
Apple devices with enterprise auth / certificate trust

Stuart Patton
Level 1

Hi,

I'm trying to preempt a change of EAP certificate as part of an ISE upgrade we are undertaking and am having problems with certificate trust on Apple devices. We are using a Microsoft CA infrastructure with an offline root and online sub-CA. Previously, when the EAP certificate was due to expire we've created a CSR on ISE, signed the cert and pushed it out to devices from our MDM in advance. However, the devices have both the root and sub-CA public certs installed so in my head this step isn't necessary.

To test it, we've built a new device, installed the root and sub-CA certs with Apple Configurator and as soon as we try to join the SSID with the username/password, we get presented with a prompt to trust the EAP cert. I wasn't sure if the issue is that the device receives the cert, matches the sub-CA cert but cannot reach the CDP/CRL to verify whether the cert is revoked and so it then prompts the user?

I wondered if anyone else has got some ideas/experience? For info I have been referring to this Apple material: https://it-training.apple.com/tutorials/deployment/dm150/

Thanks,

Stuart

4 Replies

What EAP do you use?

MHM

In the auth rule, the protocol is EAP_TLS_MSCHAPV2

JPavonM
VIP

Do you mean TTLS-EAP-MSCHAPv2?

It has happened to me sometimes that Apple devices ask to validate the cert even if they have it pinned to the wireless profile, or the CA ones are installed in the Trusted Store.

Gaurav Kansal
Level 1

Hi,

After the certificate update, Apple devices got a prompt for trust. I think this is an extra security feature provided by the OEM. Also, nowadays there is an option in the WiFi profile settings on Android devices, under the CA certificate tab: "Trust on first use". This is a security feature provided by OEMs. Logically this could not happen if the CA is known.

Regards,
Gaurav Kansal
