

The name on the certificate is office.externaldomain.com

My NPS server is NPS.internaldomain.local
0
 

Author Comment

by:nflnetwork29
ID: 39921984
And I thought you couldn't use internal .local domains in certificates anymore?
0
 

Author Comment

by:nflnetwork29
ID: 39921986
Also to note: funny thing is, Android does not seem to care and does not create any security alert.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39922100
Android doesn't care... as long as you provide credentials it's not really bothered.
0
 

Author Comment

by:nflnetwork29
ID: 39922197
So what name should I use on the certificate?

Internal FQDN?

Not sure how I would use the external FQDN.
0
 
LVL 63

Expert Comment

by:btan
ID: 39922370
You need to match the NPS server name, as I shared earlier:

> b) Server setting - Playing diligence, the self-signed server certificate should have its cert subject name matching the name of the RADIUS (NPS). So if the RADIUS (NPS) is named "server.wifi.enterprise.local" and the actual provisioned server certificate is ".....enterprise.com" (as an example), the name does not match and you will get an error. Same if the client has a non-matching server-name cert too.

In your case, it is "NPS.internaldomain.local". Export the cert and import it into iOS using iPhone Configuration Utility (iPCU). See steps:

To validate the RADIUS server certificate, you need to trace all the way back to the CA that issued it. If you're using Microsoft NPS, the certificate is the root server in the Microsoft CA.

More info on using Apple for the EAP (pdf - see Appendix A: Payload Settings for 802.1X) @ http://training.apple.com/pdf/WP_8021X_Authentication.pdf
0
 

Author Comment

by:nflnetwork29
ID: 39922459
> In your case, it is "NPS.internaldomain.local", export the cert and import into iOS using iPhone Configuration Utility (iPCU). See steps

I do not want to have to install anything on the iOS devices. It should just connect and not have any security alerts.

I can't use a self-signed certificate as I am authenticating workgroup PCs and laptops and iOS devices.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39922492
To get iPads to not prompt without touching them and installing something first: have a 3rd-party cert from someone on the iOS root cert list installed on your root cert authority (probably your DC) with the FQDN of your DC.

There is no other way. There are no shortcuts. All the original error says is that your CA doesn't have a valid cert chain. It's not really a bad thing, but to get rid of the error this is what you have to do.
0
 

Author Comment

by:nflnetwork29
ID: 39922505
Internal fqdn or external?
0
 
LVL 63

Expert Comment

by:btan
ID: 39922552
You need the CA server that issued that NPS cert to be trusted and stored in the iOS device's trusted root cert store. If it is self-signed then you need to port it there to avoid the prompt; otherwise you should be using a certificate from the existing iOS root trusted cert store (aarontomosky has shared the link earlier). You need a machine check, and it is using the cert for machine identity.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39922593
I'm pretty sure a cert has to be external, but I've never tried to get one for a .local so I'm not 100%.
Personally I use i.domain.com, like some people use corp.domain.com instead of .local or .lan, and it avoids this sort of issue.
0
 

Author Comment

by:nflnetwork29
ID: 39924117
So it looks like we ARE using the 3rd-party certificate (it is a listed root cert in the Apple list of trusted certs for iOS). The certificate is a multi-name cert and DOES include the internal DNS name of the RADIUS server (NPS).

Still getting the security alert when connecting using an iOS device.

Any other suggestions?
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39924179
NPS -> Network Policies -> wireless network policy (or whatever yours is called) -> Properties -> Constraints -> Authentication Methods -> Microsoft Protected EAP (PEAP) -> Edit
Check which cert is selected here.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39925340
As far as I know, the CN should reflect the FQDN of your NPS server. Therefore I hope your domain doesn't end with .local, .internal or an equivalent of this, the reason being that public CAs don't issue certificates for these domains.

Which is why I thought, when you mentioned earlier that a "self signed" cert is used, that it needs to be trusted and in the root trust cert store. As a whole, to get rid of the prompt I see two ways:

1 - If you validate the server cert, then that same cert from the RADIUS server needs to be installed on the client (or supplicant).

2 - If you ignore that server cert, your client (or supplicant) simply accepts the cert sent by the RADIUS server and builds a TLS tunnel.

These are steps done in school as an example.
0
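The two conditions this thread keeps coming back to (btan's point b) about the subject name matching the NPS FQDN, and the accepted solution's point that the issuer must sit in the device's trusted root store) can be reproduced on the server side before any iPad is touched. The script below is an added example, not posted by anyone in this thread, and it uses only the `openssl` command-line tool. It builds a throwaway CA and three candidate NPS certificates, all constructed for the demo (the hostnames `nps.internaldomain.local` and `office.externaldomain.com` are borrowed from the thread; the file names, the CA name and the `ca.pem` bundle standing in for the iOS root store are assumptions), and then runs the same chain check and hostname check a supplicant applies during the PEAP TLS handshake. Generalising a little beyond the thread, the self-signed case is included as well, so all three outcomes (trusted and matching, trusted but misnamed, untrusted issuer) are shown side by side.

```shell
#!/bin/sh
# Added example: reproduce the two checks a supplicant applies to the
# RADIUS (NPS) server certificate during PEAP, using the openssl CLI.
#   1. the certificate must chain to a CA the device trusts
#   2. the name in the certificate must match the NPS server's FQDN
# The CA, hostnames and certificates below are constructed for the demo;
# "ca.pem" stands in for the trusted root store on the iPad.

# Issue a CA-signed server cert whose subject and SAN carry the given FQDN.
issue_cert() {
  dir=$1; name=$2; fqdn=$3
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "/CN=$fqdn" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
    > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.ext" \
    -out "$dir/$name.pem" >/dev/null 2>&1
}

# Build a throwaway PKI: one CA and three candidate NPS certificates.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
  # correct: issued by the trusted CA, named after the NPS server
  issue_cert "$dir" nps-ok nps.internaldomain.local
  # wrong name: trusted issuer, but carrying the public name from the thread
  issue_cert "$dir" nps-wrongname office.externaldomain.com
  # self-signed: right name, but no issuer the device trusts
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/nps-selfsigned.key" -out "$dir/nps-selfsigned.pem" \
    -subj "/CN=nps.internaldomain.local" >/dev/null 2>&1
}

# check_radius_cert CERT TRUSTED_CA_BUNDLE NPS_FQDN
# exit 0 = no prompt expected, 1 = untrusted chain, 2 = name mismatch
check_radius_cert() {
  cert=$1; bundle=$2; fqdn=$3
  subject=$(openssl x509 -in "$cert" -noout -subject)
  # step 1: does the cert chain to something in the trust store?
  if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo "$cert: issuer not in trust store ($subject)"
    return 1
  fi
  # step 2: does the subject/SAN name match the NPS server's FQDN?
  if ! openssl verify -CAfile "$bundle" -verify_hostname "$fqdn" "$cert" \
       >/dev/null 2>&1; then
    echo "$cert: chain OK but name does not match $fqdn ($subject)"
    return 2
  fi
  echo "$cert: trusted and matches $fqdn; supplicant should not prompt"
  return 0
}

# Demo run; a failing check is reported rather than aborting the script.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
for c in nps-ok nps-wrongname nps-selfsigned; do
  check_radius_cert "$demo_dir/$c.pem" "$demo_dir/ca.pem" nps.internaldomain.local \
    || echo "  -> rejected (rc=$?)"
done
```

To apply this to a real NPS, export the certificate selected under the PEAP settings of the network policy and the root certificate of the CA that issued it, then run `check_radius_cert nps.pem root.pem <NPS FQDN>`: a return of 2 is the `office.externaldomain.com` versus `NPS.internaldomain.local` situation from this thread, and a return of 1 is the self-signed or unknown-CA situation that no amount of renaming will fix.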

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question