
New Wireless clients certificate not verified

rakeshvelagala
Level 3

Whenever new clients log in using SSID Green, using a Cisco WLC 4404, there is a prompt saying the certificate is not valid. No doubt, clients can connect once they accept the certificate. Is there any way I can remove this prompt? We have ACS doing authentication. The certificate is signed by authorized bodies? Please advise.

17 Replies

rakeshvelagala
Level 3

Do we need to import this cert to ACS, or does any setting need to be changed in the WLC? Please advise.

Is it happening with all clients or only with Apple devices?

Also check this: Configure your clients to not check the trust path of your RADIUS server's certificate (i.e., uncheck the box that says "validate server certificates").

Regards

Hi Sandeep,

Only with Apple devices. But our management do not want to have this prompt at all. Any advice?

Hi Ravindra,

I never worked with ACS.

I also have the same issue, but I think I am facing this bug:

https://tools.cisco.com/bugsearch/bug/CSCua97013

Regards

Scott Fella
Hall of Fame

This is typical of Apple iPads and iPhones. Here is a good article explaining how to install your root CA certificate on an iPad or iPhone. Don't worry that this isn't for wireless, because the process is the same.

http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/

-Scott

Hi Scott,

Thanks for the reply. But is there any other way where this prompt will not even be seen on the Apple devices? Are there any changes we can make on ACS or WLC? Please advise.

You can look at the trusted ca for the device

http://support.apple.com/kb/ht5012

Get a certificate from one of the vendors whose root CA Apple has in the trust list and install that on your ACS for 802.1X, or, if it is for guest WebAuth, install it in the WLC.

-Scott

Hi Sandeep & Scott,

Interesting. When I check https://supportforums.cisco.com/thread/2210803

according to the Apple document, the first time we have to trust the cert for 802.1X.

Scott, can you please advise: if we have a cert from those that come with iOS by default, do I need to trust it the first time?

I spoke to my Apple SE about this very subject. The Apple keychain that holds the certs isn't used for Wi-Fi. In fact, Apple requires a user to validate the cert the first time, trusted CA or not. The cert, once trusted, is stored in the wireless profile. Blow away the profile, you blow away that WLAN cert and you have to trust it again.

Only way around the pop up, push a WLAN profile to the device with the cert ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George Stefanick,

Thanks for your feedback. Just to check, have you tried "push a WLAN profile to the device with the cert" and been able to authenticate successfully without the pop up?

If yes, can you please kindly share the doc on how to push a profile to the device?

Thanks for your great help.

Hi George Stefanick,

I am waiting for the Doc from your side for pushing the profile to the device.

For completeness and proof for other future readers, I am sharing the Apple technical white paper link below.

http://training.apple.com/pdf/WP_8021X_Authentication.pdf

"In 802.1X authentication environments, it’s important to understand the role certificates play in the trust chain. Client devices should be able to verify server-side certificates, and those certificates must be trusted for EAP. This trust is established by the user. The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server’s certificate"

Yup, good reference ..

‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"


I notice Windows 8 is doing the same as well.


I have indeed.

Pushing the profile can happen a few ways. If you use ISE you can push a profile in auto enrollment, whereby you create the wireless profile (SSID, Security, Add Cert). This is delivered to the user automatically during enrollment.

Another way to make profiles and manually push is with the Apple Configurator.

https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12

You can also use a tool like Jamf for Macs to make and push profiles.

Hope this helps ..

___________________________________________________________
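
Added example, not part of the original thread or any poster's code: a Python script that builds the kind of WLAN profile the replies above describe (SSID, security, CA certificate), anchoring trust to one CA and one RADIUS server name so that server certificate validation stays enabled. The PEAP EAP type, the `acs.example.com` server name, the `com.example.wifi` identifier and the placeholder certificate bytes are assumptions; the dictionary keys are those of Apple's configuration-profile Wi-Fi and certificate payloads.

```python
import plistlib
import uuid

def build_wifi_profile(ssid, ca_der, radius_names, org_id="com.example.wifi"):
    """Return .mobileconfig XML that installs a CA certificate and ties the
    802.1X trust of one SSID to that CA and to named RADIUS servers."""
    if not radius_names:
        # Without a name constraint, any certificate issued under the CA would pass.
        raise ValueError("at least one RADIUS server name is required")
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS root CA",
        "PayloadContent": ca_der,  # bytes are written as <data> in the plist
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],                       # 25 = PEAP (assumed)
            "PayloadCertificateAnchorUUID": [ca_uuid],    # trust only this CA
            "TLSTrustedServerNames": list(radius_names),  # and only these names
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} 802.1X",
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

# Constructed sample input: placeholder bytes stand in for the DER-encoded CA certificate.
SAMPLE_PROFILE = build_wifi_profile("Green", b"PLACEHOLDER-DER-CA-CERT", ["acs.example.com"])
```

The resulting bytes can be saved with a `.mobileconfig` extension and delivered through whichever of the channels named above (ISE enrollment, Apple Configurator, Jamf) is in use.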