We want to use RADIUS for our iOS/Wi-Fi BYOD Wi-Fi network, with AD username/password auth (not TLS device certificates).
I've got Server 2012 R2 installed with NPS up and running, but as iOS doesn't trust the built-in (server.domain.internal) certificate, it prompts the user to trust it. I'm trying to get it working without any cert prompt.
I've installed and generated our CA domain certificate and pushed that to the iPads via MDM, and I can see that appearing on the iPad. Because it's gone via MDM, it's already set to "Enable full trust for root certs" by default.
I've then generated a CA-signed cert for the NPS server and selected it within NPS > Network Policies > Constraints > Microsoft PEAP.
When you connect an iPad to the SSID, it prompts for credentials correctly then prompts to trust the NPS cert - but it is signed by our CA, which the iPad already trusts. Should it not just trust the NPS cert? I've also added the NPS cert to the iPad, seen that it is "Trusted" as it has the root installed and trusted, but still it prompts when authenticating onto the SSID.
If I trust the cert, the iPad is authorised and both UniFi and Smoothwall see the iPad with username, so RADIUS itself is working - it's just the iPad is always prompting to trust a cert?
I've also read that generating a CA-signed cert via IIS request doesn't work, so I used OpenSSL to generate a CA and CA-signed cert, but that combination throws an error in the NPS log: "The client could not be authenticated because the EAP Type cannot be processed by the server".
Any advice either way on joining and authenticating to an NPS server from an iPad without any certificate prompts would be gratefully received. (We have MDM so can push the necessary certs to it, just can't find a way of it not prompting even if it has it installed!)