Issues Connecting to 802.1x Wi-Fi

Question

Level 1

5 points

Issues Connecting to 802.1x Wi-Fi

Hi All,

We are having issues connecting to 802.1x wi-fi lately. The user clicks to connect, is presented with the RADIUS servers certificate, the user clicks to trust the certificate, and then they get "unable to connect". Trying again brings up the certificate again to be trusted. It is almost as if Apple changed something so that now it will not allow the cert we are using to be trusted. The certificate for the CA for the RADIUS server's cert is on the iPad. Anyone else seeing this?

Posted on Oct 27, 2022 01:41 PM

Reply

Answer 1

Oct 27, 2022 01:46 PM in response to lisafromaway

Verify the certificate is valid. Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support

Make sure any necessary intermediate certificates are included.

Add and trust the certificate using a profile via MDM (MDM app, Apple Configurator 2 or otherwise), and try again.

Reply

Answer 2

Oct 27, 2022 02:56 PM in response to lisafromaway

lisafromaway wrote:

Certificate has been working fine...it would have presented issue way before now since that release was for 2019...it was working until recently.

Certificates can expire, allowed certificate lifetimes can be shortened, certificates can be revoked, you will want to verify.

Too many don’t have a good handle on their populations of certificates and associated expirations, among other wrinkles.

Reply

Answer 3

Oct 27, 2022 03:45 PM in response to lisafromaway

Is that the entire chain, or is there a root certificate and intermediates?

Loaded the cert via profile?

Or easier, get rid of the certificate entirely, as (given the way it’s being used) it’s serving no useful purpose here.

Reply

Answer 4

Oct 28, 2022 05:22 PM in response to lisafromaway

lisafromaway wrote:

The certificate is necessary to validate the RADIUS server identity to the device. Not sure why you think it can just be removed.

Consider what loading a certificate over an untrusted network link means, both for any hostile intermediate “provider” of some certificate (whether rogue AP or otherwise), and consider the general issues training users around loading and trusting “random” certificates. Or load the certificate through a trusted path. Or acquire a trusted certificate, of course.

Reply

Answer 5

Oct 28, 2022 06:24 PM in response to lisafromaway

If the certificate profile is already loaded and already trusted, why is the user even encountering anything related to trusting the certificate? Investigate that.

If the certificate is loaded and trusted, then it's missing an intermediate or has some other error, or the RADIUS server is serving the wrong or a stale certificate. Investigate that, too.

If the certificate is being loaded from the RADIUS server, that would cause this, and having a certificate loaded and trusted over an open link is somewhere between less than optimal and pointless, and there's little reason to bother even having the certificate—other than maintaining pretend-security, of course.

Reply