New Wireless clients certificate not verified

Answered Question
Feb 6th, 2014
Whenever a new client logs in using SSID Green, on a Cisco WLC 4404, there is a prompt saying the certificate is not valid. No doubt, clients can connect once they accept the certificate. Is there any way I can remove this prompt? We have ACS doing authentication. The certificate is signed by authorized bodies? Please advise.

rakeshvelagala Thu, 02/06/2014 - 00:48

Do we need to import this cert to ACS, or does any setting need to be changed in the WLC? Please advise.

Correct Answer
Sandeep Choudhary Thu, 02/06/2014 - 00:57

Is it happening with all clients or only with Apple devices?

Also check this: configure your clients to not check the trust path of your RADIUS server's certificate (i.e., uncheck the box that says "validate server certificates").

Regards

rakeshvelagala Thu, 02/06/2014 - 01:05

Hi Sandeep,

Only with Apple devices. But our management does not want to have this prompt at all. Any advice?

Scott Fella Thu, 02/06/2014 - 01:17

This is typical of Apple iPads and iPhones. Here is a good article explaining how to install your root CA certificate on an iPad or iPhone. Don't worry that this isn't for wireless, because the process is the same.

http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificat...

Sent from Cisco Technical Support iPhone App

rakeshvelagala Thu, 02/06/2014 - 01:21

Hi Scott,

Thanks for the reply. But is there any other way where this prompt will not even be seen on the Apple devices? Any changes we can make on ACS or the WLC? Please advise.

Correct Answer
Scott Fella Thu, 02/06/2014 - 01:28

You can look at the trusted CAs for the device:

http://support.apple.com/kb/ht5012

Get a certificate from one of the vendors whose root CA Apple has in the trust list and install that on your ACS for 802.1X, or, if it is for guest WebAuth, install it on the WLC.

Sent from Cisco Technical Support iPhone App

Correct Answer
George Stefanick Thu, 02/06/2014 - 05:29

I spoke to my Apple SE about this very subject. The Apple keychain that holds the certs isn't used for Wi-Fi. In fact Apple requires a user to validate the cert the first time, trusted CA or not. The cert, once trusted, is stored in the wireless profile. Blow away the profile, you blow away that WLAN cert and you have to trust it again.

The only way around the pop-up: push a WLAN profile to the device with the cert.

Sent from Cisco Technical Support iPad App

rakeshvelagala Thu, 02/06/2014 - 07:47

Hi George Stefanick,

Thanks for your feedback. Just to check: have you tried "push a WLAN profile to the device with the cert" and been able to authenticate successfully without the pop-up?

If yes, can you please kindly share the doc on how to push a profile to a device?

Thanks for your great help.

rakeshvelagala Thu, 02/06/2014 - 07:53

Hi George Stefanick,

I am waiting for the doc from your side for pushing the profile to the device.

For completeness and proof for other future readers, I am sharing the Apple technical white paper link below.

http://training.apple.com/pdf/WP_8021X_Authentication.pdf

"In 802.1X authentication environments, it's important to understand the role certificates play in the trust chain. Client devices should be able to verify server-side certificates, and those certificates must be trusted for EAP. This trust is established by the user. The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server's certificate"

George Stefanick Thu, 02/06/2014 - 07:54

Yup, good reference.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

George Stefanick Thu, 02/06/2014 - 07:55

I notice Windows 8 is doing the same as well.

Correct Answer
George Stefanick Thu, 02/06/2014 - 07:54

I have indeed.

Pushing the profile can happen a few ways. If you use ISE you can push a profile in auto-enrollment, whereby you create the wireless profile (SSID, security, add cert). This is delivered to the user automatically during enrollment.


Another way to make profiles and push them manually is with the Apple Configurator.

https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12


You can also use a tool like Jamf for Macs to make and push profiles.

Hope this helps.
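
Added example (not George's code or Cisco's): a Python script that builds the kind of Wi-Fi configuration profile described in the post above, bundling the RADIUS CA certificate with the SSID settings and anchoring EAP server trust to that CA by UUID, so server validation stays on and the device has nothing left to prompt for. The SSID is the thread's; the server name, organisation and the CA bytes are constructed placeholders; the payload keys are those of Apple's configuration profile format.

```python
import plistlib
import uuid

# Constructed placeholder for the DER bytes of the RADIUS server's CA cert
# (in practice: export the CA from ACS and read the .cer file in binary mode).
CA_DER_PLACEHOLDER = b"\x30\x82\x00\x00-constructed-not-a-real-certificate"


def build_profile(ssid, ca_der, trusted_server_names, org="ExampleCorp"):
    """Return a profile dict: one root-CA payload plus one Wi-Fi payload whose
    EAP settings anchor server trust to that CA by UUID, so no prompt appears."""
    cert_uuid = str(uuid.uuid4()).upper()
    prefix = f"com.{org.lower()}.wifi"
    cert_payload = {
        "PayloadType": "com.apple.security.root",   # install the CA as a trusted root
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.ca",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": f"{org} RADIUS CA",
        "PayloadContent": ca_der,                   # bytes are written as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.{ssid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "EncryptionType": "WPA",                    # WPA/WPA2 Enterprise (802.1X)
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],                 # 25 = PEAP
            # Accept only server certificates whose name matches these...
            "TLSTrustedServerNames": list(trusted_server_names),
            # ...and which chain to the CA payload above.
            "PayloadCertificateAnchorUUID": [cert_uuid],
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{prefix}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [cert_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    # XML plist bytes, i.e. the .mobileconfig that Apple Configurator or an MDM pushes
    return plistlib.dumps(profile)
```

Write `to_mobileconfig(build_profile("Green", ca_der, ["acs.example.com"]))` to a `.mobileconfig` file and deliver it through Apple Configurator or MDM; with the anchor set, a server certificate from any other CA is rejected rather than offered for a click-through.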

rakeshvelagala Thu, 02/06/2014 - 08:05

Hi George Stefanick,

Thanks for your reply; it answers almost all my questions. Is it possible to do the same on ACS?

George Stefanick Thu, 02/06/2014 - 08:28

Sorry, not sure I follow. What do you mean, do the same on ACS? Push profiles? No. You need ISE or another application.

rakeshvelagala Thu, 02/06/2014 - 08:45

Hi George Stefanick,

Thanks! That is my question. Thanks for all your answers. You saved me a lot of trouble.