VMware Workspace ONE Community
mcvosi
Enthusiast

EAP-TLS Wi-Fi on iOS and macOS

I have EAP-TLS auth using NPS working for my Windows devices, but I am struggling to get it working for iOS and macOS devices. I have tried everything I can think of. Certs get installed on devices; however, I keep getting reason code 23 on NPS.

36 Replies
meedzy75
Contributor

Hi,

Had the same problem and managed to find the solution yesterday.

While using NPS as a RADIUS server, when the NPS server receives an Access-Request, it first looks for a match for the username provided in Active Directory. That means you need to create either a computer AD object or a user object, depending on whether you're using a user or a computer certificate.

If you're using a User certificate, the certificate must contain the user UPN in the certificate SAN Object. Then, when connecting, you need to provide the certificate and the user UPN as a username in the SSID prompt.


If you're using a computer certificate, the certificate must contain the computer DNS name in the SAN object. Then you need to provide the machine hostname as a username, plus you need to add the sign "$" at the end. If you don't, the NPS will look for a match in the AD user database and won't find any.

For example, if your Apple device name is MYLAPTOP, you'll put "MYLAPTOP.DOMAIN.COM" in the SAN.
Then you'll connect with the certificate and with "MYLAPTOP$" in the username field.

Hope that helps

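Added example, not part of the thread and not VMware or Microsoft tooling: a PowerShell function that reads an exported client certificate and reports the points the reply above lists (Subject CN, UPN or DNS name in the SAN, Client Authentication EKU, private key present) and derives the username to type in the Wi-Fi prompt, the UPN for a user certificate or HOST$ for a computer certificate. The function name, its output fields, and the path and PFX password in the usage line are my own placeholders; it uses only the .NET X509Certificate2 API that ships with Windows PowerShell.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-EapTlsClientCert {
    # Reads a client certificate (.cer, or .pfx plus its password) and reports the
    # fields NPS and the Apple supplicant look at, plus the username the device
    # has to send so that NPS finds the matching AD object.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PfxPassword = ''
    )

    $cert = if ($PfxPassword) {
        [X509Certificate2]::new($Path, $PfxPassword, [X509KeyStorageFlags]::DefaultKeySet)
    } else {
        [X509Certificate2]::new($Path)
    }

    # Subject CN, parsed from the Subject DN. The failing certificate in the
    # thread had an empty Subject, which leaves this blank.
    $cn = ''
    if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1] }

    # SAN values: the UPN (otherName 1.3.6.1.4.1.311.20.2.3) for a user cert,
    # a DNS name for a computer cert. DnsFromAlternativeName never falls back
    # to the CN, so an empty string really means "no DNS SAN".
    $upn = $cert.GetNameInfo([X509NameType]::UpnName, $false)
    $dns = $cert.GetNameInfo([X509NameType]::DnsFromAlternativeName, $false)

    # NPS only accepts the certificate for EAP-TLS if it carries the
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $clientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')

    # Username field for the Wi-Fi prompt: the UPN for a user certificate,
    # HOST$ (hostname without the domain, trailing $) for a computer certificate.
    $npsUser = ''
    if ($upn)     { $npsUser = $upn }
    elseif ($dns) { $npsUser = $dns.Split('.')[0].ToUpperInvariant() + '$' }

    $problems = @()
    if (-not $cn) { $problems += 'Subject has no CN; the device will not offer this certificate' }
    if (-not ($upn -or $dns)) { $problems += 'No UPN or DNS name in the SAN; NPS cannot map it to an AD object' }
    if (-not $clientAuth) { $problems += 'Missing Client Authentication EKU' }
    if (-not $cert.HasPrivateKey) { $problems += 'No private key loaded; install a password-protected PFX, not just the .cer' }

    [pscustomobject]@{
        CommonName    = $cn
        SanUpn        = $upn
        SanDns        = $dns
        ClientAuthEku = $clientAuth
        HasPrivateKey = $cert.HasPrivateKey
        NpsUsername   = $npsUser
        Problems      = $problems
    }
}

# Usage (placeholder path and password):
# Test-EapTlsClientCert -Path 'C:\certs\jdoe.pfx' -PfxPassword 'PfxPasswordHere'
```

Run it against the PFX before pushing it to the device: an empty CommonName or an empty NpsUsername is exactly the situation where iOS never offers the certificate, or NPS logs a failed lookup.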
mcvosi
Enthusiast

Hello, thanks for your reply. I am really struggling with this.

I do have the user's email address in the SAN, but I'm not even getting to the point of it asking what cert to use. The iOS device immediately just says it's unable to join.

I did finally get one device to join properly, but another will not. I notice under the certificates that the device not able to join for some reason has a blank Subject in its certificate. I have no idea why?! The other seems to work fine.

meedzy75
Contributor

Ok then what do you put as your certificate CN ?
In my case I use the username without the domain as the CN.
And then I use the UPN as the SAN.

meedzy75
Contributor

Regarding my last reply, I know that you don't get asked for your certificate.
That might be because there is no suitable certificate on the device.

That's why I'm asking for your CN.

Check this link for more info https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-require...

mcvosi
Enthusiast

Working one has email address as the CN. 

One that doesn't work has no CN and I'm not sure why?!

mcvosi
Enthusiast

I feel like this may be the problem -- the template.

[screenshot: the certificate template settings]

meedzy75
Contributor

Ok, I think I get it now. Yeah, the fact that you have no CN is definitely the problem.
A certificate with no CN is not suitable at all.

What are you using to request certificates from your PKI? Is it SCEP?

In this case, you must configure your SCEP server to supply the username as CN in the certificate request.

mcvosi
Enthusiast

I'm using ADCS, not SCEP.

meedzy75
Contributor

I'm not very familiar with this kind of configuration.

I think, if you use ADCS, your Apple devices need to be joined to the domain in order to request their own certificates.
The option in your screenshot is used in that case. For that, in the Security tab of your certificate template, you must add an AD group in which your devices are located and allow them to Enroll.

[screenshot: certificate template Security tab, with the device group granted Enroll]

If you're the one requesting the certificates and then importing them into your devices' keychain, then you must supply the CN when requesting the certificate.

mcvosi
Enthusiast

OK, that does sound more involved than I'd like. This is a new implementation, so it's not too late to move to SCEP.

This is the guide I followed: Setting up a 3rd Party CA with Workspace ONE in your Lab Environment – Steve The Identity Guy

meedzy75
Contributor

Before using SCEP, let's try and make sure the issue is only with the CN.

Try and use a certificate template with the option "Supply in the request" in the Subject Name tab.
Make sure you have the enrollment rights and just request your own certificate using MMC. You should be able to choose the CN and SAN.
Make sure you put the username in the CN field and the UPN in the SAN field.

Then import the certificate on your device and try to connect.
Don't let the language disturb you, my laptop is in French.

[screenshot: MMC certificate request dialog with the CN and SAN fields filled in]

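Added example, not from the thread and not Microsoft's or VMware's code: the same "Supply in the request" enrollment described above, done with certreq instead of the MMC wizard, so the Subject CN and the UPN SAN are written into the request explicitly and the issued certificate is exported as a password-protected PFX for the device. Assumptions: a domain-joined Windows machine with Enroll rights on the template, a CA that issues the template without manager approval, and placeholder values for the template name, CA config string, user and paths; the function name is mine, the INF keys and certreq switches are the documented ones.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function New-EapTlsUserCert {
    # Builds a certreq INF that supplies the Subject CN and a UPN SAN itself,
    # submits it to the ADCS CA, accepts the issued certificate into the
    # current user's store and exports it as a password-protected PFX.
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,  # becomes the CN, e.g. jdoe
        [Parameter(Mandatory)] [string]       $Upn,             # becomes the SAN, e.g. jdoe@domain.com
        [Parameter(Mandatory)] [string]       $TemplateName,    # ADCS template set to "Supply in the request"
        [Parameter(Mandatory)] [string]       $CaConfig,        # "CAHOST\CA Name", as listed by certutil -dump
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $OutDir = (Join-Path $env:TEMP 'eaptls')
    )

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir "$SamAccountName.inf"
    $req = Join-Path $OutDir "$SamAccountName.req"
    $cer = Join-Path $OutDir "$SamAccountName.cer"
    $pfx = Join-Path $OutDir "$SamAccountName.pfx"

    # Single-quoted here-string so "$Windows NT$" is not interpolated.
    # 2.5.29.17 is the subjectAltName OID; certreq accepts "UPN=...&" in its
    # {text} form (use "DNS=host.domain.com&" for a computer certificate).
    $infText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__CN__"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = "__TEMPLATE__"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "UPN=__UPN__&"
'@
    $infText.Replace('__CN__', $SamAccountName).Replace('__UPN__', $Upn).Replace('__TEMPLATE__', $TemplateName) |
        Set-Content -Path $inf -Encoding ASCII

    # certreq returns a non-zero exit code on failure; stop at the first one.
    certreq -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    certreq -submit -config $CaConfig $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); does the template issue without approval?" }
    certreq -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

    # -accept bound the issued certificate to its key in the user store; export
    # key and certificate together, since the PFX is what goes on the iOS/macOS device.
    $thumb = [X509Certificate2]::new($cer).Thumbprint
    $storeCert = Get-Item "Cert:\CurrentUser\My\$thumb"
    Export-PfxCertificate -Cert $storeCert -FilePath $pfx -Password $PfxPassword | Out-Null

    [pscustomobject]@{
        Subject    = $storeCert.Subject
        SanUpn     = $storeCert.GetNameInfo([X509NameType]::UpnName, $false)
        Thumbprint = $thumb
        PfxPath    = $pfx
    }
}

# Usage (all values are placeholders for your environment):
# $pw = Read-Host -AsSecureString 'PFX password'
# New-EapTlsUserCert -SamAccountName 'jdoe' -Upn 'jdoe@domain.com' `
#     -TemplateName 'WorkspaceONEUserEapTls' -CaConfig 'CA01.domain.com\Domain-CA' -PfxPassword $pw
```

The returned Subject should read CN=jdoe and SanUpn should be the UPN; if a certificate requested through the MDM comes back with an empty Subject while this one does not, the difference is in what the MDM puts into the request, not in the template.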
mcvosi
Enthusiast

Manually requesting the cert via MMC did give me a CN, so I presume it would work. So, the issue is with the template I suppose?

meedzy75
Contributor

Yup I guess it is pretty clear now.
How is your template configured in the Subject Name tab?
And how do your devices request the certificates?

mcvosi
Enthusiast

It's configured as Supply in the Request.

I tried manually installing the certificate and it's not allowing me to select the certificate to authenticate on the iOS device.

meedzy75
Contributor

Supply in the request means someone needs to request it, just like you did manually.
When you exported the certificate, did you also export the private key? Doing so, you must get a password-protected PFX file. That's the one you need to import on the iOS device. In fact, you need to install it as a configuration profile.

You also need to install the Root CA certificate.

mcvosi
Enthusiast

OK, yes I figured as much afterwards. Manually installing the cert allows me to authenticate properly. So, the question is what's wrong with the template?

mcvosi
Enthusiast

This is what I have in the request.

[screenshot: the certificate request fields]

meedzy75
Contributor

I'm not sure you can use the UPN as a CN. Try and compare with your Windows devices' certificate. What CN do you have?

In my case I'm using the "Fully Distinguished Name" in the CN field and it's working.

meedzy75
Contributor

Plus, since the data are provided in the request, there is nothing wrong with the template.
The problem must be the CN field in your request.
