
iOS Radius auth to NPS Server 2012

Asked by Peter Howarth
Tags: iOS, Wireless Networking, Networking
Hi.

We want to use Radius for our iOS/Wifi BYOD wifi network, with AD username/password auth (not TLS device certificates).

I've got Server 2012 R2 installed with NPS up and running, but as iOS doesn't trust the builtin (server.domain.internal) certificate, it prompts the user to trust it. I'm trying to get it working without any cert prompt.

I've installed and generated our CA domain certificate and pushed that to the iPads via MDM, and I can see that appearing on the iPad. Because it's gone via MDM, it's already set to "Enable full trust for root certs" by default.

I've then generated a CA-signed cert for the NPS server and selected it within NPS > Network Policies > Constraints > Microsoft PEAP.

When you connect an iPad to the SSID, it prompts for credentials correctly then prompts to trust the NPS Cert - but it is signed by our CA which the iPad already trusts. Should it not just trust the NPS cert? I've also added the NPS cert to the iPad, seen that it is "Trusted" as it has the root installed and trusted, but still it prompts when authenticating onto the SSID.

If I trust the cert, the iPad is authorised and both UniFi and Smoothwall see the iPad with username so Radius itself is working - it's just the iPad is always prompting to trust a cert?

I've also read that generating a CA-signed cert via IIS request doesn't work, so used OpenSSL to generate a CA and CA-signed cert but that combination throws an error in NPS log "The client could not be authenticated because the EAP Type cannot be processed by the server".  

Any advice either way on joining and authenticating to an NPS server from an iPad without any certificate prompts would be gratefully received. (We have MDM so can push the necessary certs to it, just can't find a way of it not prompting even if it has it installed!)

Peter
ASKER CERTIFIED SOLUTION
Peter Howarth
IT Network Manager
