iOS 8 WPA2 Enterprise EAP-TLS Issues

Hi All,

We are in the process of deploying EAP-TLS authentication for Wi-Fi on our iOS devices to secure them via Microsoft Certificates.

The following components are involved:

Windows Server 2008R2 with NPS
Windows Root Certificate Authority
Windows Subordinate Certificate Authority
AirWatch Mobile Device Management
Windows Active Directory
iOS 8 iPhones & iPads

I am able to connect domain-joined Windows laptops to the wireless almost instantly using a certificate issued by the Sub CA.

However, we are not able to use EAP-TLS on the iOS devices as expected.

I have been using Airwatch MDM to install profiles on the iOS devices.

When I install the user certificate along with the trusted root and sub CA certificates, then connect to the network manually, it connects perfectly well, albeit saying the RADIUS server's certificate, which was issued by the same Certificate Server, is "not trusted".

However, when installing the MDM Profile with the certificates and the wireless settings, I am unable to connect. The profile looks to have all of the correct settings and allows for "Certificate Trust Exceptions". Looking at the logs on the NPS server, it shows "Reason Code 23".

I am unable to work out why the device connects with the certificate manually, but not using the Profile.

Some forum posts suggest that the iOS 8 upgraded EAP-TLS security, but I don't know how to get around the problem I am having.



Side note:

Even when the trusted roots are installed on the iPad it still says "not trusted". I thought I might be able to get around this by installing the actual RADIUS certificate on the iOS device. However, it still says not trusted.


I hope someone can help!

Josh
Badger1879Asked:

gheistCommented:
So you are not installing all required certificates? Are you sure they all are SHA256 or better?
0
Badger1879Author Commented:
I have the whole certificate trust chain installed on the iPad and on the RADIUS server, and the certificates used by the server and client are SHA1.

They work fine when the Wi-Fi settings are not deployed via the iOS MDM Profile.
0
gheistCommented:
It is a bug to file with Apple; it used to work with iOS 6.
0

Badger1879Author Commented:
There must be a working solution; iOS 8 has been out long enough for them to fix it by now, and there hasn't been enough of an uproar for this to be a widespread issue.

It has to be something I am missing.
0
gheistCommented:
Yes - report a SOFTWARE BUG to the software vendor (in your case - APPLE).
0
Badger1879Author Commented:
Thanks for your input, I have managed to find a workaround for anyone experiencing the same issue:

In the MDM, I uploaded the Root CA, Sub CA and the RADIUS Certificate in the credential section of the iOS Profile.

Once the certificates have been uploaded, tick the certificates in the trusted section of the Wi-Fi settings.

This worked a treat for us!

Wi-Fi Trusted Certificates
0
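The workaround above, expressed as the profile structure it produces. This is an added example, not the author's AirWatch export: it builds a .mobileconfig with Python's plistlib, placing the Root CA, Sub CA and RADIUS server certificates in certificate payloads and referencing their UUIDs from the Wi-Fi payload's PayloadCertificateAnchorUUID list (the "trusted certificates" tick boxes), and includes a check that flags a profile in which nothing was ticked. The SSID, the server name nps.example.local, the payload identifiers and the certificate bytes are placeholders.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method number for EAP-TLS in AcceptEAPTypes
CHAIN = ("Root CA", "Sub CA", "RADIUS server")  # the three certificates uploaded
new_uuid = lambda: str(uuid.uuid4()).upper()

def cert_payload(name, data, ptype="com.apple.security.root"):
    """One certificate payload (the 'credentials' section of the MDM profile)."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": new_uuid(),
            "PayloadIdentifier": "example.cert." + name.replace(" ", "-"),
            "PayloadDisplayName": name, "PayloadContent": data}

def wifi_payload(ssid, identity_uuid, anchor_uuids, server_names):
    """Wi-Fi payload; anchor_uuids are the certificates ticked as trusted."""
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "example.wifi", "PayloadUUID": new_uuid(),
            "SSID_STR": ssid, "EncryptionType": "WPA2", "AutoJoin": True,
            "PayloadCertificateUUID": identity_uuid,  # client identity (PKCS#12)
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [EAP_TLS],
                "PayloadCertificateAnchorUUID": list(anchor_uuids),
                "TLSTrustedServerNames": list(server_names)}}

def build_profile(ssid, trusted=CHAIN):
    """Return .mobileconfig bytes; certificate bytes are placeholders, not real DER."""
    certs = {n: cert_payload(n, f"<{n} DER>".encode()) for n in CHAIN}
    ident = cert_payload("User identity", b"<pkcs12>", "com.apple.security.pkcs12")
    anchors = [certs[n]["PayloadUUID"] for n in trusted]  # empty = nothing ticked
    wifi = wifi_payload(ssid, ident["PayloadUUID"], anchors, ["nps.example.local"])
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile", "PayloadUUID": new_uuid(),
                           "PayloadContent": [*certs.values(), ident, wifi]})

def trust_problems(mobileconfig):
    """Flag Wi-Fi payloads with no EAP trust anchors, or anchors with no cert payload."""
    payloads = plistlib.loads(mobileconfig)["PayloadContent"]
    have = {p["PayloadUUID"] for p in payloads
            if p["PayloadType"].startswith("com.apple.security.")}
    problems = []
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        anchors = p["EAPClientConfiguration"].get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(f"{p['SSID_STR']}: no trusted certificates selected")
        problems += [f"{p['SSID_STR']}: anchor {a} has no certificate payload"
                     for a in anchors if a not in have]
    return problems
```

Running trust_problems against a profile built with trusted=() reproduces the "certificates uploaded but not ticked" state that the original profile was in.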

gheistCommented:
Still, I see a good chance you succeed in convincing Apple to perform cert validations when exporting the profile... if you have time for it.
0
Badger1879Author Commented:
I was able to fix my own issue.
0