iPad / Android device authentication with 2012 NPS Server

Hi guys

I have a corporate Juniper wireless network setup and I'm trying to authenticate an iPad and an Android tablet with a Windows 2012 R2 NPS server.

I have created the user cert and downloaded it to the devices, however I'm not sure where or how I can tell the iPad or tablet to use the cert for authentication. Is there some sort of app that I can use for this? Within a Windows machine I can dive into the SSID and tell it what to use, but I can't find any good information on how to do this with an iPad.

So the outcome I would like is for the user to authenticate to the network with this one user certificate.

Any help would be greatly appreciated.


btan (Exec Consultant) commented:
Juniper is most likely using RADIUS (via NPS) to check the mobile device before granting access to the enterprise WiFi (using 802.1X, WPA-Enterprise, or WPA2-Enterprise). But in general, I see this article may be useful - note its lab setup and steps.
For Android - have you installed the certificate into credential storage? Then you should be able to select it when entering details for connecting to the WiFi network. See https://networklessons.com/wireless/eap-tls-certificates-for-wireless-on-android/

For iWhatever, I'm pretty sure you have to use a configuration profile (where you specify the settings for the connection, certificates, etc.) and load it on the device. Use the Apple Configurator (previously iPhone Configuration Utility). https://support.apple.com/en-us/HT201460

I've also read about NDES, but have no experience with it.  I think it is a more automated way of getting certificates on the iWhatevers.
btan (Exec Consultant) commented:
Yes, using the NDES role so the mobile device requests and gets issued the certificate through SCEP is doable and seamless; just also be aware of the use of a user cert on mobile (NPS sees it as a machine cert, so some tweaking is needed, as shared in the post):
Devices such as iPads behave differently, where they treat all certificates installed as a user certificate, hence when passing the subject name to the NPS server, NPS will look for a user object in AD DS rather than a computer object, causing the authentication request to fail

The certificates installed on iPads use the Network Device Enrollment Services (NDES), which utilizes the Simple Certificate Enrollment Protocol (SCEP) to enroll for device certificates. This is the default and can't be changed. These device certificates are computer certificates and not user certificates.

As a result, the Network Policy Server (NPS) will deny access to the iPad device, because it is mapping the wrong certificate type... The only way to make this work is to map the computer-enrolled certificate to a user account.

Terellion (Author) commented:
Hi guys

Thanks for the information.

I went to my RADIUS server http://radius-server/certsrv/ and requested the licence. I then copied that licence to my Android device, but I still can't select it when setting up the WiFi connection; it still says "unspecified" in the drop-down menu.

As for the iPad, I can't even select a certificate or anything. I have, however, heard of the iPhone or iPad configuration tool which allows this? Have you heard of this before?

Am I going in the right direction?

btan (Exec Consultant) commented:
Need to make sure the root CA and the actual cert issued for Android are both imported. Run the steps in the link, and the credential storage should show these certs if imported correctly. See this snapshot https://networklessons.com/wp-content/uploads/2013/06/Android-Trusted-Credentials.png

When you install credentials, you should also install the intermediate certificates to establish a chain to a trusted certificate on the device. For iPad, you can get the cert with your CA supporting NDES (see pre-reqs) and import it via the profile configurator (under SCEP).
(user identity cert supported: .p12; root/intermediate supported: .cer, .pem, .der)
When users receive configuration profiles, they're prompted to review the profile before tapping Install to install the profile. Users can review and remove installed profiles by navigating to Settings > General > Profiles.
"...I have, however, heard of the iPhone or iPad configuration tool which allows this? Have you heard of this before?"
This makes me wonder if you even read my previous post.
Terellion (Author) commented:
footech - an oversight, apologies, thanks for that.

Thanks btan, I will give it a try and let you know how it goes.
Terellion (Author) commented:
Apparently the cert I used was not getting installed properly because of Chrome.

I used IE and it worked. I then extracted the .pfx file and the Android device now connects. Result!

As for the iPad, the Apple Configurator only works for iOS 7 and under, unless you have a Mac, which I don't.

So because of this setback I then created an AirWatch profile and uploaded the certificates to the profile for the iPad. It has been rolled out successfully and I have the cert on the device now, but I now get the following when trying to authenticate with the NPS server...

Authentication Details:
      Connection Request Policy Name:      dev-corp
      Network Policy Name:            dev-corp
      Authentication Provider:            Windows
      Authentication Server:            radius-server
      Authentication Type:            EAP
      EAP Type:                  Microsoft: Smart Card or other certificate
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  23
      Reason:                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

It seems to connect and put it into the correct connection and network policy, but then comes out with an error? I'm wondering if there is something I'm missing in AirWatch?

Shall I create a new question for AirWatch users?

btan (Exec Consultant) commented:
I suspect the trust chain is not fully established, hence the error. In the AirWatch MDM configuration of the iPad profile, see if you have also uploaded the Root CA, Sub CA and the RADIUS certificate into the credential section of the iOS profile configured. Once the certificates have been uploaded and are on the device, check that the "tick" for the certificates in the trusted section of the Wi-Fi settings is done as well.
See EE post - http://www.experts-exchange.com/questions/28690604/iOS-8-WPA2-Enterprise-EAP-TLS-Issues.html#a40843345

The discussion has the same issue you faced, shared by DarvADM:
For people who use MDM, I've found the solution:

Yes, Apple has improved the security in iOS 8. Now the user can't validate the CA certificate himself. You have to include the CA certificate in the wifi profile if it's a self-signed certificate.

After doing this, your CA will be included in the trusted certificates database and the handshake will be OK.

For info, NPS error code listing (for code 23):
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors. By default, these log files are located at %windir%\System32\Logfiles.

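The fix described above (ship the Root CA and Sub CA inside the Wi-Fi payload so the device can anchor trust in the RADIUS server certificate, rather than relying on the user to accept it) can be checked mechanically before a profile is pushed by MDM. The following is an added example, not code from the thread or from AirWatch/Apple: it builds an EAP-TLS .mobileconfig with Python's standard plistlib, using the payload keys documented in Apple's Configuration Profile Reference (com.apple.wifi.managed, EAPClientConfiguration, PayloadCertificateAnchorUUID, TLSTrustedServerNames), and a lint function that flags the exact misconfiguration the author hit: an identity present but no CA payloads anchored. The certificate bytes, the PKCS#12 password, the com.example.corp identifier prefix and the SSID dev-corp are constructed placeholders; radius-server is the hostname from the thread.

```python
"""Build and lint an iOS EAP-TLS Wi-Fi configuration profile (.mobileconfig).

Added example, not from the thread. Certificate contents below are constructed
placeholders; replace them with the real DER / PKCS#12 file contents.
"""
import plistlib
import uuid

# Constructed placeholder bytes standing in for the real certificate files.
ROOT_CA_DER = b"PLACEHOLDER-ROOT-CA-DER"
SUB_CA_DER = b"PLACEHOLDER-SUB-CA-DER"
USER_IDENTITY_P12 = b"PLACEHOLDER-USER-IDENTITY-P12"
IDENTITY_P12_PASSWORD = "placeholder-p12-password"
EAP_TLS = 13  # EAP method type number for EAP-TLS (RFC 5216)
ORG = "com.example.corp"  # assumed reverse-DNS prefix for PayloadIdentifier

CA_PAYLOAD_TYPES = {
    "com.apple.security.root",   # root CA, DER
    "com.apple.security.pkcs1",  # intermediate/other CA, DER
    "com.apple.security.pem",    # CA, PEM
}


def _payload(payload_type, display_name, **extra):
    """Common keys every configuration-profile payload must carry."""
    pid = str(uuid.uuid4())
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadUUID": pid,
        "PayloadIdentifier": f"{ORG}.{pid}",
        "PayloadDisplayName": display_name,
    }
    payload.update(extra)
    return payload


def cert_payload(payload_type, display_name, file_name, content, **extra):
    """A certificate payload; plistlib writes the bytes as a <data> element."""
    return _payload(payload_type, display_name,
                    PayloadCertificateFileName=file_name,
                    PayloadContent=content, **extra)


def build_profile(ssid, trusted_server_names, include_ca_chain=True):
    """Return the profile as a dict (top-level PayloadType 'Configuration').

    include_ca_chain=False reproduces the failing setup from the thread:
    the user identity is present, but no CA payload is anchored, so the device
    has nothing to validate the RADIUS server certificate against.
    """
    identity = cert_payload("com.apple.security.pkcs12", "User identity",
                            "user.p12", USER_IDENTITY_P12,
                            Password=IDENTITY_P12_PASSWORD)
    payloads = [identity]
    anchors = []
    if include_ca_chain:
        root = cert_payload("com.apple.security.root", "Root CA", "root.cer", ROOT_CA_DER)
        sub = cert_payload("com.apple.security.pkcs1", "Issuing CA", "sub.cer", SUB_CA_DER)
        payloads += [root, sub]
        anchors = [root["PayloadUUID"], sub["PayloadUUID"]]

    wifi = _payload(
        "com.apple.wifi.managed", f"Wi-Fi {ssid}",
        SSID_STR=ssid,
        HIDDEN_NETWORK=False,
        AutoJoin=True,
        EncryptionType="WPA2",
        PayloadCertificateUUID=identity["PayloadUUID"],  # client identity
        EAPClientConfiguration={
            "AcceptEAPTypes": [EAP_TLS],
            # CA payloads the device may use to validate the server cert
            "PayloadCertificateAnchorUUID": anchors,
            # names the RADIUS server certificate must present
            "TLSTrustedServerNames": list(trusted_server_names),
            # never let the user click through an untrusted server cert
            "TLSAllowTrustExceptions": False,
        })
    payloads.append(wifi)
    return _payload("Configuration", f"EAP-TLS for {ssid}", PayloadContent=payloads)


def check_trust_anchors(profile):
    """Return problems that would leave EAP-TLS server trust unverifiable."""
    problems = []
    payloads = profile["PayloadContent"]
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    for wifi in (p for p in payloads if p["PayloadType"] == "com.apple.wifi.managed"):
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS in eap.get("AcceptEAPTypes", []):
            ident = by_uuid.get(wifi.get("PayloadCertificateUUID"))
            if not ident or ident["PayloadType"] != "com.apple.security.pkcs12":
                problems.append("EAP-TLS enabled without a PKCS#12 identity payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no CA payload anchored: device cannot validate the RADIUS server certificate")
        for a in anchors:
            if a not in by_uuid or by_uuid[a]["PayloadType"] not in CA_PAYLOAD_TYPES:
                problems.append(f"anchor {a} does not reference a CA certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames empty: any cert from the anchored CA is accepted")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append("TLSAllowTrustExceptions not disabled")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist that iOS/MDM expect in a .mobileconfig."""
    return plistlib.dumps(profile)


def load_profile(data):
    return plistlib.loads(data)
```

Run check_trust_anchors on the profile an MDM exports before rolling it out: a profile with only the identity payload fails the "no CA payload anchored" check, which is the state that produced NPS reason code 23 here, while the same profile with the Root CA and Sub CA payloads anchored passes. Pinning TLSTrustedServerNames to the RADIUS server's certificate name closes the remaining gap of accepting any certificate the anchored CA has issued.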
Terellion (Author) commented:
You my friend are a LEGEND!

I didn't notice I could add more than one certificate to the profile. Now I have added the CA, I can connect successfully.

Thank you very much for your help!
btan (Exec Consultant) commented:
Thanks for sharing as well.