MassimoGatta
Contributor

CA Certificate for Wifi access

Hi,
I need to deploy a cert to all our Samsung devices to join a Wi-Fi network.

I configured the integration between the CA and AirWatch and the request templates. It should be OK, as the test connection said.

After that, I made a profile with 'Credentials' and Wi-Fi, as in the attached pics.

The profile deploys well, but the authentication with the SSID is unsuccessful.
After the deployment I got a message on the device that shows the certificates on the device.
The domain user is in a correct AD group.

NB: I don't use a root certificate; should I?

thanks in advance,

Massimo


34 Replies
J4yJ4y
Enthusiast

I have not seen an EAP-TLS deployment on Android devices that does not require end-user interaction on the device to do the finishing touches, like selecting the EAP-TLS protocol, selecting the client certificate and entering the identity.
Although all of this is configured in the AW device profile.
Same here on a Samsung S4 mini 4.4.2.
Even worse on Sony Xperia 5.1.1: cert installed on device (message 'network may be monitored' in taskbar), cert cannot be selected in Wi-Fi settings.

On iOS (iPad 2, iOS 9.3.1) the EAP-TLS device profile installs seamlessly; the user only has to select the SSID, no input of parameters is required at all from the end user. And the client certificate does what it is supposed to do: enable access for the device to the network.

Context: AW 8.3.2.5 with Windows 2012 R2 RADIUS, ADCS and AD server.
RADIUS configured for certificate authentication.

What message do you get on the device?
0 Kudos
MichaelWeisberg
Contributor

Johan, this was fixed for Samsung SAFE 2+ devices as of agent v6. It should now configure the Wi-Fi properly to use the cert-based authentication.
0 Kudos
fredsnowtmna
Contributor

Hey Massimo. If you're still having an issue with this, let me know. I resolved a very similar issue with our Android vs. RADIUS Wi-Fi profile last year. It's kind of complicated, but if you're still stuck, I'm happy to help.
0 Kudos
MassimoGatta
Contributor

Hi Fred,

Too bad to say, but I'm still stuck. At this point we got as a hint that we need to change our infrastructure and deploy an AWCM, even if this isn't a requirement. Otherwise this should be a certificate issue, but the template was revised at least twice by AW support.
So yes, I'll be very happy if you can help me.
0 Kudos
AmigoDeluxe
Contributor

Hey Massimo. Did you find out if you need the root cert as well?
0 Kudos
fredsnowtmna
Contributor

Massimo, not sure why I missed your response back in January, but Konstantinos replying just made it pop into my inbox. OK, so here is the trick that we did to get this to work in our Android vs. RADIUS/ISE environment. Do NOT upload your corporate Root or Intermediate cert as part of the Credentials payload. Only include the User Identity cert template that is issued by the CA. Then designate that certificate (Certificate #1) as BOTH the 'Identity' AND the 'Root Certificate'. I know, it doesn't make sense, but it's what worked for us. Also, put a dummy password in the Password field (it's a quirk of getting cert-based profiles to install properly on Android). Once the profile installs, it will try with the dummy password > Fail > Look for a cert. I worked on this for more than a year before I got it to work. I hope it helps get you up and running too.
0 Kudos
anonymousmigrat
Enthusiast

Fred, so under the Credentials payload, are your options like this?
Credential Source: Defined Certificate Authority
Certificate Authority: [Company CA]
Certificate Template: [The template you created]

And then under Wi-Fi, did you have anything for:
Identity: ?
Password: [dummy password]
Identity Certificate: Certificate #1
Root Certificate: Certificate #1

We are trying to get EAP-TLS working with cert auth on Android too and are running into auth issues.
0 Kudos
jamiepeers
Contributor

Hi,

Is there any more info on this in relation to what needs to be added for the Wi-Fi payload?
0 Kudos
anonymousmigrat
Enthusiast

I've found that by setting the Root Certificate field to None, I was able to get my devices connected to the Wi-Fi network. For Android, the Identity field is {DeviceSerialNumber}.
I also had to add a computer object to AD. I'm not sure why as of yet, and I want to avoid having to do this. Still investigating.
0 Kudos
SimoneStefanett
Contributor

I deployed Wi-Fi cert-based profiles for more than 10 customers during my AirWatch activity, and what I can say is that I had to use a different configuration for each customer.
Usually the issue has to be investigated on the Wi-Fi authenticator (usually a RADIUS solution)...
I can also say that using device-based authentication can be tricky in the mobile world: switching to user-based authentication for this purpose could simplify the delivery of the solution; using a device-based authentication mechanism could also require interaction on the AD side, as Luke said...

0 Kudos
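Several posts above suspect the certificate template while the authenticator (RADIUS/ISE) is where the failure is actually decided, and the opening question asks whether a root certificate is needed. The following Go program is an added example, not code from this thread or from AirWatch, that runs the checks an EAP-TLS authenticator applies to a client certificate: validity window, Client Authentication EKU, digitalSignature key usage, an identity to map to a directory account, and a chain to a trusted CA. It builds its own throwaway CA and two user certificates so it runs offline; the CA name, user name and the use of an e-mail SAN as a stand-in for the UPN SAN (Go's x509 package does not expose the Microsoft UPN otherName) are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckEAPTLSClientCert applies the checks a RADIUS server (NPS, ISE, ...) makes on a
// client certificate during EAP-TLS and returns one problem string per failed check.
// An empty result means the certificate itself is not why authentication fails.
func CheckEAPTLSClientCert(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) []string {
	var problems []string
	// 1. Validity window (device clock skew is a classic cause of failures).
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		problems = append(problems, fmt.Sprintf("not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339)))
	}
	// 2. EKU must include Client Authentication (1.3.6.1.5.5.7.3.2); a template cloned
	//    from a server or signing template usually lacks it.
	hasClientAuth := false
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny {
			hasClientAuth = true
		}
	}
	if !hasClientAuth {
		problems = append(problems, "missing Client Authentication EKU (1.3.6.1.5.5.7.3.2)")
	}
	// 3. The TLS handshake signs with the private key, so keyUsage (if present) needs digitalSignature.
	if leaf.KeyUsage != 0 && leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "keyUsage does not include digitalSignature")
	}
	// 4. The authenticator maps the certificate to an AD account, so it needs an identity:
	//    Subject CN or a SAN (UPN for users, DNS name for devices).
	if leaf.Subject.CommonName == "" && len(leaf.DNSNames) == 0 && len(leaf.EmailAddresses) == 0 {
		problems = append(problems, "no identity in Subject CN or SAN to map to a directory account")
	}
	// 5. The chain must build to a CA the authenticator trusts. ExtKeyUsageAny keeps this a
	//    pure chain check; the EKU was already judged in step 2.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		problems = append(problems, "chain does not verify against the trusted CA: "+err.Error())
	}
	return problems
}

// HasProblem reports whether any finding mentions substr.
func HasProblem(problems []string, substr string) bool {
	for _, p := range problems {
		if strings.Contains(p, substr) {
			return true
		}
	}
	return false
}

// issue signs tmpl with signer; parent == nil produces a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewConstructedPKI builds a throwaway CA plus two user certificates: one from a correct
// client-auth template and one lacking the Client Authentication EKU. Constructed test data only.
func NewConstructedPKI(now time.Time) (ca, good, noEKU *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"}, // assumed name
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, nil, &caKey.PublicKey, caKey); err != nil {
		return
	}
	userTmpl := func(serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "jdoe"}, // assumed user
			EmailAddresses: []string{"jdoe@example.corp"}, // stand-in for the UPN SAN
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
	}
	if good, err = issue(userTmpl(2, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, &userKey.PublicKey, caKey); err != nil {
		return
	}
	noEKU, err = issue(userTmpl(3, nil), ca, &userKey.PublicKey, caKey)
	return
}

func main() {
	now := time.Now()
	ca, good, noEKU, err := NewConstructedPKI(now)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("good cert, CA trusted:    ", CheckEAPTLSClientCert(good, roots, now))
	fmt.Println("no clientAuth EKU:        ", CheckEAPTLSClientCert(noEKU, roots, now))
	fmt.Println("good cert, CA not trusted:", CheckEAPTLSClientCert(good, x509.NewCertPool(), now))
}
```

To use it against a real deployment, replace the constructed certificates with `x509.ParseCertificate` on the DER exported from the device and a pool holding the CA chain the RADIUS server trusts; the third case in `main` (CA not trusted) is what the authenticator sees when the issuing chain is missing on its side, which is the situation behind the root certificate question in the first post.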
MassimoGatta
Contributor

Hi all, I'm back here... We just upgraded to 9.1.4; after the upgrade we tried to set up the CA integration to access the corporate Wi-Fi, but the profile doesn't install on the device.
We get this error on AirWatch: 'Error while impersonating administrative user airwatch-ldap: The user name or password is incorrect'.

We already followed the AirWatch guides and had many WebEx sessions.
0 Kudos
StefanKarlssonS
Contributor

Massimo, having the same issue after upgrade to 9.2, have you managed to find a solution?
0 Kudos
davisjj
Contributor

Having the same issue on 9.0.3. Does anyone have a fix for the 'Error while impersonating administrative user' error? We even installed a subordinate CA on the AirWatch server itself.
0 Kudos
MassimoGatta
Contributor

No certain solution yet. As of today, with AW 9.2.3 and ISE, sometimes it works and sometimes not. I tried to swap between users and devices, but I can't find any constant. I tried to enroll the same device with the same user on the same profile; sometimes it works and sometimes not.

Do you have any ideas or similar experience?
0 Kudos
WesleyTownsend
Contributor

I know this is a dead thread, but we are setting up ISE with AW and found that Android doesn't seem to want to accept the pre-configured settings. Has anyone found a solution?
0 Kudos
CTRIM
Contributor

I would love to know too Wesley.
0 Kudos
Gattula
Contributor

Hi Wesley, what kind of pre-configured settings do you mean? We use Cisco ISE only as NAC, so we send to devices only the profile and certificate. If you are speaking about Cisco Network Assistant configuration, to allow this the app has to be compatible with some Android framework to get external configuration.
0 Kudos
WesleyTownsend
Contributor

Hey Massimo, do you have your own CA that handles your certs for you?
0 Kudos
MassimoGatta
Contributor

Hi Wesley, yes, we have an internal CA (Microsoft). We have our CA integrated with AirWatch, which acts as a proxy from the devices to it, so when we enroll a device, a single profile delivers the user certificate and the SSID configuration.
0 Kudos