Devices not connecting to WPA2 Enterprise (EAP-TLS) wireless network automatically

I'm currently using Intune to push a wireless profile to iOS devices and encountering issues connecting automatically to the wireless network in question. Here is the scenario:

 

  • Device types: iPhones & iPads
  • OS version: 12.1
  • Authentication method: EAP-TLS
  • Client Certificate: Device certificate via SCEP
  • Client certificate type: Device cert


In my case, the root CA cert is being delivered to the devices. The client certificate is successfully being requested by the device using SCEP. The Wi-Fi profile is also being pushed out to the device successfully.  I've even tried pushing out the intermediate CA that issues the certificates for the authentication server and client devices as a trusted certificate.

 

When users attempt to connect to the wireless network, they are prompted for credentials. They then have to select the client certificate and the encryption type before connecting to the network. Once users select the certificate, they connect successfully. What I would like is for this step to be avoided to improve the user experience and to eliminate the likelihood of users selecting the wrong certificate. Is this even possible or will the user always be required to select the cert? I've been told it is.

 

It's not even a case where the certificate being presented by the authentication server is not trusted. The device, though, seems unable to identify which certificate to present to the authentication server for authentication.

 

 

best response confirmed by Samuel Roach (Brass Contributor)
Solution

I believe that there is an engineering issue with certificate authentication and the WiFi profiles on iOS (an organisation that I work with has an open product support call).

 

It looks like the configuration profile is only accepted by iOS devices if the root cert is the issuing CA for the SCEP certificate. In an enterprise with tiered CAs and a mix of certificate trust relationships, that just doesn't work.

 

Get a support call logged and add your name to the list of customers with this issue.

Thanks Andrew.

 

I've been banging my head against the wall with this issue for a couple weeks.

 

I've opened a case with Microsoft so hopefully, they shed some light on the issue soon.

 

Do you know whether there are any public comms on the issue?  Do you know whether it's primarily an Intune issue, iOS or a bit of both?

There are no public comms because Microsoft support are treating it as an edge case.

 

The issue appears to be partially Intune and partially iOS. An identical configuration profile works on Android because Android does not appear to care about certificate trust!

Thanks Andrew,

 

I thought as much.  My next step was to deploy to Android devices when I'm back on site to see whether I encountered the same issue.

 

Let's see what Microsoft support comes back with.

Hi Andrew,

Did you make any headway with Microsoft regarding the support call the organisation you work with has open?

The case is still with Engineering as far as I know. I would advise opening your own support case.

 

This might need a change from Apple because the options to create a Wi-Fi profile with the correct root certificates are missing from the Apple configurator. 

I do have my own case open... for the past 40 days now but support has been slow.

 

Interestingly, devices enrolled yesterday have started connecting to the Wi-Fi network automatically since I had a chat with an escalation engineer and even though I haven't made any changes to the profiles so perhaps it's being resolved on the backend.  I'll see if this happens consistently as more users enrol onto Intune in the next few weeks.  Hopefully it does.

@Samuel Roach Is this working for you now? We're looking at doing something very similar with Windows and iOS devices soon.

@Samuel Roach ...

Hi Sam,
Did you use the wireless profiler from Intune or Custom XML profile for WPA2 Enterprise?