02-06-2014 12:47 AM - edited 07-05-2021 12:06 AM
Whenever new clients log in using SSID Green, using a Cisco WLC 4404, there is a prompt saying the certificate is not valid. No doubt clients can connect once they accept the certificate. Is there any way I can remove this prompt? We have ACS doing authentication. The certificate is signed by authorized bodies? Please advise.
02-06-2014 12:48 AM
Do we need to import this cert to ACS, or is there any setting to be changed in the WLC? Please advise.
02-06-2014 12:57 AM
Is it happening with all clients or only with Apple devices?
Also check this: Configure your clients to not check the trust path of your RADIUS server's certificate (i.e., uncheck the box that says "validate server certificates").
Regards
02-06-2014 01:05 AM
Hi Sandeep,
Only with Apple devices. But our management do not want to have this prompt at all. Any advice?
02-06-2014 01:30 AM
Hi Ravindra,
I never worked with ACS.
I also have the same issue, but I think I am facing this bug:
https://tools.cisco.com/bugsearch/bug/CSCua97013
Regards
02-06-2014 01:17 AM
This is typical of Apple iPads and iPhones. Here is a good article explaining how to install your root CA certificate on an iPad or iPhone. Don't worry that this isn't for wireless, because the process is the same.
http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/
Sent from Cisco Technical Support iPhone App
02-06-2014 01:21 AM
Hi Scott,
Thanks for the reply. But is there any other way where this prompt will not even be seen on the Apple devices? Any changes we can do on ACS or WLC? Please advise.
02-06-2014 01:28 AM
You can look at the trusted CAs for the device:
http://support.apple.com/kb/ht5012
Get a certificate from one of the vendors whose root CA Apple has in the trust list and install that on your ACS for 802.1X, or, if it is for guest WebAuth, install it in the WLC.
Sent from Cisco Technical Support iPhone App
02-06-2014 01:42 AM
Hi Sandeep & Scott,
Interesting: when I check https://supportforums.cisco.com/thread/2210803
according to the Apple document, the first time we have to trust the cert for 802.1X.
Scott, can you please advise: if we have the cert from those that come with iOS by default, do I need to trust it the first time?
02-06-2014 05:29 AM
I spoke to my Apple SE about this very subject. The Apple keychain that holds the certs isn't used for Wi-Fi. In fact Apple requires a user to validate the cert the first time, trusted CA or not. The cert, once trusted, is stored in the wireless profile. Blow away the profile, you blow away that WLAN cert and you have to trust it again.
Only way around the pop-up: push a WLAN profile to the device with the cert.
Sent from Cisco Technical Support iPad App
02-06-2014 07:47 AM
Hi George Stefanick,
Thanks for your feedback. Just to check, have you tried "push a WLAN profile to the device with the cert" and were you able to authenticate successfully without the pop-up?
If yes, can you please kindly share the doc on how to push a profile to the device?
Thanks for your great help.
02-06-2014 07:53 AM
Hi George Stefanick,
I am waiting for the doc from your side for pushing the profile to the device.
For completeness and proof for other future readers, I am sharing the Apple technical white paper link below.
http://training.apple.com/pdf/WP_8021X_Authentication.pdf
"In 802.1X authentication environments, it's important to understand the role certificates play in the trust chain. Client devices should be able to verify server-side certificates, and those certificates must be trusted for EAP. This trust is established by the user. The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server's certificate"
02-06-2014 07:54 AM
Yup, good reference.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"
02-06-2014 07:55 AM
I notice Windows 8 is doing the same as well.
02-06-2014 07:54 AM
I have indeed.
Pushing the profile can happen a few ways. If you use ISE, you can push a profile in auto enrollment, whereby you create the wireless profile (SSID, Security, Add Cert). This is delivered to the user automatically during enrollment.
Another way to make profiles and push them manually is with the Apple Configurator.
https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12
You can also use a tool like Jamf for Macs to make and push profiles.
Hope this helps.
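To make the "push a WLAN profile with the cert" approach concrete, below is an added example that is not from this thread, from ISE, Apple Configurator or Jamf. It builds an Apple Wi-Fi configuration profile (.mobileconfig) with Python's plistlib: one payload carries the CA certificate that signed the RADIUS server's certificate, and the Wi-Fi payload's EAP settings anchor trust to that payload, pin the expected server name, and disable trust exceptions so the user is never asked to accept a server certificate. The payload keys (com.apple.security.root, com.apple.wifi.managed, EAPClientConfiguration, PayloadCertificateAnchorUUID, TLSTrustedServerNames, TLSAllowTrustExceptions) come from Apple's Configuration Profile Reference; the SSID "Green" is the thread's, while the server name, organization, identifiers and the CA certificate bytes are constructed placeholders. The check_profile function is an added sanity check for the security properties a practitioner wants before distributing such a profile.

```python
"""Build and sanity-check an Apple Wi-Fi configuration profile that pins the
RADIUS server's CA so iOS/macOS never prompts the user to trust the cert.
Added example; server name, UUIDs, identifiers and CA bytes are placeholders."""
import plistlib
import uuid

# Constructed placeholder. In practice read the DER bytes of the CA that
# signed the ACS/RADIUS server certificate, e.g. open("ca.der", "rb").read().
PLACEHOLDER_CA_DER = b"PLACEHOLDER-DER-ENCODED-CA-CERTIFICATE"


def build_wifi_profile(ssid, trusted_server_names, ca_der,
                       org="Example Org", identifier="com.example.wifi"):
    """Return a profile dict: a root-CA payload plus a WPA2-Enterprise (PEAP)
    Wi-Fi payload whose EAP trust is anchored to that CA payload."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Corporate RADIUS CA",
        "PayloadContent": ca_der,  # bytes serialize as base64 <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{ssid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP (MSCHAPv2 inner method)
            # Trust only certificates chaining to the CA payload above.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # Only accept a server certificate issued to this name.
            "TLSTrustedServerNames": list(trusted_server_names),
            # Never let the user "accept anyway" an unknown server.
            "TLSAllowTrustExceptions": False,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Wi-Fi ({ssid})",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, wifi_payload],
    }


def check_profile(profile):
    """Return a list of trust problems; an empty list means the profile
    pins the RADIUS server and removes the interactive trust decision."""
    problems = []
    payloads = {p["PayloadUUID"]: p for p in profile.get("PayloadContent", [])}
    wifi = [p for p in payloads.values()
            if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        return ["no Wi-Fi payload in profile"]
    eap = wifi[0].get("EAPClientConfiguration", {})
    anchors = eap.get("PayloadCertificateAnchorUUID", [])
    if not anchors:
        problems.append("no PayloadCertificateAnchorUUID: device will prompt the user")
    for anchor in anchors:
        target = payloads.get(anchor)
        if target is None or target.get("PayloadType") != "com.apple.security.root":
            problems.append(f"anchor {anchor} does not reference a root CA payload")
    if not eap.get("TLSTrustedServerNames"):
        problems.append("no TLSTrustedServerNames: server name is not pinned")
    if eap.get("TLSAllowTrustExceptions", True):
        problems.append("TLSAllowTrustExceptions not disabled: user may accept unknown servers")
    return problems


def to_mobileconfig(profile):
    """Serialize the profile to the XML plist bytes of a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(blob):
    """Parse .mobileconfig bytes back into a dict (round-trip check)."""
    return plistlib.loads(blob)


if __name__ == "__main__":
    profile = build_wifi_profile("Green", ["radius.example.internal"], PLACEHOLDER_CA_DER)
    print("problems:", check_profile(profile) or "none")
    with open("green-wifi.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

Deliver the resulting .mobileconfig through whatever channel the post describes (ISE BYOD enrollment, Apple Configurator or an MDM); the profile should be signed by the MDM or a signing certificate before distribution so users can tell it is genuine. The check deliberately flags a profile that anchors the CA but leaves TLSTrustedServerNames empty, since any certificate from that CA, not just the RADIUS server's, would then be accepted.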