Peter Howarth (United Kingdom of Great Britain and Northern Ireland) asked:

iOS RADIUS auth to NPS Server 2012

Hi.

We want to use RADIUS for our iOS/Wi-Fi BYOD wireless network, with AD username/password auth (not TLS device certificates).

I've got Server 2012 R2 installed with NPS up and running, but as iOS doesn't trust the builtin (server.domain.internal) certificate, it prompts the user to trust it. I'm trying to get it working without any cert prompt.

I've installed and generated our CA domain certificate and pushed that to the iPads via MDM, and I can see that appearing on the iPad. Because it's gone via MDM, it's already set to "Enable full trust for root certs" by default.

I've then generated a CA-signed cert for the NPS server and selected it within NPS > Network Policies > Constraints > Microsoft PEAP.

When you connect an iPad to the SSID, it prompts for credentials correctly, then prompts to trust the NPS cert - but it is signed by our CA, which the iPad already trusts. Should it not just trust the NPS cert? I've also added the NPS cert to the iPad and seen that it is "Trusted" as it has the root installed and trusted, but still it prompts when authenticating onto the SSID.

If I trust the cert, the iPad is authorised and both UniFi and Smoothwall see the iPad with its username, so RADIUS itself is working - it's just that the iPad is always prompting to trust a cert?

I've also read that generating a CA-signed cert via an IIS request doesn't work, so I used OpenSSL to generate a CA and CA-signed cert, but that combination throws an error in the NPS log: "The client could not be authenticated because the EAP Type cannot be processed by the server".

Any advice either way on joining and authenticating to an NPS server from an iPad without any certificate prompts would be gratefully received. (We have MDM so can push the necessary certs to it; we just can't find a way of it not prompting even if it has them installed!)

Peter
Tags: iOS, Wireless Networking, Networking

Last comment: Peter Howarth, 8/22/2022 - Mon
David Johnson, CD

You need to have an FQDN that has a certificate that uses a certificate authority chain built into the iPad.
Are your CRL/AIAs available via the internet? In all likelihood you are in a catch-22 situation, in that you can't verify the certificate until you connect to the network, but in order to connect to the internet you have to OK the certificate.
Peter Howarth

ASKER
Hi David.

How does this work when the RADIUS server is on my domain, so the FQDN is .domain.local, not e.g. .publicdomain.com?

Can I get the NPS server to advertise itself as .publicdomain.com?

(I have split DNS, and my new wifi, old wifi and firewall appliances all advertise themselves as .publicdomain.com and have a real-world cert on them; unfortunately it's a) a wildcard and b) GoDaddy, which uses intermediates that aren't in the iOS chain store.)

Peter
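As an added example (not from this thread and not the hidden certified solution), this is the shape of an MDM-delivered configuration profile that both installs the internal root CA and, in the same profile, pins that root as the trust anchor and names the expected NPS server for PEAP. Installing the root by itself, as described in the question, leaves iOS to show the certificate dialog on a manual 802.1X join; a Wi-Fi payload whose `EAPClientConfiguration` references the anchor is what removes the prompt. The payload keys are Apple's documented configuration-profile keys; the SSID, identifiers, UUIDs, the server name `nps.domain.local` and the base64 placeholder are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.byod-wifi</string>
  <!-- Assumed UUIDs: replace with values generated by your MDM -->
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadDisplayName</key><string>BYOD Wi-Fi (PEAP)</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. Internal root CA. Its PayloadUUID is what the Wi-Fi payload pins to. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod-wifi.rootca</string>
      <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
      <key>PayloadDisplayName</key><string>Internal Root CA</string>
      <key>PayloadContent</key>
      <data>
      BASE64-DER-OF-YOUR-ROOT-CA-CERTIFICATE-PLACEHOLDER
      </data>
    </dict>
    <!-- 2. Wi-Fi network. Trust is decided by this block, not by the user. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod-wifi.ssid</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>PayloadDisplayName</key><string>BYOD Wi-Fi</string>
      <key>SSID_STR</key><string>BYOD-WiFi</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP; the user is prompted for AD username/password on first join -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <!-- Must match the subject name in the certificate NPS presents -->
        <key>TLSTrustedServerNames</key>
        <array><string>nps.domain.local</string></array>
        <!-- Only certificates chaining to this payload's CA are accepted -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>11111111-1111-4111-8111-111111111111</string></array>
        <!-- Do not let the user accept an unexpected server certificate -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Two checks before pushing this: the certificate selected under NPS > Network Policies > Constraints > Microsoft PEAP must carry the Server Authentication EKU and a subject name equal to the entry in `TLSTrustedServerNames` (a wildcard entry such as `*.domain.local` is also accepted), and `PayloadCertificateAnchorUUID` must contain the UUID of the certificate payload in the same profile rather than of a root installed separately. Setting `TLSAllowTrustExceptions` to false is the defensive choice for BYOD: an access point presenting any other certificate cannot collect credentials, because the client refuses the handshake instead of asking the user to trust it.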
ASKER CERTIFIED SOLUTION
Peter Howarth
