EAP-TLS with Server 2008 SCEP for Apple Devices

Hi Cory,

I’m glad to hear you like my material!

First of all, the iPhone and EAP-TLS are a pain; it took quite some time to get it working and to fully understand how it works. When you use SCEP like I did in this tutorial, it will generate a "machine" certificate for your iPhone, but when the iPhone authenticates itself it will ALWAYS present its certificate as a "user certificate". As a result, it will fail unless you manually map the certificate to the user account in the AD, like I did in the "Map Client Certificate to User Account" section. Another issue is that SCEP enrollment through the iPhone utility sometimes doesn't work, and it doesn't always give you very useful error messages.

When I wrote this tutorial I really liked the idea of SCEP and automatically enrolling certificates to Apple devices, but in reality it's a pain. There is a better method to do this; it's basically the same as for the Android devices in this tutorial, where we don't use SCEP:

  1. You use a Windows computer to request a user certificate from the CA. It will be installed on your computer.
  2. You can use this certificate on your Windows computer to authenticate to the wireless network, so test whether this works. When it works, it proves that your certificate is OK and that EAP-TLS is configured correctly. When it doesn't work, it will be a lot easier to troubleshoot, because the Windows Event Viewer gives you plenty of information.
  3. Use the iPhone Configuration Utility to export the user certificate you just created to your iPhone. You can even configure the wireless profile in the iPhone Configuration Utility.
  4. That's it.

Basically you use the same certificate from the computer on the iPhone, saving you the trouble of using SCEP. SCEP doesn't give you any advantage, since it requires the mapping of the certificate to the user account in AD. You don't have to do this with the method I described above.
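The three-step procedure in the reply above, scripted on the Windows client as an added example (this is not code from the original reply or the tutorial). It assumes a domain-joined Windows 8 / Server 2012 or later client (the PKI module's Get-Certificate and Export-PfxCertificate cmdlets), a user template published on the AD CS CA with an exportable private key, and placeholder names "User" for the template and "CorpWiFi" for the wireless profile; change those to match your environment.

```powershell
# Added example, not part of the original reply: enroll a user certificate on
# a Windows client, check what it carries, test EAP-TLS from Windows, then
# export it as a PFX for the iPhone Configuration Utility.
# Assumptions: Windows 8/2012+ (PKI module), domain-joined client, and an
# exportable user template named "User"; "CorpWiFi" is a placeholder profile.

$Template    = 'User'       # assumed template name, adjust to your CA
$ProfileName = 'CorpWiFi'   # assumed wireless profile name on this client
$PfxPath     = "$env:USERPROFILE\Desktop\eap-tls-user.pfx"

# Step 1: request a user certificate from the enterprise CA via AD enrollment
# policy; it lands in the current user's personal store.
$enroll = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\CurrentUser\My'
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($enroll.Status)"
}
$cert = $enroll.Certificate

# Show what the RADIUS server will see. A user certificate carries the
# Client Authentication EKU and the user's UPN in the Subject Alternative
# Name; a machine certificate carries the host's DNS name there instead,
# which is why a SCEP "machine" cert presented as a user cert needs a
# manual AD mapping.
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint
$cert.EnhancedKeyUsageList | Format-Table FriendlyName, ObjectId
$cert.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
    ForEach-Object { $_.Format($true) }
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')) {
    Write-Warning 'No Client Authentication EKU: EAP-TLS will reject this certificate.'
}

# Step 2: prove the certificate and the EAP-TLS setup from Windows first,
# then read the client-side WLAN log for the result and failure reasons.
netsh wlan connect name=$ProfileName
Start-Sleep -Seconds 10
Get-WinEvent -LogName 'Microsoft-Windows-WLAN-AutoConfig/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Step 3: only once Windows authenticates, export certificate plus private
# key as a password-protected PFX for import into the iPhone profile.
$pw = Read-Host -AsSecureString 'PFX password (you will enter it in the iPhone Configuration Utility)'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
Write-Host "Exported $PfxPath. Delete the file after importing it into the profile."
```

Run it in a normal (non-elevated) PowerShell session as the user who will own the certificate, since the enrollment and export operate on the CurrentUser store. The PFX contains the private key, so treat it as a credential: password-protect it, copy it only into the configuration utility, and remove the file afterwards.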