EAP certificate - not trusted by "some" BYOD devices?

dazza_johnson
Level 5

I'm doing EAP authentication and BYOD devices are enrolled using Microsoft Intune (whereby a WiFi profile is pushed to the device, including certs, trusted certs, SSID, etc). What I am being told is that Android devices are accepting the ISE EAP certificate (it's trusted after all) but iPhones/iPads always prompt the first time to accept the ISE EAP certificate - even though it's in the trusted store.

I appreciate this is an ISE forum and not an Android/iDevice forum, but wondered what the forum experience is here? I heard from a colleague that iDevices don't use the trusted cert store for WiFi and that the user must validate the cert the first time whether it is trusted or not. Once trusted it is stored in the wireless profile (forever or until you remove the wireless profile).

Thoughts, guys? Any other peculiarities discovered in the field with other BYOD devices not accepting EAP certificates until the user has manually accepted them?


9 Replies

hslai
Cisco Employee

If the WiFi profiles are deployed via MDM, I would not expect Apple iDevices to prompt unless the WiFi profiles do not include the root certificate(s) for the ISE PSNs. The prompting to trust does occur for ad-hoc connections, e.g. during single-SSID BYOD. The same is observed on Apple macOS and, at times, some Windows client OS.

Recently Android 7.1.x started to mandate selecting an option for CA certificate and specifying the Domain. We've documented this in footnote 11 under Table 3 of Cisco Identity Services Engine Network Component Compatibility, Release 2.1 - Cisco.

Timothy Abbott
Cisco Employee

Hi Darren,

iOS devices always behave this way regardless of whether the RADIUS server certificate is signed by a trusted authority. When an iOS device connects to a new RADIUS server for the first time it will always prompt the end user to trust the server's certificate. To get around the issue of having to prompt the user to accept the certificate while roaming in an ISE deployment, we recommend using wildcard certificates.

Regards,

-Tim

Thanks Tim. To get around this you can also use a single EAP certificate that is shared amongst all ISE nodes; the CN and SAN don't need to match the ISE PSNs, so the CN can just say something like ise.eap.customerx.com - no need for wildcard masks if it is just used for EAP.

If you are using an MDM you can publish a trusted cert CN for the Wireless Connection. If the device trusts the cert chain it will not prompt the user to accept the RADIUS cert unless it changes.

mdm-cert.JPG

If you deploy the wifi profile without this option the user will also be prompted to accept the RADIUS cert even if you trust the cert chain.

Thanks Oliver. This conflicts with what others are saying and what my client says they saw. The MDM was publishing a trusted cert but on iOS devices they were always prompted (on the first connection) to accept the cert. The previous comments on this discussion indicate this is normal iOS behaviour - but you see otherwise in the field?

Hi Tim,

I have a customer in a very similar situation with their Apple iOS devices. Is there any way to get around this problem if they're not using wildcard certificates?

hslai
Cisco Employee

What Oliver said is what I expected and similar to what I responded earlier.

I have not tested with MDM but used Apple Configurator 2 (or Apple iPhone Configuration Utility for earlier Apple iOS/macOS releases) to add WiFi profiles. And I usually add the CA root certificate instead of the ISE server certificate(s) so the same profile can apply, in case the ISE PSNs are not using the same certificate for EAP. Last I tried that, it worked as expected and did not prompt users to trust again, as the trust is specified as part of the configuration profile that includes the WiFi network name(s), certificates, etc.

I could not find my test screenshots but it's similar to Steps 11 ~ 16 of Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES) - Windows PKI blog

Alright, I tested it again.

On Apple iOS and macOS devices you can publish trusted certificates with Apple Configurator or an MDM/EMM solution. For a WPA2 Enterprise wireless profile you have 2 options to avoid the certificate warnings.

1. Publish the cert via profile to the device, even if you are using public certs for RADIUS.

On Meraki MDM for example go to MDM - Settings, choose a profile and select Credential, upload your CA cert and give it a name. Now you can configure your wireless and set the uploaded CA as trusted for this connection.

2. Trust the Subject CN of the RADIUS cert.

With this option you have to enter the CN of the RADIUS cert which will be trusted for the connection.

You can also combine both methods to lock down the profile a bit. Without any of these options the user has to click the wireless connection for the 1st time and accept the certificate warning.

mdm-cert.JPG
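As an added illustration (not from this thread, Meraki, or Apple's own documentation), this is what Oliver's two options look like expressed as an Apple configuration profile, with Darren's single shared EAP certificate CN as the trusted server name: the CA is pushed as a `com.apple.security.root` payload and referenced from the Wi-Fi payload via `PayloadCertificateAnchorUUID`, and the expected RADIUS certificate CN is pinned via `TLSTrustedServerNames`. The SSID, identifiers, UUIDs and the base64 certificate body are placeholders to replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.byod.wifi</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-PROFILE-UUID</string>
  <key>PayloadDisplayName</key><string>Corp Wi-Fi (EAP)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Option 1: ship the CA that signed the ISE EAP certificate with the profile,
         even if that CA is a public one already in the iOS system trust store -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod.wifi.ca</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-CA-UUID</string>
      <key>PayloadDisplayName</key><string>Corp EAP Root CA</string>
      <!-- DER-encoded CA certificate, base64 (placeholder, not a real cert) -->
      <key>PayloadContent</key>
      <data>UExBQ0VIT0xERVItQ0EtQ0VSVC1ERVItQkFTRTY0</data>
    </dict>
    <!-- The WPA2 Enterprise network itself -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod.wifi.ssid</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-WIFI-UUID</string>
      <key>PayloadDisplayName</key><string>Corp Wi-Fi</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP; use 13 for EAP-TLS with a client identity payload -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <!-- Option 1: only the CA payload above may anchor the RADIUS chain -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>PLACEHOLDER-CA-UUID</string></array>
        <!-- Option 2: the CN/SAN the RADIUS cert must present; "*.customerx.com"
             style wildcards are accepted here if you go the wildcard route -->
        <key>TLSTrustedServerNames</key>
        <array><string>ise.eap.customerx.com</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

With both keys set, a RADIUS certificate that chains to a different CA or presents a different name fails the connection instead of producing a prompt the user might click through, which is the lockdown Oliver refers to when combining the two methods.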

Brilliant, thanks Oliver.
