iOS WiFi Profile with WPA2-Enterprise


We are having issues setting up a new batch of iPhone 11s with iOS 13.3.1 with a WiFi profile from Intune.

 

Setup

  • Active Directory Domain controller running Windows Server 2008 (yes I know...)
  • Network Policy Server running on Windows Server 2012 R2 configured for PEAP with username & password. Users in the AD's domain user group are allowed access.
  • Ubiquiti AP AC PRO (these always run latest firmware). These have been set up as RADIUS clients to the NPS.

 

We tested and verified that a user can connect to the WiFi using WPA2-Enterprise using iPhone 6s with iOS 13.3 by manually connecting to the SSID then inputting their AD credentials in the format user@domain.dom.

 

Method

1) Exported the CA's root certificate and then created an Intune profile to distribute the certificate to the iPhones.

 

2) Set up a Device Configuration profile WiFi profile for iOS platform.

 

WiFi type: Enterprise

Network Name: Our WiFi

SSID: Internal

Connect Automatically: Enable

Hidden Network: Disable

EAP Type: PEAP

Server Trust

Certificate Server Name: nps.internal.dom

 

Root Certificate: Our CA's root certificate profile.

 

3) We then assigned to the iPhones.  Users were then prompted for an account to connect to the SSID with. When they do this they are able to connect to the WiFi.

 

Problem

Eventually the WiFi connection is dropped and the next time a user unlocks their phone they are prompted for the WiFi username and password.

 

What it appears to be doing is overriding the username and password that the user input into the prompt on the phone. It should be using their internal AD username & password but it appears to be overriding the username with the user's Office 365 username. These are not the same.

 

Bizarrely, we had one iPhone XS prior to this which had the WiFi profile but did not get similar issues. The iPhone 11s have been provisioned using the Apple configurator but the XS hasn't.

 

Has anyone else faced similar issues and how did you overcome this?
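An added example, not part of the original post and not an Intune export: a small audit of an unsigned Apple Wi-Fi configuration payload that reports whether RADIUS server trust is pinned and whether the profile itself carries a `UserName` (when it does not, the device prompts the user). The key names are Apple's documented Wi-Fi payload keys; the sample profile, the placeholder UUID and the `example.invalid` user name are constructed, and it is an assumption that a profile pulled from a device would have been unwrapped from its signature first.

```python
import plistlib

ANCHOR = "ROOT-CA-PAYLOAD-UUID-PLACEHOLDER"  # placeholder, not a real payload UUID

def build_sample_profile(username=None, pin_server=True):
    """Constructed sample mirroring the post's settings (SSID, PEAP, server name)."""
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP
    if pin_server:
        eap["TLSTrustedServerNames"] = ["nps.internal.dom"]
        eap["PayloadCertificateAnchorUUID"] = [ANCHOR]
    if username is not None:
        eap["UserName"] = username
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Internal",
            "HIDDEN_NETWORK": False, "AutoJoin": True, "EncryptionType": "WPA2",
            "EAPClientConfiguration": eap}
    root = {"PayloadType": "com.apple.security.root", "PayloadUUID": ANCHOR}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [root, wifi]})

def audit_wifi_profile(data):
    """Return findings on server trust and identity for each enterprise Wi-Fi payload."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    known_uuids = {p.get("PayloadUUID") for p in payloads}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue  # not an enterprise (802.1X) Wi-Fi payload
        ssid = p.get("SSID_STR", "?")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: RADIUS server name not pinned")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= known_uuids:
            findings.append(f"{ssid}: trust anchor missing or not in this profile")
        if "UserName" in eap:
            findings.append(f"{ssid}: profile sets UserName {eap['UserName']!r}")
        else:
            findings.append(f"{ssid}: no UserName, device prompts the user")
    return findings

if __name__ == "__main__":
    for sample in (build_sample_profile(),
                   build_sample_profile("o365.user@example.invalid", pin_server=False)):
        print(audit_wifi_profile(sample))
```

Comparing the `UserName` finding between a device that behaves and one that re-prompts shows whether the identity is coming from the profile or from what the user typed.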

2 Replies

@Sc0tty_ did you solve this? I've a similar problem.

 

Thanks!

 

Regards,

Hans-Johan

@KITHJH we never managed to solve the problem. Our office is now closed due to the COVID-19 pandemic and we won't be working on the problem for the foreseeable future unfortunately.