Peter Howarth (United Kingdom)

asked on

iOS Radius auth to NPS Server 2012

Hi.

We want to use Radius for our iOS/Wi-Fi BYOD Wi-Fi network, with AD username/password auth (not TLS device certificates).

I've got Server 2012 R2 installed with NPS up and running, but as iOS doesn't trust the built-in (server.domain.internal) certificate, it prompts the user to trust it. I'm trying to get it working without any cert prompt.

I've installed and generated our CA domain certificate and pushed that to the iPads via MDM, and I can see that appearing on the iPad. Because it's gone via MDM, it's already set to "Enable full trust for root certs" by default.

I've then generated a CA-signed cert for the NPS server and selected it within NPS > Network Policies > Constraints > Microsoft PEAP.

When you connect an iPad to the SSID, it prompts for credentials correctly then prompts to trust the NPS cert - but it is signed by our CA which the iPad already trusts. Should it not just trust the NPS cert? I've also added the NPS cert to the iPad, seen that it is "Trusted" as it has the root installed and trusted, but still it prompts when authenticating onto the SSID.

If I trust the cert, the iPad is authorised and both UniFi and Smoothwall see the iPad with username so Radius itself is working - it's just the iPad is always prompting to trust a cert?

I've also read that generating a CA-signed cert via IIS request doesn't work, so used OpenSSL to generate a CA and CA-signed cert but that combination throws an error in NPS log "The client could not be authenticated because the EAP Type cannot be processed by the server".

Any advice either way on joining and authenticating to an NPS server from an iPad without any certificate prompts would be gratefully received. (We have MDM so can push the necessary certs to it, just can't find a way of it not prompting even if it has it installed!)

Peter
David Johnson, CD (Canada)

You need to have a FQDN that has a certificate that uses the certificate authority chain built into the iPad.
Is your CRL/AIA available via the internet? In all likelihood you are in a catch-22 situation in that you can't verify the certificate until you connect to the network, but in order to connect to the internet you have to OK the certificate.
Peter Howarth (asker)

Hi David.

How does this work when the Radius server is on my domain, so FQDN is .domain.local not eg .publicdomain.com?

Can I get the NPS server to advertise itself as .publicdomain.com?

(I have split DNS and my new wifi, old wifi and firewall appliances all advertise themselves as .publicdomain.com and have a real-world cert on them; unfortunately it's a) a wildcard and b) GoDaddy which uses intermediates that aren't in the iOS chain store).

Peter
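An added example, not part of the thread and not written by any of its participants: a standard-library Python script that assembles the kind of Apple configuration profile an MDM would push for this setup. Two settings in the Wi-Fi payload's EAPClientConfiguration decide whether the device asks the user to trust the RADIUS server's certificate: `PayloadCertificateAnchorUUID` (which pins PEAP trust to a CA root carried in the same profile) and `TLSTrustedServerNames` (which names the server certificate may present); with `TLSAllowTrusted` set to false the device never offers a trust dialog at all, it simply refuses a non-matching server. That also answers the split-DNS question from a defender's standpoint: the iPad never resolves or contacts the NPS server by name, it only sees the certificate the access point relays inside the EAP exchange, so the name to list is the subject or SAN name in the NPS certificate, whatever internal or public DNS says. The SSID, organisation identifier, server name and CA DER bytes below are constructed placeholders, and the wildcard matching in `server_name_trusted` is an assumption that approximates, rather than reproduces, the device's own matching; the key names follow Apple's Wi-Fi and root-certificate payload reference and should be checked against your MDM's documentation.

```python
"""Assemble an Apple configuration profile (.mobileconfig) that installs an internal
CA root and an enterprise Wi-Fi network whose PEAP trust is anchored to that CA, so
the device never shows a "trust this certificate" dialog.  Standard library only."""
import plistlib
import uuid
from fnmatch import fnmatchcase

# Constructed placeholder: in practice read the CA's DER-encoded certificate from a
# file, e.g. open("internal-ca.cer", "rb").read().  These bytes are NOT a certificate.
CA_DER_PLACEHOLDER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"

EAP_TYPE_PEAP = 25          # IANA EAP method number for PEAP (MSCHAPv2 runs inside it)
ROOT_PAYLOAD = "com.apple.security.root"
WIFI_PAYLOAD = "com.apple.wifi.managed"


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ssid, ca_der, trusted_server_names, org_id="com.example.byod"):
    """Return the profile as a dict. org_id is a hypothetical reverse-DNS identifier."""
    cert_uuid, wifi_uuid = _new_uuid(), _new_uuid()
    cert_payload = {
        "PayloadType": ROOT_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".ca",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "Internal CA root",
        "PayloadContent": ca_der,          # bytes are written as a <data> element
    }
    wifi_payload = {
        "PayloadType": WIFI_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".wifi",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": "BYOD Wi-Fi (" + ssid + ")",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "AutoJoin": True,
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TYPE_PEAP],
            # Pin PEAP trust to the root payload carried in this same profile.
            "PayloadCertificateAnchorUUID": [cert_uuid],
            # Names the RADIUS server's certificate may present (subject CN / SAN).
            "TLSTrustedServerNames": list(trusted_server_names),
            # False: a non-matching server certificate fails the join instead of
            # offering the user a trust dialog (the default, True, allows the dialog).
            "TLSAllowTrusted": False,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "BYOD Wi-Fi with internal CA",
        "PayloadContent": [cert_payload, wifi_payload],
    }


def validate_profile(profile):
    """Return the list of problems that would lead to a trust prompt or a failed join."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    roots = {p["PayloadUUID"] for p in payloads if p.get("PayloadType") == ROOT_PAYLOAD}
    uuids = [p["PayloadUUID"] for p in payloads]
    if len(uuids) != len(set(uuids)):
        problems.append("duplicate PayloadUUID")
    for p in payloads:
        if p.get("PayloadType") != WIFI_PAYLOAD:
            continue
        eap = p.get("EAPClientConfiguration", {})
        tag = p["PayloadUUID"]
        if EAP_TYPE_PEAP not in eap.get("AcceptEAPTypes", []):
            problems.append(tag + ": PEAP not in AcceptEAPTypes")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(tag + ": no certificate anchor, device falls back to prompting")
        for anchor in anchors:
            if anchor not in roots:
                problems.append(tag + ": anchor " + anchor + " has no root payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(tag + ": no TLSTrustedServerNames")
        if eap.get("TLSAllowTrusted", True):
            problems.append(tag + ": TLSAllowTrusted permits a trust dialog")
    return problems


def server_name_trusted(presented_name, trusted_names):
    """Assumption: approximate the device's match as case-insensitive with '*' wildcards."""
    name = presented_name.lower()
    return any(fnmatchcase(name, pattern.lower()) for pattern in trusted_names)


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM pushes to devices."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_profile("BYOD-WiFi", CA_DER_PLACEHOLDER, ["nps.publicdomain.com"])
    print(validate_profile(profile) or "profile OK")
    print(to_mobileconfig(profile).decode()[:400])
```

The validator is the useful part in practice: run it over a profile exported from the MDM before deploying, and it names the missing anchor, the empty server-name list or the permissive `TLSAllowTrusted` that would bring the prompt back. The NPS certificate itself still has to be issued for the listed name and carry the Server Authentication EKU, which this script does not check.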
ASKER CERTIFIED SOLUTION
Peter Howarth (United Kingdom)