SRoach
Brass Contributor
Dec 05, 2018

Devices not connecting to WPA2 Enterprise (EAP-TLS) wireless network automatically

I'm currently using Intune to push a wireless profile to iOS devices and encountering issues connecting automatically to the wireless network in question. Here is the scenario:

  • Device types: iPhones & iPads
  • OS version: 12.1
  • Authentication method: EAP-TLS
  • Client Certificate: Device certificate via SCEP
  • Client certificate type: Device cert


In my case, the root CA cert is being delivered to the devices. The client certificate is successfully being requested by the device using SCEP. The Wi-Fi profile is also being pushed out to the device successfully. I've even tried pushing out the intermediate CA that issues the certificates for the authentication server and client devices as a trusted certificate.

When users attempt to connect to the wireless network, they are prompted for credentials. They then have to select the client certificate and the encryption type before connecting to the network. Once users select the certificate, they connect successfully. What I would like is for this step to be avoided to improve the user experience and to eliminate the likelihood of users selecting the wrong certificate. Is this even possible or will the user always be required to select the cert? I've been told it is.

It's not even a case where the certificate being presented by the authentication server is not trusted. The device, though, seems unable to identify which certificate to present to the authentication server for authentication.

  • I believe that there is an engineering issue with certificate authentication and the WiFi profiles on iOS (an organisation that I work with has an open product support call).

    It looks like the configuration profile is only accepted by iOS devices if the root cert is the issuing CA for the SCEP certificate. In an enterprise with tiered CAs and a mix of certificate trust relationships, that just doesn't work.

    Get a support call logged and add your name to the list of customers with this issue.

    • SRoach
      Brass Contributor

      Thanks Andrew.

      I've been banging my head against the wall with this issue for a couple weeks.

      I've opened a case with Microsoft so hopefully they shed some light on the issue soon.

      Do you know whether there are any public comms on the issue? Do you know whether it's primarily an Intune issue, iOS or a bit of both?

      • Andrew Matthews
        Iron Contributor

        There are no public comms because Microsoft support are treating it as an edge case.

        The issue appears to be partially Intune and partially iOS. An identical configuration profile works on Android because Android does not appear to care about certificate trust!

    • SRoach
      Brass Contributor

      Hi Andrew,

      Did you make any headway with Microsoft regarding the support call the organisation you work with has open?
      • Andrew Matthews
        Iron Contributor

        The case is still with Engineering as far as I know. I would advise opening your own support case.

        This might need a change from Apple because the options to create a Wi-Fi profile with the correct root certificates are missing from the Apple Configurator.
