Cisco Support Community
New Member

New Wireless clients certificate not verified

Whenever a new client logs in using SSID Green, using a Cisco WLC 4404, there is a prompt saying the certificate is not valid. No doubt, clients can connect once they accept the certificate. Is there any way I can remove this prompt? We have ACS doing authentication. The certificate is signed by authorized bodies? Please advise.

4 ACCEPTED SOLUTIONS

17 REPLIES
New Member

New Wireless clients certificate not verified

Do we need to import this cert to ACS, or does any setting need to be changed in the WLC? Please advise.

VIP Purple

Re: New Wireless clients certificate not verified

Is it happening with all clients or only with Apple devices?

Also check this: Configure your clients to not check the trust path of your RADIUS server's certificate (i.e., uncheck the box that says "validate server certificates").

Regards

New Member

Re: New Wireless clients certificate not verified

Hi Sandeep,

Only with Apple devices. But our management does not want to have this prompt at all. Any advice?

VIP Purple

Re: New Wireless clients certificate not verified

Hi Ravindra,

I have never worked with ACS.

I also have the same issue, but I think I am facing this bug:

https://tools.cisco.com/bugsearch/bug/CSCua97013

Regards

Hall of Fame Super Silver

Re: New Wireless clients certificate not verified

This is typical of Apple iPads and iPhones. Here is a good article explaining how to install your root CA certificate on an iPad or iPhone. Don't worry that this isn't for wireless, because the process is the same.

http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: New Wireless clients certificate not verified

Hi Scott,

Thanks for the reply. But is there any other way where this prompt will not even be seen on the Apple devices? Are there any changes we can make on ACS or WLC? Please advise.

Hall of Fame Super Silver

Re: New Wireless clients certificate not verified

You can look at the trusted CAs for the device:

http://support.apple.com/kb/ht5012

Get a certificate from one of the vendors whose root CA Apple has in the trust list and install that on your ACS for 802.1X, or, if it is for guest WebAuth, install it in the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: New Wireless clients certificate not verified

Hi Sandeep & Scott,

Interesting. When I check https://supportforums.cisco.com/thread/2210803, according to the Apple document, the first time we have to trust the cert for 802.1X.

Scott, can you please advise: if we have a cert from those that come with iOS by default, do I need to trust it the first time?

Re: New Wireless clients certificate not verified

I spoke to my Apple SE about this very subject. The Apple keychain that holds the certs isn't used for Wi-Fi. In fact, Apple requires a user to validate the cert the first time, trusted CA or not. The cert, once trusted, is stored in the wireless profile. Blow away the profile, you blow away that WLAN cert and you have to trust it again.

Only way around the pop-up: push a WLAN profile to the device with the cert.

Sent from Cisco Technical Support iPad App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

New Wireless clients certificate not verified

Hi George Stefanick,

Thanks for your feedback. Just to check, have you tried "push a WLAN profile to the device with the cert" and were you able to authenticate successfully without the pop-up?

If yes, can you please kindly share the doc on how to push a profile to the device?

Thanks for your great help.

New Member

New Wireless clients certificate not verified

Hi George Stefanick,

I am waiting for the Doc from your side for pushing the profile to the device.

For completeness and proof for other future readers, I am sharing the Apple technical white paper link below.

http://training.apple.com/pdf/WP_8021X_Authentication.pdf

"In 802.1X authentication environments, it’s important to understand the role certificates play in the trust chain. Client devices should be able to verify server-side certificates, and those certificates must be trusted for EAP. This trust is established by the user. The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server’s certificate"

New Wireless clients certificate not verified

Yup, good reference ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"


New Wireless clients certificate not verified

I notice Windows 8 is doing the same as well.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"


Re: New Wireless clients certificate not verified

I have indeed.

Pushing the profile can happen a few ways. If you use ISE you can push a profile in auto enrollment. Whereby you create the wireless profile (SSID, Security, Add Cert). This is delivered to the user automatically during enrollment.

Another way to make profiles and manually push is with the Apple Configurator.

https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12

You can also use a tool like Jamf for Macs to make and push profiles.

Hope this helps ..

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
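The wireless profile described in the post above (SSID, security settings, plus the certificate), sketched as an added example that is not part of the original thread or any Cisco or Apple tooling: it builds an unsigned `.mobileconfig` whose Wi-Fi payload trusts only the CA shipped in the same profile. PEAP, the `com.example.*` identifiers, the organization name and the RADIUS server name are assumptions, and the certificate bytes are a constructed placeholder.

```python
import plistlib
import uuid


def build_wifi_profile(ssid, ca_der, radius_names, org="Example Corp"):
    """Return .mobileconfig bytes: a CA payload plus a Wi-Fi payload pinned to it."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ca",      # placeholder identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS server issuing CA",
        "PayloadContent": ca_der,                         # DER bytes, emitted as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ssid",    # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],                       # 25 = PEAP (assumed EAP type)
            "PayloadCertificateAnchorUUID": [ca_uuid],    # trust anchor = CA payload above
            "TLSTrustedServerNames": list(radius_names),  # expected server certificate names
            "TLSAllowTrustExceptions": False,             # user cannot accept an unlisted cert
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi",         # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Wi-Fi",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Constructed sample input: placeholder bytes standing in for the CA's DER file.
SAMPLE_CA_DER = b"PLACEHOLDER-DER-BYTES-REPLACE-WITH-REAL-CA-CERT"
PROFILE = build_wifi_profile("Green", SAMPLE_CA_DER, ["acs.example.com"])
```

Written to a file with a `.mobileconfig` extension, the output can be delivered with the tools named in the post; signing the profile before distribution lets the device show who issued it.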
New Member

Re: New Wireless clients certificate not verified

Hi George Stefanick,

Thanks for your reply. It answers almost all my questions. Is it possible to do the same on ACS?

New Wireless clients certificate not verified

Sorry, not sure I follow. What do you mean do the same on ACS? Push profiles? No .. You need ISE or another application.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

New Member

New Wireless clients certificate not verified

Hi George Stefanick,

Thanks! That is my question. Thanks for all your answers. You saved me a lot of trouble.
