You fire up your iPad and connect to your EAP-secured wireless network, and you are presented with the "Validate Certificate" screen!
My RADIUS certificate is signed by a reputable CA. Why am I getting this popup?
CEOs, managers and users are being presented with the popup and are asking IT why. I did some investigation. I needed to confirm the certificate store on the device. Apple published this information at the link below. It is a rather extensive CA list.
http://support.apple.com/kb/ht5012
Brief Caption:
iOS 5 and iOS 6: List of available trusted root certificates
Summary
These trusted root certificates are preinstalled with iOS 5 and iOS 6. When IT administrators create Configuration Profiles for iPhone, iPad, or iPod touch using the iPhone Configuration Utility, these certificates do not need to be included.
Products Affected
iPad, iPhone, iPod touch
I reached out to a number of colleagues in the industry and all reported the same issue. One colleague in particular, Cesar, directed me to another Apple link that clarified my understanding of the issue.
http://support.apple.com/kb/HT1978
Brief Caption:
iOS: Install profiles with CA Certificates to simplify enterprise Wi-Fi connection process
Summary
For a number of enterprise Wi-Fi connection types, IT administrators will deploy profiles they create with iPhone Configuration Utility to automate and/or restrict user Wi-Fi connections. Including the CA Certificate for these connections will remove the users' need to verify that they trust the Certificate(s) provided each time they reconnect to Wi-Fi. CA Certificates and Trust settings can be provided within configuration profiles.
Clearly an Apple issue. It would appear Apple requires you to validate each EAP certificate. For example, if you have 5 RADIUS servers in your enterprise, you will be asked to validate all 5 certificates at some point as your client roams the enterprise.
There is a workaround for this issue. As mentioned in the Apple article, you can configure wireless profiles and include the EAP certificate in the profile. By doing so, the user will not be presented with the certificate popup when connecting.
Note: My Mac behaves the same way as well.
What has been your experience? Your feedback is appreciated!
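The workaround described above, as an added example that is not part of the original post or Apple's article: it builds a configuration profile whose Wi-Fi payload is anchored to a CA certificate payload and names the RADIUS servers, then audits the result. The SSID, server names, identifiers, function names and placeholder certificate bytes are constructed for illustration, and it assumes the CA certificate (as in Apple's summary) is what gets embedded.

```python
import plistlib
import uuid

# Constructed placeholder; a real profile carries the DER bytes of the CA certificate.
PLACEHOLDER_CA_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

def _payload(ptype, ident, name, **extra):
    """Common keys every payload dictionary carries, plus type-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name, **extra}

def build_wifi_profile(ssid, ca_der, radius_names, org_id="com.example"):
    """Return .mobileconfig bytes: a CA payload plus a Wi-Fi payload anchored to it."""
    ca = _payload("com.apple.security.root", org_id + ".wifi.ca", "RADIUS issuing CA",
                  PayloadContent=ca_der)  # bytes are serialized as <data>
    eap = {
        "AcceptEAPTypes": [25],                               # 25 = PEAP
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust only this CA
        "TLSTrustedServerNames": list(radius_names),          # one entry per RADIUS server
        "TLSAllowTrustExceptions": False,                     # no user-approved exceptions
    }
    wifi = _payload("com.apple.wifi.managed", org_id + ".wifi.net", ssid,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2", EAPClientConfiguration=eap)
    top = _payload("Configuration", org_id + ".wifi", ssid + " Wi-Fi",
                   PayloadContent=[ca, wifi])
    return plistlib.dumps(top)

def audit_profile(data):
    """Return a list of trust problems found in a profile's Wi-Fi payloads."""
    payloads = plistlib.loads(data)["PayloadContent"]
    cert_uuids = {p["PayloadUUID"] for p in payloads if p["PayloadType"].startswith("com.apple.security.")}
    problems = []
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= cert_uuids:
            problems.append(p["SSID_STR"] + ": anchor missing or not in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(p["SSID_STR"] + ": no trusted server names")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append(p["SSID_STR"] + ": trust exceptions allowed")
    return problems

if __name__ == "__main__":
    data = build_wifi_profile("CorpWiFi", PLACEHOLDER_CA_DER, ["radius1.example.com", "radius2.example.com"])
    print(audit_profile(data) or "profile pins CA and server names")
```

Listing every RADIUS server name in the one profile is what covers the roaming case with several servers.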