cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13218
Views
0
Helpful
32
Replies
pak chan
Beginner

Apple ios7 asking to accept wireless certificate multiple times a day

Hi,

After the users upgrade their iphone to ios7, it is asking to accept certificate multiple times a day. For some ios7 users, it ask about 10 times a day to accept certificate to join the wireless network. The user is frustrated about the process to use the wifi network. However, it does not do that in ios6.

The envirnment:

Cisco 5508 - 7.4.100.60

WPA2 Enterprise - Mircosoft IAS

I search the web, didn't find anything related to the issue.

Want to check the forum and see anyone have the same issue

32 REPLIES 32

We ended up purchasing a cert to see if it would take care of the issue and it did.  However, the users still have to trust the cert once (versus accepting it every time they connect).  I spoke with Digicert about this and they said that with iOS and RADIUS authentication you always have to trust the cert at least once.  There's no such thing as a cert that will automatically be trusted for RADIUS authentication.  This is different than regular SSL encryption.  Now that we have trusted the cert my iPhone always connects to the wireless network with no issues and stays connected.  Hopefully this helps.

Interesting! I was considering doing the same thing! Out of curiousity.. what type of digicert did your purchase? wildcard?

Thanks for the reply

no, they recommended their UC cert.  We did add in several alternate names so we could use the cert on multiple RADIUS servers.  When you need to deploy to another RADIUS server you just ask Digicert to send another certificate with the proper name.  There's no cost for additional copies of the cert with different names as long as those names were listed as alternate names to begin with.  I only have one RADIUS server at this site, so I'm not sure how it would work if you have multiple RADIUS servers.  I'm not sure if you would just need to trust each server once and then be good or if the phone would get confused jumping between the servers.

Thank you - after you switch to the new cert in RADIUS do you have to restart your NPS service?

I'm fairly certain you do.  I did just for good measure.

We are using three RADIUS servers - however only one of those servers are a CA server.  Not sure that that helps at all.  I'm not great at RADIUS to begin with - mainly work with our server guys, and this is what they are telling me about the certificates - there is only one certificate authority on one of the RADIUS servers.

      

Also it may matter - but the CA server and one of the RADIUS server is 2003, the other two are 2012R2 servers running NPS.

The issue is if the WLC has 3 radius configured for 802.1x, the reason can be that each radius server has a different certificate.  You need to look at the certificate store for each radius server or look at the radius policy under PEAP and see what certificate your using.

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

Hello all,

    I seem to be experiencing the same issue as you all. Currently we are using a Cisco 5508 using firmware 7.4.110.0, Using PEAP authentication to a RADIUS server. There are two RADIUS servers, one is purely a failover back-up, so users are not querying that server. The certificate that is being identified is the correct certificate from the Primary Radius server however users are being asked to add the certificate multiple times per day. Any insight on this would be helpful, as I have read the thread and nothing seems to be helping.

Thank you in advance

Andy

With the WLC, the secondary radius server can be used if the primary fails to respond.  Make sure that the certificate that is on both radius servers are the same and not different.  Many times I see the cert with the hostname of the radius server... this means the certificate is different.  you need to create a new cert that is default for both and use that for EAP.  The other certificate can be left as that is used to identify the machine.  I ran into the same thing and that was my fix.

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

Hi

 

Did you ever find a solution for this? I have the same problem, with almost the same setup. The funny thing is I don't see the issue with 1131 AP's, just the 3702's.

pak chan
Beginner

The fix we found is install the cert. to the phone. So happen we have MDM software can push the cert. to the ios phone.

Steve Berglund
Beginner

Looks like I'm running into this at the moment too. Just put out a Flex 7510 running 7.6.120. Customer iphones running 7.1.1. At least once per day, some iphones will ask to accept a cert, others won't. My Android device doesn't have the problem. 

Running a single RADIUS server for auth. 

Is there any more info on this one?

I have this same setup, I'm running 7.6.130. I experience the same issue with Iphones and Ipads only. anyone get the fix for this on the apple side yet?

Scott Fella
Hall of Fame Guru

If your running multiple radius servers, makes sure your using a single certificate on all radius servers. If not, then these Apple devices will prompt to accept the cert, because the FQDN of the cert is different. 

-Scott

-Scott
*** Please rate helpful posts ***

I feel like there's something else at play here and I can't figure it out! Androids never are re-prompted, iOS devices are...

Here's what I'm running:

WLC-8.0.120.0

2 Radius servers 2012r2 standard (Latest security patches - last week)

1 wildcard certificate (Works fine for both servers as both are same domain)

Radios allowed: all

WPA+WPA2

WPA2 Policy-AES

802.1x

cckm

Multiple prompts a day... (any iOS 8.x)  what other variables are there to look into?

Create
Recognize Your Peers
Content for Community-Ad