EAP and iPhone

I have a BYOD setup that is working well except for one thing that is annoying: I can't get iOS devices to trust the ISE server certificate.
Tested on 2 iPads and 2 iPhones.
When running Wireshark from a Mac I can see the certificate chain in the TLS packet coming from ISE, and my Mac is accepting this without problem, same for a Win 8 test machine.
In this document under The Trust Chain, Apple writes:
'The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server’s certificate'
Could it be that iOS devices ignore the cert. chain in an EAP packet?

The trusted CAs only come into effect when navigating to web portals, because the user has actually initiated a browser session to a secure site where the URL is entered.
With EAP authentication this behavior is different. When a user sends their credentials, the supplicant on the iPhone automatically prompts the client to validate the RADIUS server identity. It will also show you that the identity is trusted, but it will still prompt the user by informing them that their credentials are being forwarded to a specific RADIUS server.
You can also verify this by using a Windows machine: if you set the supplicant to "validate the server certificate" but leave the certificate entries unchecked, you will still be prompted to validate the RADIUS server's identity.
Tarik Admani
Sent from Cisco Technical Support iPad App
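The behaviour described above (a supplicant checks the RADIUS server's certificate chain against the CA it has been told to trust, and against the server name it expects, before it releases credentials; with no CA selected the operating system has nothing to decide with and must prompt the user) can be shown with a small Go program. This is an added example, not code from the thread, from Cisco or from Apple. It builds a constructed two-tier PKI (root, issuing CA, server certificate) in memory, with the hypothetical server name ise.corp.example; the Decision values, the Supplicant type and the helper names are all this example's own. The "unknown CA" outcome is the same failure class reported in the EAP-TLS thread further down, and the last case in the test shows what happens when the server sends only its own certificate without the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Decision string // what a supplicant does with the chain presented in the EAP-TLS handshake
const (
	Trusted      Decision = "trusted"       // anchors to a configured CA and the name matches
	PromptUser   Decision = "prompt-user"   // no anchor configured: the OS has to ask the user
	UnknownCA    Decision = "unknown-ca"    // chain does not lead to any trusted anchor
	ChainInvalid Decision = "chain-invalid" // expired, wrong key usage, bad signature, empty chain
	NameMismatch Decision = "name-mismatch" // trusted CA, but not the expected RADIUS server
)

// Supplicant carries the two settings a profile pins: trusted CA(s) and expected server names.
type Supplicant struct {
	Roots              *x509.CertPool // nil models "validate certificate" with no CA selected
	TrustedServerNames []string       // empty accepts any name under the trusted anchor
}

// Validate mirrors the checks a supplicant makes before releasing credentials to the server.
func (s Supplicant) Validate(chain []*x509.Certificate) (Decision, error) {
	if len(chain) == 0 {
		return ChainInvalid, errors.New("server sent no certificate")
	}
	if s.Roots == nil {
		return PromptUser, nil
	}
	intermediates := x509.NewCertPool() // everything after the leaf, as sent in the TLS Certificate message
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: s.Roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := chain[0].Verify(opts); err != nil {
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) {
			return UnknownCA, err
		}
		return ChainInvalid, err
	}
	for _, name := range s.TrustedServerNames {
		if chain[0].VerifyHostname(name) == nil {
			return Trusted, nil
		}
	}
	if len(s.TrustedServerNames) > 0 {
		return NameMismatch, fmt.Errorf("certificate is not valid for any of %v", s.TrustedServerNames)
	}
	return Trusted, nil // nothing pinned beyond the CA: any server it issued a cert for is accepted
}

func must[T any](v T, err error) T { // unwraps (value, error) while building the constructed fixtures
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue makes a P-256 key and a certificate for cn; parent == nil yields a self-signed CA.
func mustIssue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // supplicants match the SAN, not the CN
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

const ServerName = "ise.corp.example" // hypothetical ISE node name; the PKI below is constructed, not real

// BuildTestPKI returns the corporate root (what a supplicant pins) and the chain the server sends: leaf, then issuing CA.
func BuildTestPKI() (*x509.CertPool, []*x509.Certificate) {
	root, rootKey := mustIssue("Corp Root CA", 1, true, nil, nil)
	ca, caKey := mustIssue("Corp Issuing CA", 2, true, root, rootKey)
	server, _ := mustIssue(ServerName, 3, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, []*x509.Certificate{server, ca}
}

func main() {
	roots, chain := BuildTestPKI()
	fmt.Println(Supplicant{Roots: roots, TrustedServerNames: []string{ServerName}}.Validate(chain))
	fmt.Println(Supplicant{}.Validate(chain))                          // no anchor selected: prompt-user
	fmt.Println(Supplicant{Roots: x509.NewCertPool()}.Validate(chain)) // unrelated trust store: unknown-ca
}
```

The two Supplicant fields correspond to what a Wi-Fi profile pins on a managed device: the CA certificate it may anchor to and the server names it will accept (on iOS these are the anchor certificate payload and the TLSTrustedServerNames list in the EAP client configuration). Pinning both is what turns the prompt into a silent connection, and it is also what stops a rogue RADIUS server with a certificate from the same public CA from collecting credentials.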

Similar Messages

  • EAP-TLS wi-fi net for PC and iPhone

    Hi, everyone! I'm rather confused and hoped that someone could help me to make the situation clear.
    We want to establish a Wi-Fi network with WPA2 Enterprise and EAP-TLS for computers and mobile devices (iPhones, Nokia Symbian, Android devices).
    The connection is organised in such way: client---AP 1240---ACS 4.2---AD(server 2003)
    I have 2 testing computers with wi-fi adapters: one is connected to the domain (has a wire connection), another has a local account, and an iPhone. I customized the settings on these computers, iPhone, AP and ACS.
    We have our own CA, 2-tier PKI infrastructure. I have installed the ACS and client's certificates on all the devices (by the way, they are 2048 bits in size).
    I manage to connect from a computer included in the domain but the second PC and iPhone refuse to connect, respectively:
    "EAP-TLS or PEAP authentication failed during SSL handshake".
    "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
    Also I saw in logs that "Machine authentication is not permitted" so the domain PC authenticates through user account and is mapped to a special group.
    So I think the reason is that only domain devices are allowed to join the net. How can I change this thing?
    Another variant is that I issue the certificates first to wired domain computers and then export them to devices not connected to the domain, so they have inappropriate credentials.
    Please, if you have any thoughts about the reason of the problem, share them. I would appreciate any help.

    The ATV is strictly a wifi client, it doesn't function as a router or access point. You can connect it to your router either by wifi or Ethernet cable. Your pc doesn't need a wifi card to work with an ATV as long as they're both on the same network.

  • How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to Windows devices via group policy. However, we're now looking to see how we can accomplish this for MacBooks and iPhones. Is there an open source application or something we can leverage to do this?

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • IMessage on iPad and iPhone Explained and De-Mystified

    Apple's much-anticipated iOS5 has a lot of cool features, one of which is the iMessage platform.  What I've discovered is a lot of confusion among the masses on how this platform works.  I, myself, have been confused on how to set this up so that I can maintain iMessage convos on both my iPad2 and iPhone.  Last night, I set out to figure this all out and post my findings here.  What I am about to outline has worked for me and I feel is the way Apple intended it to work.  For good or bad, I don't plan to discuss the merits of how Apple has designed this platform.  I am simply sharing what has worked for me. 
    In order for me to test my theories I used my iPad 2, iPhone 4S and my wife's iPad and iPhone 4.  This allowed me to test the iMessage platform as if I were messaging one of my contacts who I know had installed iOS5 but theoretically doesn't live under my roof, so to speak.  My example will center around my particular situation:  someone who has both an iPad (or other non-iPhone device) and an iPhone 4S (or 4 or 3GS) AND wants to keep iMessage convos in sync across all my devices.  After all, this is one of the main benefits of iMessage that Apple touts. 
    First and foremost, it is important to activate iMessage on all your iOS5 devices using the same Apple ID.  This will "link" all your iOS5 devices in the Apple ecosystem and keep convos you initiate in sync across your iOS5 devices.  Some of you may run into a situation like I did where our PRIMARY Apple ID is the one we use as a family to purchase music, apps, etc.  In the case of iMessage, every family member should have their own unique Apple ID (a secondary ID to your primary ID) to use on their own iOS5 devices.  This will keep all your iMessages separate and distinct from other family members' iMessage convos.  The next important setting, and the one that causes a lot of confusion, is the "Receive At" setting.  On your iPhone this is your cell phone number, by default.  You will also want to add an e-mail address as another "Receive At" location.  If you have an iPad or other non-iPhone iOS5 device, you will want to choose an e-mail address (on my devices my Apple ID is the same as my e-mail address I am using on the "Receive At" setting) as your "Receive At" setting.  The important thing to note is that if you have both an iPhone and iPad (or any other non-iPhone device) you will want to use the same e-mail address on both devices.  This will help keep your convos that others have initiated to you in sync across your iOS5 devices.  Finally, the Caller ID is the next setting to consider.  You have two options here:  (1) your cell number, or (2) the e-mail address you entered in the step above.  Your choice depends on how you want others to see your contact info and whether or not keeping convos in sync across your iOS5 devices is important.  My example below will illustrate this.
    Keeping messages in sync across my devices is important so I have provided my Apple ID that I used above to all my contacts who use iOS5 devices and I have asked them to use this to iMessage me.  This is the only way that an iMessage convo initiated by one of your contacts to you will stay in sync across all your iOS5 devices.  If they use your cell number, then the iMessage convo will only show up on your iPhone.  Even though the Apple ID you used to activate iMessage in the Apple ecosystem links your devices, a reply from your iPhone to an iMessage sent only to your cell phone will not "push" the reply to your non-iPhone device.  Long story short, give all your iOS5 contacts the e-mail address you entered above in the "Receive At" setting and all your convos will stay in sync.  This is very similar to the BlackBerry Messenger protocol and the PIN that BBM users need to provide other BBM users so they can message each other. 
    I commandeered my wife's iPad and iPhone and began sending iMessages back and forth between my and her devices.  Step 1, I sent an iMessage from my iPad 2 to her cell number.  Because I initiated the iMessage to my wife and my devices were both activated in the Apple ecosystem using my Apple ID, the convo appeared on both my iPad and iPhone but she received my iMessage on her iPhone but NOT her iPad.  This is because her iPad is connected to the iMessage platform through her "Receive At" email address; there is no "link" between her iPhone cell number and her iPad.  When she responded to my iMessage, the convo continued to appear only on her iPhone but appears on both my iPad 2 and iPhone.  Step 2, I sent her an iMessage to her "Receive At" email address and she received the message on both her devices.  As in the first scenario, the convo appears on both of my devices.  At this point, because I used her "Receive At" email address, the convo is in sync on both of her devices.  Here is an important tip:  when you type in a contact name on the "To:" line of an iMessage, their available iMessage "Receive At" email addresses and cell phone number will appear with a little blue balloon next to them.  The opposite of the above occurred when my wife initiated the iMessages to me as described in Step 1 and Step 2.
    In summary:
    First, make sure you activate iMessage on all your devices using your unique Apple ID.  This links your devices in the Apple iMessage ecosystem.  Second, choose a "Receive At" email address that you can provide to your contacts that use iOS5 so that convos that they initiate to you will be in sync across your iOS5 devices.  Lastly, I recommend setting your Caller ID to your "Receive At" email address.  This will prompt any users that don't have your "Receive At" email address to add it to their contacts.  It may go without saying, but if your iOS5 contacts have multiple iOS5 devices and they are interested in keeping their convos in sync across their devices they will have to provide you their "Receive At" email address as their preferred iMessage contact.
    Hope this helps.

    Thanks for this write up, it's very helpful and thorough!
    I have a couple questions, maybe you could clear them up.
    You write:
    "If you have an iPad or other non-iPhone iOS5 device, you will want to choose an e-mail address (on my devices my Apple ID is the same as my e-mail address I am using on the "Receive At" setting) as your "Receive At" setting."
    How important would you say this part I've bolded is?  For example, if my Apple ID is "Tooth" but my "Receive At" setting is "[email protected]," I'll still be able to sync the messages, correct?  The part that is tricky is with the iPhone, where your default "Receive At" setting will be the phone number, despite the iPhone also being registered with the same Apple ID.
    Next, you say:
    "Lastly, I recommend setting your Caller ID to your "Receive At" email address.  This will prompt any users that don't have your "Receive At" email address to add it to their contacts."
    What exactly do you mean by your Caller ID here?  Do you mean the contact card that I have for myself, in my contacts app?
    Thanks so much for posting this.

  • How do I change the iCloud account on my iPhone? I want to use the same account for all my Apple devices (MacBook Air and iMac and iPhone). I can't see where I can amend the iPhone account because it is in grey?

    I want to use the same account for all my Apple devices (MacBook Air, iMac and iPhone). I can't see how I can amend the iPhone account because it is in grey? I also can't remember the password for this account so I can't even delete it and start again?

    Deleting an iCloud account only deletes it from the Device, not from iCloud.  In iOS 8, the name of this setting changed to "Sign Out" as that is a better reflection of what actually happens.  Your iCloud data remains on the server, available to devices still signed into the account, but the device you sign out of the account on is disconnected from the account, and as a result, the iCloud data from that account is removed from the device.  It will redownload to the device should you sign back into the account.
    The only issue you'll run into when you switch between accounts is with My Photo Stream photos older than 30 days.  When you delete (or sign out of) an account, your Photo Stream photos are deleted along with the other data from the account in question.  However, unlike other data which remains on the server and can redownload to your device when you sign back in, My Photo Stream photos only remain in iCloud for 30 days.  When you sign back in, you will only get back My Photo Stream photos added in the last 30 days (as older photos are no longer in iCloud to redownload).  Like other account data, any My Photo Stream photos on your other devices signed into the account are unaffected by this.  If you want to keep older My Photo Stream photos on your device as you change iCloud accounts, save them to your camera roll before deleting (signing out of) the account.

  • Is there a way to create a password protected folder for pictures or lock the Photos app? For iPad Air and iPhone 5s.

    Is there a way to create a password protected folder for pictures or lock the Photos app? I want to do this for iPad Air and iPhone 5s. I have other family members that use my iPad and iPhone and do not want some pictures to be able to be viewed.

    Use 3rd party apps like Photo Manager Pro.

  • HT200196 iCal reminders are clogging up my computers, iPads and iPhone.  When I view the Calendar list in iCal, it seems it has added a new calendar every time an event is added.  I have a calendar list that has grown to over 100.  How do I remedy this?

    My laptop, iPad, and iPhone are being clogged by repeated iCal alerts.  Every time an event is added, it seems another Calendar is also added.  When I view the Calendar list in iCal, there are over 100...and the number is growing.  They can not be deleted with a simple "Select all" or "Delete All" and, when deleted individually, the list quickly grows to huge numbers again rapidly.  How do I keep this from happening and eliminate the excessive number of calendars?

    The warranty entitles you to complimentary phone support for the first 90 days of ownership.

  • I have an wireless printer and a new wifi router. I have set the printer and iPhone / iPad correctly to the new router but when i try to print it won't recognise the air printer. Help. All was working fine on my old router

    I have a new wifi router and have set up my iPad / iPhone and wireless printer correctly to the new router but I can't print from the iPad and iPhone. It keeps saying 'no AirPrint printer found'. Help please!

    Start with the most basic thing that you can try. Unplug the router from power for about 30 seconds, and restart the printer and the iPad and plug the router back into power.

  • My address book and iPhone pics have become low resolution.  Is there a way I can prevent this from happening when I start out with a higher resolution picture?

    I guess I squeezed my entire issue into the subject line.  lol   When I sync my iPhone to my laptop I notice that all my address book pics and iPhone pics have become lower resolution, even though I started out with the resolution that I really needed to produce decent address book printouts.  I doubt I can correct the losses of resolution that have occurred but can anyone help me figure out how to prevent future losses?  Thank you!

    Plugins usually are installed externally to Firefox. However, you can disable them in Firefox so that Firefox does not use them.
    SearchReset is supposed to automate the task of resetting certain preferences, but you still can edit them manually if necessary.
    Address Bar Search
    (1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
    (2) In the filter box, type or paste keyword and pause while the list is filtered.
    (3) Right-click keyword.URL and choose Reset. This should restore Google as the default for address bar search.
    Does that work?
    Search Box
    Usually it works to choose your preferred search engine from the drop-down. To remove an unwanted search engine plugin, usually the Manage Search Engines... choice at the bottom of the drop-down takes care of it.
    Do either of those work?
    There might be another way to hijack that search box; I think some of the other frequent responders probably are more familiar with it than I am.

  • I updated my iPad 2 and iPhone 4S to iOS 6 and now I am unable to use Music on my iPhone (all is well with the iPad 2)

    After updating my iPad 2 and iPhone 4S to iOS 6 I can not use the Music function on the iPhone to play songs.  The iPad 2 is okay.  Help!

    This is what I have discovered. If I purchase an app that I've never purchased before it does download to both devices. Seems to only work when a never before used app is downloaded. If I have previously downloaded an app before I began using iCloud to sync multiple devices the apps don't appear on all devices.

  • HT1277 I cannot send email from my mac but I can from my iPad and iphone

    Hi Guys,
    Suddenly I cannot send email from my Mac.  I can however receive emails.
    I can send emails with the same settings from my iPad and iPhone.
    Please help!!

    Your settings for the SMTP server — host name, port number, SSL/TLS or not, or login credentials — are likely incorrect.  Use the Connection Doctor tool (Mail.app > Window > Connection Doctor) to check what's going on with the connections (and to get some diagnostic messages), then review the diagnostics and the current settings with the requirements established for your particular mail provider.

  • We purchased a new iPad2 and registered it using a 'new' iCloud email/ID. We are unable to send email from the iPad and iPhone. The error is: Cannot send mail. The user name or password for iCloud is incorrect.

    We purchased a new iPad2 and registered it using a 'new' iCloud email/ID. We are unable to send email from the iPad and iPhone. The error is: Cannot send mail. The user name or password for iCloud is incorrect.

    About 20 hours later, this ended up solving itself. We can send email using the '.icloud' email from both the iPad and iPhone.  Advice would be 'wait' before you start seeking alternatives like Yahoo, Hotmail, etc.  This definitely is a convenient way to keep all your 'cloud' information in a centralized place, including the common email...

  • TS3899 Cannot send email with new iPad Air.  Works fine with old iPad and iPhone.

    Cannot send email with new iPad Air.  Works fine with old iPad and iPhone.  I have deleted the account and reinstalled.

    Thanks.  I got the problem fixed.  Spent time with the Apple folks and was kicked up to a senior advisor.  It seems the problem was with my internet provider, Time Warner.  Remember I could use the old iPad and the iPhone to send mail.  I checked all the specifics between the three units.  It seems that TW is changing over from RR.com to TWC.com.  Since the new iPad Air was just set up, it fell under the new TWC mail specifics.

  • I can send emails on my iPad and iPhone but not on my iMac. I can receive them okay.

    I am using a @virgin.net email and cannot send emails from my iMac. I can receive them and have no problem sending them on my iPad and iPhone. Why?

    It sounds to me like you need to go into Mail, then Preferences, and check your outgoing mail settings for this mail account.  If you're not sure what they need to be, you can probably get most (if not all) of the information you need off of your iPad or iPhone.
    I've seen it happen where the settings are correct and things still didn't work.  In that case, usually reentering everything in the Mail settings resolves the issue.

  • When I try to send email from my iPad and iPhone it says that I have the incorrect username and/or password, but I know they are correct, can someone help me?

    When I try to send email from my iPad and iPhone it says that I have the wrong username and/or password, but I know they are correct.  Can someone help me?

    "Your email account" means to tap on the name of your email account. Whatever it is listed as in the settings.
    In my mail settings, one of my email accounts is a Comcast account. I tap on the Comcast name and it brings up this window.
    Then I tap on the arrow under the Outgoing mail server smtp setting to get to the next window.
    In the resulting window, I then tap on the arrow next to the smtp server under the Primary Server setting.
    That brings up this window in which I check to make sure that my user name and password have been entered correctly. If those items are missing, enter them in the appropriate fields and then tap done.
