iOS Wireless User Public Certificate not trusted

Bothwalker
Level 1

Hello,

we are using ISE 3.1 Patch 6.

For our students we share a wireless network (eduroam) with PEAP (EAP-MS-CHAPv2), and our ISE has a public DigiCert certificate configured. If a user connects with an iPhone he is prompted to trust the certificate. We marked the DigiCert certificate in the ISE as "Trust for client authentication and Syslog" and that didn't work.

So we added an OCSP Client Profile and activated "Use OCSP URLs specified in Authority Information Access (AIA)", because we thought we had to activate OCSP stapling on the ISE.

But I get the response:

openssl s_client -connect xxx:443 -status
CONNECTED(00000005)
OCSP response: no response sent
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = CH, L = xxx, CN = xxx
verify return:1
write W BLOCK

OCSP response: no response sent

Does anyone have an idea what is wrong? I rebooted the ISE after changing the "Trust for client authentication and Syslog" option.

Best

Mathias

Accepted Solution


Arne Bier
VIP

Oh the prickly subject of iOS and certificate trust during EAP negotiation. I am pretty sure this is standard behaviour of iOS supplicants. The only way to not get these cert warnings is to push a profile to the iOS device (MDM or Apple Configurator) - then it will connect to the SSID without complaints.

I stand to be corrected on this.

As for OCSP stapling - we are not in control of the DigiCert CA - I am no OCSP guru, but as far as I know, their OCSP responder would be the one that staples the CA cert chain in the response if it's configured to do so. The ISE EAP server certificate is sent to the client during the TLS establishment ("Server Hello") along with the entire CA chain. You can capture the conversation in a Wireshark trace to see it all. The problem is that iOS still doesn't trust the ISE cert on the first connection attempt - extreme paranoia.

2 Replies

Agree with @Arne Bier here. An MDM is the only way to accomplish this with any sort of manageability and scale.