EAP-TLS with Server 2008 SCEP for Apple Devices

This topic is to discuss the following lesson:

I’m getting stuck where the certificate gets installed on the iPhone. When I install the profile, I get “The SCEP server returned an invalid response”. There are a couple of posts on Apple, etc. about increasing the query string for IIS, which I’ve done, but it didn’t help.

Solved. For those of you having the same issue: Step 1) Install Microsoft KB 2483564. Step 2) In the SCEP section of the iPhone Configuration Utility, in the “Subject” section, there’s a limit on the number of characters; for me, anything over 24 characters in that string failed.

Hi Chris,

Good thing you figured it out. Btw, instead of using SCEP, I think getting a certificate through the browser on a computer might be a better idea. It saves you the trouble of mapping a certificate in Active Directory.

Hi Rene,

First I want to say I love what you do!! These tutorials are great, and I used your CCNP SWITCH book to help pass that test.

I used your tutorial on how to set up an EAP-TLS WLAN using a RADIUS backend and AD. It also has a Cisco WLC. I am trying to get my iPhones to work, and I have followed this tutorial; I can get it to work except for joining the network. Do you have any tips? I can see on the WLC that the user is not authenticating, but I’m really unsure of what I am missing. Does the iPhone pass domain info? Would it look at AD? Any info would be great.

Hi Cory,

I’m glad to hear you like my material!

First of all…the iPhone and EAP-TLS are a pain; it took quite some time to get it working and to fully understand how it works. When you use SCEP like I did in this tutorial, it will generate a “machine” certificate for your iPhone, but when the iPhone authenticates itself it will ALWAYS present its certificate as a “user certificate”. As a result it will fail unless you manually map the certificate to the user account in AD like I did in the “Map Client Certificate to User Account” section. Another issue is that SCEP enrollment through the iPhone utility sometimes doesn’t work, and it doesn’t always give you very useful error messages.

When I wrote this tutorial I really liked the idea of SCEP and automatically enrolling certificates to Apple devices, but in reality it’s a pain. There is a better method to do this; it’s basically the same as for the Android devices in this tutorial, where we don’t use SCEP:

  1. You use a Windows computer to request a user certificate from the CA. It will be installed on your computer.
  2. You can use this certificate on your Windows computer to authenticate to the wireless network. Try whether this works...when it works, it proves that your certificate is OK and that EAP-TLS is configured correctly. When it doesn't work, it will be a lot easier to troubleshoot because the Windows Event Viewer gives you plenty of information.
  3. Use the iPhone Configuration Utility to export the user certificate you just created to your iPhone. You can even configure the wireless profile in the iPhone Configuration Utility.
  4. That's it.

Basically you use the same certificate from the computer on the iPhone, saving you the trouble of using SCEP. SCEP doesn’t give you any advantage, since it requires mapping the certificate to the user account in AD. You don’t have to do this with the method I described above.
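Added example (not from this thread or from Rene's tutorial) showing the two pieces of the post above in PowerShell: the "Map Client Certificate to User Account" step for the SCEP route, done by writing the altSecurityIdentities attribute in the issuer+serial form instead of clicking through Name Mappings in ADUC, and the PFX export of a Windows-enrolled user certificate for the non-SCEP route, so the iPhone Configuration Utility can attach it to a credential payload. It assumes the RSAT ActiveDirectory module and the built-in PKI module (Export-PfxCertificate) are available on the Windows machine; the account name jdoe, the subject CN=jdoe and the paths under C:\certs are placeholders.

```powershell
# Added example, not code from the original thread or tutorial.
# Assumptions: RSAT ActiveDirectory and the PKI module are installed; 'jdoe'
# and the C:\certs paths are placeholders for your own account and files.
Import-Module ActiveDirectory

function ConvertTo-AltSecurityIdentity {
    # Build the altSecurityIdentities value that ties one certificate to an AD user:
    #   X509:<I>issuer-DN-reversed<SR>serial-bytes-reversed
    # Windows shows the issuer as "CN=ca, DC=example, DC=com" and the serial as
    # big-endian hex; the mapping string wants both in reverse order.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Reverse the RDN order. Assumes no escaped commas inside RDN values,
    # which holds for a typical enterprise CA name.
    $rdns = @($Certificate.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # Reverse the byte order of the serial number (pairs of hex digits).
    $hex   = $Certificate.SerialNumber
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    $serial = -join $pairs

    return "X509:<I>$issuer<SR>$serial"
}

function Set-CertificateMapping {
    # SCEP route: iOS presents the enrolled cert as a user cert, so the cert must
    # be mapped to a user account. -Add appends, so existing mappings are kept.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$CertPath)
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $mapping = ConvertTo-AltSecurityIdentity -Certificate $cert
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    # Read it back so you can compare it with what ADUC shows under Name Mappings.
    return (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

function Export-ClientCertForIos {
    # Non-SCEP route: take the user certificate enrolled on this Windows box
    # (step 1 above) and export it with its private key as a PFX for the
    # iPhone Configuration Utility. The key must have been enrolled as exportable.
    param([Parameter(Mandatory)][string]$Subject,   # e.g. 'CN=jdoe' (placeholder)
          [Parameter(Mandatory)][string]$OutFile)
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No user certificate with subject '$Subject' and a private key found" }
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pw | Out-Null
    return $OutFile
}

# SCEP route: map the iPhone's enrolled certificate (exported as .cer) to the account.
Set-CertificateMapping -SamAccountName 'jdoe' -CertPath 'C:\certs\iphone-user.cer'

# Non-SCEP route: export the Windows-enrolled user cert for the iPhone Configuration Utility.
Export-ClientCertForIos -Subject 'CN=jdoe' -OutFile 'C:\certs\jdoe.pfx'
```

The issuer+serial form is used rather than a subject-only mapping because it pins the mapping to one specific certificate; if the iPhone is re-enrolled and gets a new serial, the attribute has to be updated, which is exactly the maintenance cost Rene describes. For the PFX route, pick a password you will type into the iPhone Configuration Utility once and then delete the .pfx from the Windows machine afterwards, since it carries the private key.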

Thanks so much for the fast reply. The method you described above works and is pretty easy.

Do you know any products or ways of automating the process? For example, here at this business we have, say, 100 iPads. I would love to avoid having to create a profile, export every cert, etc. for everyone.

Thanks again!

I know there are products out there that can do this but I don’t have any experience with it yet.

Ok, thanks for that Rene, again love your work and all your tutorials are great!

Thanks! Let me know if you find anything, I’d love to try it.

Hi Rene,

Great posts you have here! I’m wondering if you have any advice for me on getting our iPads to work using certificate-based authentication, but without having to create an iPhone Configuration Utility profile for each device. I work for a school district, and several of our schools have purchased carts with iPads over the past couple of years, with more on the way. We’re talking probably over 1,000 iPads district-wide. Some of the carts have a MacBook Pro on them, and some don’t.

Right now, the iPads are configured to connect to a simple WPA2-PSK SSID. But if that password leaks out, we’d have to reconfigure a lot of devices… not a fun prospect. And, since the majority of our student iPads are shared, we don’t want to have the devices authenticate to our secure SSID and then have them remember the student’s username and password. Training teachers to have the students go in and “Forget” the network when they’re done is not a viable option. I would love to have a way for our site techs to configure their iPads for certificate-based authentication, but with a minimum amount of effort.

Our environment is a hybrid of Novell eDirectory and Microsoft AD. We have 3 DCs: one running 2003, and two running 2008 (not R2). I use NPS for RADIUS authentication on one of the 2008 DCs. That setup works great for machine authentication for Windows, and even MacOS 10.8. But the iPads remain a challenge. I’m trying to avoid having to create a domain account for each one (as some articles I’ve found suggest). If you have any thoughts, I’d be most grateful.

Thanks!

Would this work on Macs?

You can authenticate Macs with EAP-TLS and certificates, but this tutorial, which uses the iPhone Configuration Utility, is just for mobile devices.

Hi Bryce,

Sorry for the late reply. I know that there are solutions out there that will provision your iPhones / iPads with certificates and profiles, but I’ve never worked with them before.

There are probably a lot of products like that out there. With the number of iPads you have, you’ll need something that does the auto-enrollment or it’s way too time-consuming. Like you said, using a pre-shared key is not a good idea…there’s no way to tell who has the key or when it has been leaked.

The problem with the iPads / iPhones is that they always seem to send their certificate as a “user” certificate even when you enrolled a “machine” certificate through SCEP. That’s why the domain account is unavoidable when you do it this way (as far as I know). For smaller setups I skipped using SCEP and just used enrollment on a Windows machine to get a user certificate and installed that on the iPads / iPhones.

Let me know if you find anything that does the auto-provisioning, I’m curious to take a look at it :)

Rene

Hello,

I used a public CA (e.g. GoDaddy or Entrust), but the iPhone always says the certificate is not trusted even though it is in the Trusted Root store. Is there any reason for this? Does iOS not use the Trusted Root store for authentication?

Thanks,
Rob

Hi Rob,

Did you solve this yet? I’m not sure if iOS uses the trusted root store for this. You could try to import the certificate manually by using the iPhone Configuration Utility. Does that make any difference?

Rene

How would one do this for a whole lab of iPads?

Hi Aaron,

You can use the iPhone Configuration Utility to quickly enroll iPads, but if you have a LOT of devices then I would suggest looking at an “MDM” solution. There are providers that have software so you can enroll profiles/certificates on a large number of Apple devices.

Rene

Any suggestions? We already have SCCM 2012 R2 set up and running, and I’ve looked at Intune. Is there something better?

We are a school district, so money is a real concern, and we probably have 120+ iPads for student use.

Hi,
For this, does the user not have to enter a username and password? Is just a certificate enough?