2008R2 - NPS/CA - 802.11x - iOS Devices

  • Question

  • My workplace wants to implement iPads, but we do not wish to implement PEAP using MS-CHAPv2 for these particular users, as that would then enable them to bring in other devices. So we want to use TLS with them.

    I have configured my CA server with SCEP and that works fine; the iOS device can generate a certificate, but when I try to authenticate using TLS I get a rejected message from NPS.

    In the logs it has the FQ User Name as DOMAIN\TsukiHime (Tsukihime was the common name that I gave the certificate), and the Terminate Cause I get returned is NO_SUCH_USER.

    Now I don't want to authenticate as a user, I want to authenticate as a device. I know when I look at a Windows 7 computer which authenticates as a computer it has HOST\COMPUTERNAME$ as the FQ User Name.

    So I have a few questions: in my SCEP policy, what should I be putting in as the CN of the certificate? Can I use any value that I deem fit, or should I be tying the certificate to a user?

    My Network Policy that I am using to authenticate for TLS is as follows:

    Conditions

    • NAS Port Type = Ethernet OR Wireless - 802.11 or Wireless Other

    Settings

    • Extensible Authentication Protocol Method = Microsoft: Smart Card or other Certificate
    • Authentication Method = EAP
    • Framed-Protocol = PPP
    • Access Permission = TRUE

    Now my Windows 7 machine can connect using this policy; I just cannot get an iOS device to. I have tried using TLS and PEAP settings and nothing works.

    Any advice on how to get this up and running would be much appreciated, as I can find little on the subject.. Ah, why can't they just stick with Windows machines... At least it works..

    Monday, August 29, 2011 6:06 AM

Answers

  • Further Update:

    I went through the SCEP Guide and corrected a few issues that I had. I can get a certificate to the client; at present I am using a Subject of O=knox,OU=iOS,CN=TsukiYomi, which is an Active Directory path to an actual computer in AD. (Not attached to any physical computer)

    It attempts authentication, but IAS rejects the connection under the correct policy (so at least I got a few things right) with the reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

    This says to me that the iOS device is authenticating as a user and not as a computer or device like it should.

    Any suggestions on where to go now..

    Tuesday, August 30, 2011 6:29 AM

All replies

  • Well, after a brain-dead two days and a total dead day, I have finally figured it out..

    The SCEP policy in the iPhone Configuration Tool requires a Subject Alternative Name with an NT Principal Name attached to it.

    This means that for every machine that is connected via SCEP we need to create a computer in AD to represent the machine.. That works for me.. It means that I can control what goes on..

    Excellent..

    At least now I know that I was not going insane; it just seems that everyone else who has figured this out has not bothered to tell anyone else..

    Oh well, at least I know SCEP, RADIUS and CA a lot better now.. Learning experiences..

    Thursday, September 1, 2011 2:29 AM
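    As an added example (not from this thread, and not Microsoft's own tooling), the PowerShell check below dumps the certificate fields NPS uses when it maps an EAP-TLS client to an account, so the SAN contents can be compared with the "Fully Qualified User Name" in the NPS log. The certificate path is a placeholder, and the rule that the part of the UPN before "@" names the AD computer account is an assumption, not something this thread confirms.

```powershell
# Added troubleshooting helper (not from this thread). Run on the NPS/IAS server
# against an exported copy of the iOS client certificate. Path is a placeholder.
param([string]$CertPath = 'C:\temp\ios-client.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$upn = $null; $dns = @(); $clientAuth = $false

# 2.5.29.17 = subjectAltName. Format($true) renders it as text, e.g.
# "Other Name: Principal Name=..." for a UPN and "DNS Name=..." for a dNSName.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $text = $san.Format($true)
    if ($text -match 'Principal Name=([^\s,]+)') { $upn = $Matches[1] }
    $dns = @([regex]::Matches($text, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value })
}

# 2.5.29.37 = extendedKeyUsage; the "Smart Card or other Certificate" EAP method
# needs Client Authentication (1.3.6.1.5.5.7.3.2) on the client certificate.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}

"Subject         : $($cert.Subject)"
"SAN UPN         : $upn"
"SAN DNS names   : $($dns -join ', ')"
"Client Auth EKU : $clientAuth"

if (-not $upn) {
    # Without an NT Principal Name in the SAN, NPS has nothing to map to a computer
    # account; the log then shows the Subject CN as a user name (NO_SUCH_USER).
    Write-Warning 'No NT Principal Name in the Subject Alternative Name.'
}
elseif (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
    # Assumption: the part of the UPN before "@" is the computer name. Look for the
    # matching AD computer account (sAMAccountName ends in "$"). Needs the AD module.
    $sam = (($upn -split '@')[0]).TrimEnd('$') + '$'
    $acct = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($acct) { "AD computer account : $($acct.DistinguishedName)" }
    else       { Write-Warning "No AD computer account with sAMAccountName $sam" }
}
```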
  • The SCEP policy in the iPhone Configuration Tool requires a Subject Alternative Name with an NT Principal Name attached to it.

    Can you give an example of what you needed to input into the SAN field? Was it just "COMPUTERNAME"?  Or "DOMAIN\COMPUTERNAME" or "COMPUTERNAME$"?

    What did you specify in the Subject as well?  Did you have a $ in the name?

    Also, did you need to set the CA to allow the SAN in the request as suggested in this article?

       http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

    Tuesday, October 11, 2011 6:46 PM