Badger1879 asked:

iOS 8 WPA2 Enterprise EAP-TLS Issues

Hi All,

We are in the process of deploying EAP-TLS authentication for Wi-Fi on our iOS devices to secure them via Microsoft Certificates.

The following components are involved:

Windows Server 2008R2 with NPS
Windows Root Certificate Authority
Windows Subordinate Certificate Authority
AirWatch Mobile Device Management
Windows Active Directory
iOS 8 iPhones & iPads

I am able to connect domain-joined Windows laptops to the wireless almost instantly using a certificate issued by the Sub CA.

However, we are not able to use EAP-TLS on the iOS devices as expected.

I have been using AirWatch MDM to install profiles on the iOS devices.

When I install the user certificate along with the trusted root and sub CA certificate, then connect to the network manually, it connects perfectly well, albeit saying the RADIUS server's certificate, which was issued by the same certificate server, is "not trusted".

However, when installing the MDM Profile with the certificates and the wireless settings, I am unable to connect. The profile looks to have all of the correct settings and allows for "Certificate Trust Exceptions". Looking at the logs on the NPS server, it shows "Reason Code 23".

I am unable to work out why the device connects with the certificate manually, but not using the Profile.

Some forum posts suggest that iOS 8 upgraded EAP-TLS security, but I don't know how to get around the problem I am having.

Side note:

Even when the trusted roots are installed on the iPad, it still says "not trusted". I thought I might be able to get around this by installing the actual RADIUS certificate on the iOS device. However, it still says not trusted.

I hope someone can help!

gheist:

So you are not installing all required certificates? Are you sure they all are SHA256 or better?

Badger1879:

I have all of the certificate chain trust installed on the iPad and installed on the RADIUS server, and the certificates used by the server and client are SHA1.

They work fine when the Wi-Fi settings are not deployed via the iOS MDM Profile.

It is a bug to file with Apple; it used to work with iOS 6.

There must be a working solution; iOS 8 has been out long enough for them to fix it now, and there hasn't been enough of an uproar for this to be a widespread issue.

It has to be something I am missing.
Yes - report a SOFTWARE BUG to software vendor (in your case - APPLE)
Still, I see a good chance you will succeed in convincing Apple to perform cert validations when exporting the profile... if you have time for it.
I was able to fix my own issue.