Security

Reply
Contributor I

EAP-PEAP 802.1x Expiring Certificate Replacement iOS Challenge

Airheads,

 

We are approching certificate expiry on our EAP-PEAP 802.1x SSID. I'm testing the behavior of different devices when they are presented with a renewed certificate with the same CN. The ceritifcates come from a public widely trusted CA. It appears that most devices handle this well. Windows and Android re-auth/reconnect without a glitch. However, Apple iOS devices do not, the user would be forced to manually go to WiFi properties select the affected SSID, click join and Trust. I haven't had a chance to test with Apple Mac OSX but I suspected it will reconnect fine.

 

Reaching out to the community to see what other people have experienced when performing 802.1x EAP-PEAP certificate renewals on iOS devices. Is there any way to avoid the iOS device requiring to Trust the updated certificate? Any other challenges with other devices? I know we can send a targeted e-mail to all SSID iOS users with instructions on how to proceed but this would be less than ideal. We do not use OnBoard or Quickconnect for connection setup.

 

I'm testing this on a NPS radius but I suspect the same would apply for Clearpass for which I don't have a test env up and running at the moment. What type of alert output would we expect in Access Tracker for iOS clients trying to connect and not aware of the new ceritifcate? Client did not complete EAP transaction/TIMEOUT?

 

Thank you in advance for any insight or ideas on this matter,

Peter

Guru Elite

Re: EAP-PEAP 802.1x Expiring Certificate Replacement iOS Challenge

How are the device supplicants configured today?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP-PEAP 802.1x Expiring Certificate Replacement iOS Challenge

Tim,

Manually mostly, domain joined Windows through Group Policy.

Peter
Contributor I

Re: EAP-PEAP 802.1x Expiring Certificate Replacement iOS Challenge

Any input on how other people have handled their EAP-PEAP certificate replacement? It appears that Windows machines and some MAC OS versions don't tolerate this change either..

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: