VMware Workspace ONE Community
MassimoGatta
Contributor

CA Certificate for Wifi access

Hi,
I need to deploy a cert to all our Samsung devices to join a Wi-Fi network.

I configured the integration between the CA and AirWatch and the request templates. It should be OK, as the test connection said.

After that, I made a profile with 'Credentials' and Wi-Fi, as in the attached pics.

The profile deploys well, but the authentication with the SSID is unsuccessful.
After the deploy I got a message on the device that shows the certificates on the device.
The domain user is in a correct AD group.

NB: I don't use a root certificate; should I?

Thanks in advance,

Massimo


Attachments: 5-cert3 edited.jpg, 4-cert2.JPG
35 Replies
Ramkumara11
Enthusiast

Hi Fred.S.
What should the field Identity point to?
Is it {emailusername} or {emailaddress}?
KenSmithKenSmi1
Enthusiast

So far I have tried all of the suggestions in this thread and some that are not listed. I'm at a loss and plan to take the three day weekend to clear my mind of this subject. Hopefully a hero will step forward and provide a suggestion that I can make work in my AW 9.6 SaaS environment using Symantec PKI. No issues with Apple products but Android has me stumped.
PeterSisk
Contributor

We have the exact same issue and currently have a support request open with AirWatch.
I'll update this if we get a solution.
MassimoGatta
Contributor

Lately I had (again) tickets with the vendors involved in this, AW and Cisco for the NAC. We made several tests and log captures. We saw that some devices simply didn't 'send' the certificate when speaking with the NAC, even if it is correctly installed on the device and is used for other things.
Probably the next step would be to speak with the device vendor.
The strange part of this is that the same model had different behavior, and also the same device, if wiped and re-installed, may change its behavior.
ChristianMarkel
Contributor

Turns out this is an old post; if you still need help, just reply in this thread and I can probably help you.
The first step is getting the phones to trust your RADIUS server (server identity): both trust and CN = DNS name.
Secondly, you need to establish your client identity (client certificate). If using Windows NPS you MUST have the UPN as a SAN.
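A lab check for the two requirements Christian lists (the RADIUS server cert chains to the pushed root and names the server in CN and DNS SAN; the client cert carries the UPN as a SAN otherName), added here as an example and not code from this thread or from Workspace ONE/AirWatch. It builds a throwaway CA, server cert and client cert with the Python `cryptography` package; the host name radius.acme.example and the UPN jdoe@acme.example are assumed placeholders.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName type

def make_cert(cn, san=None, issuer=None, issuer_key=None):
    """Constructed 1-day RSA cert for the lab; a self-signed CA when no issuer is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1)))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return key, b.sign(issuer_key or key, hashes.SHA256())

def upn_der(upn):
    """otherName values are DER: a UPN is a UTF8String (tag 0x0c, short-form length < 128)."""
    return b"\x0c" + bytes([len(upn.encode())]) + upn.encode()

def san_values(cert, kind):  # general names of one type, or [] when the cert has no SAN at all
    try:
        return cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(kind)
    except x509.ExtensionNotFound:
        return []

def server_cert_ok(srv, root, radius_fqdn):
    """Server identity: signed by the pushed root, and CN and DNS SAN both equal the RADIUS name."""
    try:
        root.public_key().verify(srv.signature, srv.tbs_certificate_bytes, padding.PKCS1v15(), srv.signature_hash_algorithm)
    except Exception:  # InvalidSignature: a device would rightly refuse this server
        return False
    cn = srv.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return srv.issuer == root.subject and cn == radius_fqdn and radius_fqdn in san_values(srv, x509.DNSName)

def client_upn(cli):
    """Client identity: the UPN carried as a SAN otherName, or None (the case NPS rejects)."""
    for o in san_values(cli, x509.OtherName):
        if o.type_id == UPN_OID and o.value[:1] == b"\x0c":
            return o.value[2:].decode()
    return None

def run_lab(radius_fqdn="radius.acme.example", upn="jdoe@acme.example"):
    """Build the constructed PKI (assumed names) and return (server trust ok, client UPN)."""
    ca_key, ca = make_cert("Internal Issuing CA")
    _, srv = make_cert(radius_fqdn, [x509.DNSName(radius_fqdn)], ca, ca_key)
    _, cli = make_cert("jdoe", [x509.OtherName(UPN_OID, upn_der(upn))], ca, ca_key)
    return server_cert_ok(srv, ca, radius_fqdn), client_upn(cli)
```

A client cert whose SAN holds only an e-mail name (what {emailaddress} would give) makes client_upn return None, which is the NPS failure the post warns about.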
chengtmskcc
Expert

Anyone here integrate AirWatch with Cisco ISE successfully?
JesseIUH
Contributor

Christian,
What did you do to get the devices to trust the RADIUS server?
BrandonOKC
Enthusiast

Jesse,
Check with your network engineer on the RADIUS side. My engineer added a rule in the ACS to allow a variable to look for the DN/SAN of the cert to contain XXXX-XXXXX, in order to allow RADIUS to pass the connection on past associate and then on to authentication. I have our public signed root CA for the ACS RADIUS server included in the Android creds profile, along with the device-assigned cert that is generated during enrollment and includes a unique name in the DN/SAN name XXXX-"SerialNumber". So each device has a unique cert issued. I still have to change one setting on the device for auto connect to work: I switch the root cert to "NONE", and after that authentication is good.

I haven’t tried what someone else mentioned earlier about not pushing Root CA. That somewhat makes sense because then you don’t have a cert installed for WiFi that device recognizes. Going to try that out and see what happens.

Hope this helps you get your devices working with device cert authentication.
RickChau
Contributor

Hi All,
We're also having issues with Android trusting the server cert. We've tried pushing the profile with and without a Root CA, and setting the Root cert in the Wi-Fi payload to the identity cert, NONE, and the Root CA cert. Our network engineers can see the handshake fail because the clients (Androids) are not trusting the CA.

Thanks in advance
DmitryKurdenkov
Enthusiast

Hi, Ramkumara11.

{UserPrincipalName}

DmitryKurdenkov
Enthusiast

Hi, RickChau!

Do you send to the device the Root CA certificate that signed the certificate for the RADIUS server?

I have a working process with Samsung rugged devices (Android 5.1.1 and 6.0.1). There were no problems for me setting up certificate-based Wi-Fi on them.

gmanjohal
Enthusiast

Hi all,

I've had a whale of a time getting ISE and AirWatch to connect to our internal Wi-Fi using device certificates for both iOS and Android. Both had their respective issues, but both are now working. We are using Sectigo to issue certificates (hosted) and using the SCEP protocol (I know, I'm sorry 😞), although it should work using ADCS as well.

So the CA is set up pointing to our SCEP URL, and the template too; the Subject Name needed the full string in there, which was one of the primary issues I had. I believe the SAN types had to be in there too.

iOS

This took a while but is the simplest by far. The only certs I needed were our internal root, the SSL cert issued by the public CA, and the internal CA. The internal CA must be the Identity certificate. All certs also need to be set as trusted in the same payload, and the trusted server certificate names need to be in for your domain (e.g. *.acme.com). We used EAP-TLS to authenticate and {EnrollmentUser} as our user name. The public roots are already installed on the devices by default, so no need for those, and this got it working.

Android

From my findings, Androids needed the full chain of trust for everything. So they needed the internal CA configuring, along with the public SSL cert as well as the global root and intermediate certs that signed the SSL cert. The correct intermediate is needed, as those aren't on the devices by default. The internal root and intermediate were also required. I used SFA = TLS and {EnrollmentUser} as the Identity; the ID certificate needs to be the internal issuing CA, and the Root needs to be the public root you've uploaded.

Hopefully this helps someone who went through the hell I went through to get this working.

Ramkumara11
Enthusiast

Hi gmanjohal

Good to see you got it working.

If you don't mind, can you share your Wi-Fi payload and credentials payload screenshots?

I especially want to see what is added in the "Credentials" payload.

We are unable to set up Wi-Fi for Android phones. Note: we use the PKI infrastructure, though, not SCEP.

chengtmskcc
Expert

We have cert-based WiFi working as well with Cisco ISE only when 'Force WiFi Whitelisting' is not enforced.

I wonder if this setting is generally enabled among other AirWatch admins.

Ramkumara11
Enthusiast

Hi @chengtmskcc

Can you share a screenshot of the profile?

MaximeLELEU
Enthusiast

Hi, I have the same problem. Can you help me, please, or share any doc?

Thanks in advance
