Terellion (United Kingdom) asked:

iPad / Android device authentication with 2012 NPS Server

Hi guys

I have a corporate Juniper wireless network set up and I'm trying to authenticate an iPad and an Android tablet with a Windows 2012 R2 NPS server.

I have created the user cert and downloaded it to the devices; however, I'm not sure where or how I can tell the iPad or tablet to use the cert for authentication. Is there some sort of app that I can use for this? Within a Windows machine I can dive into the SSID and tell it what to use, but I can't find any good information on how to do this with an iPad.

So the outcome I would like is for the user to authenticate to the network with this one user certificate.

Any help would be greatly appreciated.

Thanks
btan

Juniper should most likely be using RADIUS (by NPS) to check the mobile device before granting access to the enterprise Wi-Fi (using 802.1X, WPA-Enterprise, or WPA2-Enterprise). But in general, I see this article may be useful - note its lab setup and steps:
http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx
SOLUTION
footech

This solution is only available to members.
Yap, the NDES role in mobile device requests, and getting issued with the certificate exchanged through SCEP, is doable and seamless; just need to also be aware of the use of a user cert in mobile (the device sees it as a user cert, which NPS sees as a machine cert; need to do some tweak as shared in the post):
Devices such as iPads behave differently, where they treat all certificates installed as a user certificate, hence when passing the subject name to the NPS server, NPS will look for a user object in AD DS rather than a computer object, causing the authentication request to fail

The certificates installed on iPads use the Network Device Enrollment Services (NDES), which utilizes the Simple Certificate Enrollment Protocol (SCEP) to enroll for device certificates. This is the default and can't be changed. These device certificates are computer certificates and not user certificates.

As a result, the Network Policy Server (NPS) will deny access to the iPad device, because it is mapping the wrong certificate type. The only way to make this work is to map the computer-enrolled certificate to a user account.
Terellion (Asker)

Hi guys

Thanks for the information.

I went to my RADIUS server http://radius-server/certsrv/ and requested the licence. I then copied that licence to my Android device, but yet I can't select it when setting up the Wi-Fi connection; it still says unspecified in the drop-down menu.

As for the iPad, I can't even select a certificate or anything - I have however heard of the iPhone or iPad configuration tool which allows this? Have you heard of this before?

Am I going in the right direction?

Thanks
SOLUTION

This solution is only available to members.
...I have however heard of the iPhone or iPad configuration tool which allows this? Have you heard of this before?
This makes me wonder if you even read my previous post.
footech - an oversight, apologies, thanks for that.

Thanks btan, I will give it a try and let you know how it goes.
Apparently the cert I used was not getting installed properly because of Chrome.

I used IE and it worked. I then extracted the PFX file and the Android device now connects. Result!

As for the iPad, the Apple Configurator only works for versions of iOS 7 and under - unless you have a Mac, which I don't.

So because of this setback I then created an AirWatch profile and uploaded the certificate to the profile for the iPad. It has been rolled out successfully and I have the cert on the device now, but I now get the following when trying to authenticate with the NPS server:

Authentication Details:
      Connection Request Policy Name:      dev-corp
      Network Policy Name:            dev-corp
      Authentication Provider:            Windows
      Authentication Server:            radius-server
      Authentication Type:            EAP
      EAP Type:                  Microsoft: Smart Card or other certificate
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  23
      Reason:                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

It seems to connect and put it into the correct connection and network policy, but then comes out with an error? I'm wondering if there is something I'm missing in AirWatch?

Shall I create a new question for AirWatch users?

Thanks
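As an added example (not code from this thread or from Microsoft), the following Python script parses an NPS "Authentication Details" block like the one pasted above and maps the Reason Code to a next step a defender would take. The sample event is constructed to mirror the post; the reason-code descriptions are paraphrased, and the EAP-TLS checklist attached to code 23 reflects what resolved this thread (the device profile lacked the CA certificate).

```python
"""Triage helper for NPS (Windows RADIUS) authentication-failure events.

Added example, not code from the thread: it parses the "Authentication
Details" block that NPS writes to the Security event log (event 6273)
and maps the Reason Code to a next step. Reason-code descriptions are
paraphrased; the sample event below is constructed for this example.
"""
import re

# Constructed sample, modelled on the event text pasted in the thread.
SAMPLE_EVENT = """\
Authentication Details:
      Connection Request Policy Name:      dev-corp
      Network Policy Name:            dev-corp
      Authentication Provider:            Windows
      Authentication Server:            radius-server
      Authentication Type:            EAP
      EAP Type:                  Microsoft: Smart Card or other certificate
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  23
      Reason:                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
"""

# Subset of NPS reason codes (paraphrased). Unknown codes get a generic hint.
REASON_HINTS = {
    16: "Credential mismatch: the user name or password was rejected.",
    22: "The EAP type sent by the client is not enabled on the matching network policy.",
    23: ("EAP processing error. For EAP-TLS this commonly means the TLS handshake "
         "failed: the client does not trust the NPS server certificate chain, or the "
         "client certificate is missing, expired, or cannot be mapped to an account."),
    48: "No network policy matched the connection request.",
    49: "No connection request policy matched the request.",
    66: "The client used an authentication method not enabled on the matched network policy.",
}


def parse_auth_details(text):
    """Return a dict of field -> value from an NPS 'Authentication Details' block."""
    fields = {}
    for line in text.splitlines():
        # Non-greedy field name so 'EAP Type: Microsoft: Smart Card ...' splits at the first colon.
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m and m.group(1) != "Authentication Details":
            fields[m.group(1)] = m.group(2)
    return fields


def triage(text):
    """Parse the event and return the reason code, matched policy, EAP type and a hint."""
    f = parse_auth_details(text)
    raw = f.get("Reason Code", "")
    code = int(raw) if raw.isdigit() else None
    hint = REASON_HINTS.get(code, "Unrecognised reason code; read the Reason text in the event.")
    if code == 23 and "Smart Card or other certificate" in f.get("EAP Type", ""):
        # EAP-TLS on a mobile client: the checks that resolved the thread above.
        hint += (" Checklist for a mobile client: the device profile must carry the issuing "
                 "CA certificate as a trust anchor, the identity (PKCS#12) certificate, and "
                 "a certificate subject/SAN that NPS can map to an AD object.")
    return {
        "reason_code": code,
        "network_policy": f.get("Network Policy Name"),
        "eap_type": f.get("EAP Type"),
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run it on the event text copied from Event Viewer (or a saved EVTX export converted to text); the parser only depends on the "Field: value" layout NPS uses, so other reason codes can be added to the table as you meet them.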
ASKER CERTIFIED SOLUTION

This solution is only available to members.
You my friend are a LEGEND!

I didn't notice I could add more than one certificate to the profile. Now I have added the CA I can connect successfully.

Thank you very much for your help!
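As an added example (not from the thread, AirWatch, or Apple), here is a Python check of the cross-references inside an Apple configuration profile (.mobileconfig) for an EAP-TLS Wi-Fi payload, the same structure an MDM such as AirWatch pushes to the iPad. The payload type names and keys are Apple's documented ones; the certificate bytes, UUIDs, SSID and server name are constructed placeholders. With include_ca=False the profile reproduces the asker's first attempt (identity cert present, no CA), and the check reports the dangling trust anchor; with the CA payload added it passes.

```python
"""Validate an Apple configuration profile (.mobileconfig) for EAP-TLS Wi-Fi.

Added example, not code from the thread, AirWatch or Apple. It builds a
profile with the standard Wi-Fi, PKCS#12 identity and root-CA payload
types and checks the cross-references that the thread's failure turned
on: the Wi-Fi payload's trust anchor must point at a CA payload that is
actually in the profile. Certificate bytes, UUIDs and names are
constructed placeholders.
"""
import plistlib
import uuid

WIFI = "com.apple.wifi.managed"
PKCS12 = "com.apple.security.pkcs12"
ROOT_TYPES = {"com.apple.security.root", "com.apple.security.pem"}
EAP_TLS = 13  # EAP method number for EAP-TLS (RFC 5216)


def _payload(ptype, **extra):
    """Common payload envelope with a fresh UUID."""
    p = {"PayloadType": ptype, "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadIdentifier": f"example.{ptype}.{uuid.uuid4().hex[:8]}",
         "PayloadVersion": 1}
    p.update(extra)
    return p


def build_profile(ssid, include_ca):
    """Return a profile dict; include_ca=False mirrors the asker's first attempt."""
    identity = _payload(PKCS12, PayloadContent=b"PLACEHOLDER-PKCS12-BYTES", Password="changeit")
    ca = _payload("com.apple.security.root", PayloadContent=b"PLACEHOLDER-CA-DER-BYTES")
    wifi = _payload(WIFI, SSID_STR=ssid, EncryptionType="WPA2", AutoJoin=True,
                    PayloadCertificateUUID=identity["PayloadUUID"],
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                        "TLSTrustedServerNames": ["radius-server.example.test"],  # placeholder
                        "TLSAllowTrustExceptions": False,
                    })
    payloads = [wifi, identity] + ([ca] if include_ca else [])
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "example.eaptls.wifi", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": f"EAP-TLS Wi-Fi: {ssid}", "PayloadContent": payloads}


def check_profile(profile):
    """Return a list of problems; an empty list means the references line up."""
    problems = []
    by_uuid = {p["PayloadUUID"]: p for p in profile.get("PayloadContent", [])}
    wifis = [p for p in by_uuid.values() if p["PayloadType"] == WIFI]
    if not wifis:
        return ["no Wi-Fi payload"]
    for w in wifis:
        ssid = w.get("SSID_STR", "?")
        eap = w.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append(f"{ssid}: EAP-TLS (13) not in AcceptEAPTypes")
        ident = by_uuid.get(w.get("PayloadCertificateUUID"))
        if ident is None or ident["PayloadType"] != PKCS12:
            problems.append(f"{ssid}: PayloadCertificateUUID does not point at a PKCS#12 identity payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(f"{ssid}: no trust anchor; client cannot validate the NPS server certificate")
        for a in anchors:
            if by_uuid.get(a, {}).get("PayloadType") not in ROOT_TYPES:
                problems.append(f"{ssid}: anchor {a} is not a CA certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: TLSTrustedServerNames empty; the RADIUS server name is not pinned")
    return problems


def roundtrip(profile):
    """Serialise to .mobileconfig XML plist and parse it back, as an MDM would."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    for include_ca in (False, True):
        prof = roundtrip(build_profile("example-ssid", include_ca))
        print(f"include_ca={include_ca}: {check_profile(prof) or 'OK'}")
```

The same three pieces apply to the Android side of the thread: the Wi-Fi configuration needs the identity (user) certificate, the CA certificate that issued the NPS server's certificate, and a server name to match, otherwise the EAP-TLS handshake fails before NPS ever looks up the account.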
Thanks for sharing as well.