Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
1
Helpful
2
Replies

iOS Wireless User Public Certificate not trusted

Go to solution
Bothwalker
Level 1
Level 1

‎05-16-2023 03:37 AM

Hello,

we are using ISE 3.1 Patch 6.

For our students we share a wireless network (eduroam) with PEAP (EAP-MS-CHAPv2) and our ISE has a public DigiCert certificate configured. If a user connects with an iPhone he is prompted to trust the certificate. We marked the DigiCert certificate in the ISE as "Trust for client authentication and Syslog" and that didnt work.

So we added an OCSP Client Profile and activated "Use OCSP URLs specified in Authority Information Access (AIA)".

Because we thought we have to activate OCSP stapling on the ISE.

But i get the response:

 

openssl s_client -connect xxx:443 -status
CONNECTED(00000005)
OCSP response: no response sent
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = CH, L = xxx, CN = xxx
verify return:1
write W BLOCK

 

OCSP response: no response sent

Does anyone have an idea what is wrong? I rebooted the ISE after changing the "Trust for client authentication and Syslog" option.

Best

Mathias

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎05-17-2023 03:26 PM

Oh the prickly subject of iOS and certificate trust during EAP negotiation. I am pretty sure this is standard behaviour of iOS supplicants. The only way to not get these cert warnings is to push a profile to the iOS device (MDM or Apple Configurator) - then it will connect to the SSID without complaints.

I stand to be corrected on this.

As for OCSP stapling - we are not in control of Digicert CA - I am no OCSP guru, but as far as I know, their OCSP responder would be the one that stables the CA cert chain in the response if it's configured to do so. The ISE EAP server certificate is sent to the client during the TLS establishment ("Server Hello") along with the entire CA chain. You can capture the conversation in a wireshark trace to see it all. The problem is that iOS still doesn't trust the ISE cert on the first connection attempt - extreme paranoia.

View solution in original post

2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎05-17-2023 03:26 PM

Oh the prickly subject of iOS and certificate trust during EAP negotiation. I am pretty sure this is standard behaviour of iOS supplicants. The only way to not get these cert warnings is to push a profile to the iOS device (MDM or Apple Configurator) - then it will connect to the SSID without complaints.

I stand to be corrected on this.

As for OCSP stapling - we are not in control of Digicert CA - I am no OCSP guru, but as far as I know, their OCSP responder would be the one that stables the CA cert chain in the response if it's configured to do so. The ISE EAP server certificate is sent to the client during the TLS establishment ("Server Hello") along with the entire CA chain. You can capture the conversation in a wireshark trace to see it all. The problem is that iOS still doesn't trust the ISE cert on the first connection attempt - extreme paranoia.

Go to solution
ahollifield
VIP
VIP
In response to Arne Bier

‎05-18-2023 06:27 AM

Agree with @Arne Bier here.  An MDM is the only way to accomplish this with any sort of manageability and scale.

0 Helpful
Customers Also Viewed These Support Documents