WiFi Encryption 802.1X with custom RADIUS (Windows Server 2016 RADIUS NPS): Warning on mobile device

pbruder
New here

Hello,

We have set up WiFi Encryption 802.1X with custom RADIUS (Windows Server 2016 RADIUS NPS) following your instructions:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

We have the following issue:

Warning on mobile devices (iOS): untrustworthy connection (text in red color)


The certificate must be trusted manually to connect the mobile device to the Wifi ssid.


Because of that warning we have bought a trusted certificate.

 

Please tell me asap in which way this warning "untrustworthy connection" can be solved. Does anyone have the same scenario and issue?

 

Thank you!

 

Regards

P. Bruder

6 Replies
BrechtSchamp
Kind of a big deal

Were you successful in installing your bought certificate in NPS?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...

 

And selecting it during step 8 of the NPS policy validation?

"8. Click Configure to review the Edit Protected EAP Properties. The server certificate should be in the Certificate issued drop down. "

Yes, the bought certificate is successfully installed on the Windows Server 2016, and the setup in the NPS policy is also done.
We have also checked these settings with the service provider for this new WLAN solution and found no error in the configuration.

 

On Windows 10 notebooks this newly bought certificate works fine. These notebooks are not in the domain, and authentication to the WLAN is done with domain credentials.
Without the bought certificate these clients had no connection to the WLAN.

 

Do you have more tips?

I've been reading up about it a bit and it seems like the default behavior of iOS is to not validate it through the (trusted) root CA. So the users will manually have to accept the certificate the first time they connect. The recommendation given in most things I read is to use your MDM solution or Apple Configurator to push the certificates so they don't have to manually trust the certificate.

 

[Image: 2019-03-11 09_02_49-Enterprise Best Practices for iOS devices and Mac computers on Cisco Wireless LA.png]

Source:

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practice...
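
The recommendation in the reply above (push the certificate with MDM or Apple Configurator) amounts to a configuration profile that carries the issuing CA and ties the Wi-Fi payload to it. The following is an added example, not part of the original thread or of Meraki, Cisco or Apple documentation: it builds such a profile with Python's `plistlib`, using PEAP as selected in NPS. The SSID, server name, `com.example` identifiers and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid


def _payload(ptype, name, **keys):
    """Common payload header; identifiers use a constructed com.example prefix."""
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"com.example.wifi.{pid}",
            "PayloadDisplayName": name, **keys}


def build_wifi_profile(ssid, radius_names, ca_der):
    """Return .mobileconfig bytes: CA trust anchor + PEAP Wi-Fi payload pinned to it."""
    ca = _payload("com.apple.security.root", "RADIUS server CA",
                  PayloadContent=ca_der)  # DER bytes become <data> in the plist
    wifi = _payload(
        "com.apple.wifi.managed", f"Wi-Fi ({ssid})",
        SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True, EncryptionType="WPA2",
        EAPClientConfiguration={
            "AcceptEAPTypes": [25],                       # 25 = PEAP, as set in NPS
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust this CA
            "TLSTrustedServerNames": list(radius_names),  # expected server cert names
            "TLSAllowTrustExceptions": False,             # no manual "Trust" override
            # No UserName/UserPassword: the user enters domain credentials.
        })
    profile = _payload("Configuration", f"{ssid} 802.1X", PayloadContent=[ca, wifi])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed placeholders: replace with the real SSID, the name in the NPS
    # server certificate, and the DER bytes of the CA that issued it.
    fake_ca_der = b"\x30\x82\x00\x00PLACEHOLDER-NOT-A-REAL-CERT"
    data = build_wifi_profile("Example-SSID", ["nps01.example.com"], fake_ca_der)
    print(data.decode())
```

Saved with a `.mobileconfig` extension, the output can be opened in Apple Configurator or distributed by an MDM.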

Nick
Head in the Cloud

We have this issue when using RADIUS through Windows Servers or macOS servers. 

 

Devices pop up saying the certificate is untrusted even when the chain it presents is trusted

That means the user has to accept an untrusted connection, because these are private iOS devices, not all from our company?

Because of that these devices are not manageable via MDM or other tools.


[Image: Wifi Connection Not Trusted.png]

 

 

Nick
Head in the Cloud

As of yet we've not been able to work our way round this - we've not extensively tried to be fair. But we have legitimate certificates and they are installed correctly and show as trusted
