10-08-2013 11:23 AM - edited 07-04-2021 01:02 AM
Hi,
After the users upgrade their iPhone to iOS 7, it is asking to accept the certificate multiple times a day. For some iOS 7 users, it asks about 10 times a day to accept the certificate to join the wireless network. The users are frustrated about the process to use the Wi-Fi network. However, it does not do that in iOS 6.
The environment:
Cisco 5508 - 7.4.100.60
WPA2 Enterprise - Microsoft IAS
I searched the web and didn't find anything related to the issue.
I want to check the forum and see if anyone has the same issue.
07-07-2015 05:51 AM
We ended up purchasing a cert to see if it would take care of the issue and it did. However, the users still have to trust the cert once (versus accepting it every time they connect). I spoke with Digicert about this and they said that with iOS and RADIUS authentication you always have to trust the cert at least once. There's no such thing as a cert that will automatically be trusted for RADIUS authentication. This is different than regular SSL encryption. Now that we have trusted the cert my iPhone always connects to the wireless network with no issues and stays connected. Hopefully this helps.
07-07-2015 05:57 AM
Interesting! I was considering doing the same thing! Out of curiosity... what type of Digicert did you purchase? Wildcard?
Thanks for the reply
07-07-2015 06:00 AM
No, they recommended their UC cert. We did add in several alternate names so we could use the cert on multiple RADIUS servers. When you need to deploy to another RADIUS server you just ask Digicert to send another certificate with the proper name. There's no cost for additional copies of the cert with different names as long as those names were listed as alternate names to begin with. I only have one RADIUS server at this site, so I'm not sure how it would work if you have multiple RADIUS servers. I'm not sure if you would just need to trust each server once and then be good or if the phone would get confused jumping between the servers.
07-07-2015 06:36 AM
Thank you - after you switch to the new cert in RADIUS do you have to restart your NPS service?
07-07-2015 06:37 AM
I'm fairly certain you do. I did just for good measure.
02-25-2014 07:37 AM
We are using three RADIUS servers - however, only one of those servers is a CA server. Not sure that that helps at all. I'm not great at RADIUS to begin with - I mainly work with our server guys, and this is what they are telling me about the certificates - there is only one certificate authority, on one of the RADIUS servers.
Also, it may matter - the CA server and one of the RADIUS servers are 2003, the other two are 2012R2 servers running NPS.
02-25-2014 08:17 AM
The issue is that if the WLC has 3 RADIUS servers configured for 802.1x, the reason can be that each RADIUS server has a different certificate. You need to look at the certificate store for each RADIUS server or look at the RADIUS policy under PEAP and see what certificate you're using.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"*****
02-27-2014 02:06 PM
Hello all,
I seem to be experiencing the same issue as you all. Currently we are using a Cisco 5508 running firmware 7.4.110.0, using PEAP authentication to a RADIUS server. There are two RADIUS servers; one is purely a failover backup, so users are not querying that server. The certificate that is being identified is the correct certificate from the primary RADIUS server; however, users are being asked to add the certificate multiple times per day. Any insight on this would be helpful, as I have read the thread and nothing seems to be helping.
Thank you in advance
Andy
02-27-2014 04:52 PM
With the WLC, the secondary RADIUS server can be used if the primary fails to respond. Make sure that the certificate on both RADIUS servers is the same and not different. Many times I see the cert with the hostname of the RADIUS server... this means the certificate is different. You need to create a new cert that is default for both and use that for EAP. The other certificate can be left, as that is used to identify the machine. I ran into the same thing and that was my fix.
Thanks,
Scott
03-27-2014 07:07 AM
Hi
Did you ever find a solution for this? I have the same problem, with almost the same setup. The funny thing is I don't see the issue with 1131 APs, just the 3702s.
03-28-2014 09:02 AM
The fix we found is to install the cert on the phone. It so happens we have MDM software that can push the cert to the iOS phone.
06-13-2014 11:28 AM
Looks like I'm running into this at the moment too. Just put out a Flex 7510 running 7.6.120. Customer iPhones running 7.1.1. At least once per day, some iPhones will ask to accept a cert, others won't. My Android device doesn't have the problem.
Running a single RADIUS server for auth.
Is there any more info on this one?
12-11-2014 07:37 PM
I have this same setup; I'm running 7.6.130. I experience the same issue with iPhones and iPads only. Anyone get the fix for this on the Apple side yet?
12-11-2014 07:44 PM
If you're running multiple RADIUS servers, make sure you're using a single certificate on all RADIUS servers. If not, then these Apple devices will prompt to accept the cert, because the FQDN of the cert is different.
-Scott
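One way to run the check suggested in the reply above, as an added example that is not part of the original thread: export the certificate bound to EAP/PEAP on each RADIUS server as a PEM file and compare SHA-256 fingerprints. The file names, the `example.test` host names and the throwaway self-signed certificates are constructed for the demo.

```bash
#!/usr/bin/env bash
# Check that every RADIUS server presents the same EAP server certificate.
# Usage: ./same_eap_cert.sh radius1.pem radius2.pem ...
# (PEM files exported from each server; the file names are assumptions.)

# Print the SHA-256 fingerprint of one PEM certificate.
cert_fingerprint() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    printf '%s\n' "${out#*=}"
}

# Return 0 if all files hold the same certificate, 1 if any differs,
# 2 if a file cannot be parsed. Prints file, fingerprint, subject per file.
same_eap_cert() {
    local f fp subj first="" rc=0
    for f in "$@"; do
        fp=$(cert_fingerprint "$f") || { echo "unreadable: $f" >&2; return 2; }
        subj=$(openssl x509 -in "$f" -noout -subject)
        if [ -z "$first" ]; then
            first=$fp
        elif [ "$fp" != "$first" ]; then
            rc=1
        fi
        printf '%s  %s  %s\n' "$f" "$fp" "$subj"
    done
    [ "$rc" -eq 0 ] || echo "MISMATCH: servers present different certificates" >&2
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate for CN $1.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates: per-host certs differ, a shared one matches.
demo() {
    local d; d=$(mktemp -d)
    make_demo_cert radius1.example.test "$d/radius1.pem"
    make_demo_cert radius2.example.test "$d/radius2.pem"
    same_eap_cert "$d/radius1.pem" "$d/radius2.pem"; echo "per-host certs: rc=$?"
    cp "$d/radius1.pem" "$d/shared.pem"
    same_eap_cert "$d/radius1.pem" "$d/shared.pem"; echo "shared cert: rc=$?"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then same_eap_cert "$@"; else demo; fi
```

A non-zero exit on the real exports means at least one server is presenting a different certificate for EAP than the others.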
03-28-2016 07:28 AM
I feel like there's something else at play here and I can't figure it out! Androids are never re-prompted, iOS devices are...
Here's what I'm running:
WLC-8.0.120.0
2 Radius servers 2012r2 standard (Latest security patches - last week)
1 wildcard certificate (Works fine for both servers as both are same domain)
Radios allowed: all
WPA+WPA2
WPA2 Policy-AES
802.1x
cckm
Multiple prompts a day... (any iOS 8.x) what other variables are there to look into?