sidewaysguy asked:
Issue accessing internal resources from mobiles on internal-wifi using certificates

Hey EE,

We want to install our internal root certs on all mobile phones in our org through BES UEM so that once the employees' phones are registered on BES and connect to Corporate-Wifi, they have access to internal resources like SharePoint / RDP etc. In this question though, please ignore the BES pushing part, as currently we are in the testing phase and BES is not in question; I am just trying to clear my concepts and am installing the cert manually for now. We are doing this so that only the authorized company phones are able to get to our internal resources.

We are using the BES UEM interface to push the certs to iPhones, Androids, and BlackBerries. So far we are starting our test with iPhone only. With BES UEM I am only able to push certs in the formats .der, .cer, .key, .pem and .crt, which makes sense, as we do not want to push .pfx since it contains the private key too.

These certs are provided to us in the server team by our Network team, and so far I am not sure how they were created or using which internal root CA servers, but I am told that they should be working, as tested by installing them manually on the phone. I got the cert file in two different formats: .cer and .pfx.

The issue is that if I install the .CER file manually on the test iPhone, it installs fine, the user connects to Corporate-Wifi (which installs another wifi cert) and is ABLE to browse the internet but NOT ABLE to access internal resources like SharePoint or RDP to servers.

On the other hand, we are able to access the internet as well as internal resources like RDP through the .PFX certificate file format.

By manually installing the "pfx file" on the iPhone (in order to install it on the iPhone the user needs to enter the password/private key for it manually, which is another issue), connecting to wifi, and while connecting to wifi changing the mode to EAP-TLS (from automatic) and selecting "identity" as that installed cert, the iPhone is able to access SharePoint and RDP.

One tech suggested importing and exporting the known working .pfx cert file in IE to strip out the private key and convert it into a .cer file. I tried installing it on the phone; it installs, but while connecting to Corporate-Wifi and choosing identity it doesn't show this cert as installed on the phone, and therefore it doesn't work.

I am not too experienced with how certs work, so I have the following questions for you guys:

1. Any suggestion on why the .PFX version of the cert is working on the iPhone to access internal resources while the .cer doesn't?

2. My understanding is that a .pfx file shouldn't be used to install certs on the phones as it contains the private key, and .cer files should always be used. Is that correct?

3. How do we generate the right .cer file that, once pushed, can simply install on the iPhone without many manual prompts and allow users to access the internet as well as internal resources like SharePoint and RDP without any security warnings?

Thanks a ton in advance!

Thanks,
ArneLovius replied:

At a guess, two different wifi networks with different access, or one wifi network with different profiles for different authentication methods.

I would suggest speaking to your network team.
btan replied:

PFX on phone is alright

Unlike most TLS implementations of HTTPS, such as on the WWW, most implementations of EAP-TLS require client-side X.509 certificates without giving the option to disable the requirement, even though the standard does not mandate their use.

The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates a convenience vs. security trade-off. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage.

The highest security available is when the "private keys" of client-side certificate are housed in smart cards or certificate stores. This is because there is no way to steal a client-side certificate's private key from a smart card or certificate store without stealing the card or device itself.

In gist, EAP-TLS can be used in WPA2-Enterprise networks using 802.1x to authenticate users. EAP-TLS uses certificates to allow the client and your RADIUS server to mutually authenticate and mutually verify the server (RADIUS) and the client. Likely there are different authentication requirements configured for your 2 networks.
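As an added illustration of questions 1 and 2 above and of the client-certificate requirement btan describes (an example shell script, not code from anyone in this thread; the throwaway CA, subject names, file names and the password "demo" are all constructed): an EAP-TLS identity needs the device's private key, which the .pfx carries and a .cer cannot, so a certificate-only .cer is the right format for the root CA the phone must trust, not for the client identity.

```shell
# Added example, not from the thread. Builds a throwaway internal CA and a device
# certificate with openssl, then compares the two files from the question: a .pfx
# (certificate + private key) and a .cer (certificate only). All values constructed.
set -eu
WORK=$(mktemp -d)
# 1. Throwaway root CA, standing in for the network team's internal root CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
  -subj "/CN=Demo Internal Root CA" -days 1 2>/dev/null

# 2. Device key and certificate signed by that CA, with the Client Authentication
#    extended key usage an EAP-TLS RADIUS server expects on an identity certificate.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" -out "$WORK/client.csr" \
  -subj "/CN=test-iphone-01" 2>/dev/null
printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/client.cer" -days 1 -extfile "$WORK/client.ext" 2>/dev/null

# 3. The two artefacts from the question. The .pfx bundles certificate, CA chain and
#    private key behind a password; the .cer is the same certificate exported without
#    the key (what "import and export in IE without the private key" produces).
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.cer" \
  -certfile "$WORK/ca.cer" -out "$WORK/client.pfx" -passout pass:demo
openssl x509 -in "$WORK/client.cer" -outform DER -out "$WORK/client-stripped.cer"

# has_private_key FILE PASSWORD: succeeds only if FILE carries a private key, i.e.
# only if it can act as an EAP-TLS identity rather than just a trust anchor.
has_private_key() {
  case "$1" in
    *.pfx|*.p12) openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
                   | grep -q 'PRIVATE KEY' ;;
    *)           openssl pkey -in "$1" -noout 2>/dev/null ;;
  esac
}

# same_certificate PFX PASSWORD DER_CER: true when the certificate inside the .pfx and
# the stand-alone .cer have the same SHA-256 fingerprint, i.e. stripping the key is the
# only thing that changed between the working and the non-working file.
same_certificate() {
  a=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$3" -inform DER -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}
for f in client.pfx client-stripped.cer ca.cer; do
  if has_private_key "$WORK/$f" demo; then echo "$f: has private key (usable as identity)"
  else echo "$f: certificate only (trust anchor, not an identity)"; fi
done
same_certificate "$WORK/client.pfx" demo "$WORK/client-stripped.cer" && echo "same cert, key stripped"
```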

I found from experience that pushing certs to iPhones and making them accept the certificate was a pain, especially if they are self-signed. A good tool that I found to push certs that made it easy was Apple Configurator 2. It is easy to manage and install certs to your Apple devices. I created a profile with the .cert I wanted to install on the devices and then deployed that profile to our Apple devices. I had to accept a few prompts and then verified that the certificate was enabled on the phone.

Check it out here https://support.apple.com/apple-configurator

Also, have you tried other phones besides an iPhone?