MVP
Posts: 765
Registered: ‎03-25-2009

iOS "not verified" for trusted certificate

Was trying to get our wifi up and running with trusted certificates so nobody would ever have to click through any warning anymore and get used to this and actually take notice somewhere down the line when they do get a valid warning.

For this we're using a publicly signed radius/webserver certificate on our Clearpass server. This works great without any warnings for guests on our guest portal and internal clients except for iOS clients.

The iOS clients keep throwing up a "not verified" for the certificate even though the certificate is issued by a root CA that is included in Apple's own iOS 8: List of available trusted root certificates.

Does anybody have an idea why iOS would keep throwing up this warning with a completed trust chain? Or better yet, how to solve it?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: iOS "not verified" for trusted certificate

There might be an intermediate cert not in the trust list. You should make sure all certs are combined into the cert on CPPM. It might also be trying OCSP lookup and that is causing the error. I couldn't tell you for sure without looking at it. You can test by emailing all the individual certs to an iOS device and installing one at a time to see what cert is causing the error.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: iOS "not verified" for trusted certificate

You will always get Not Verified unless you pre-configure clients with a profile. It's a normal part of the EAP server validation process. It's just like the pop up you get on Windows and Mac. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 765
Registered: ‎03-25-2009

Re: iOS "not verified" for trusted certificate

I'm confused..

Why would the device need an explicit trust of the intermediate CA? If the root CA is trusted then automatically we can trust intermediate and finally server certs, no?

And OCSP.. wouldn't the supplicant be smart enough to know it's not possible to do an OCSP check before you're authenticated?

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 21,001
Registered: ‎03-29-2007

Re: iOS "not verified" for trusted certificate


koenv wrote:

I'm confused..

Why would the device need an explicit trust of the intermediate CA? If the root CA is trusted then automatically we can trust intermediate and finally server certs, no?

And OCSP.. wouldn't the supplicant be smart enough to know it's not possible to do an OCSP check before you're authenticated?

Koenv,

Apple is probably the best person to ask why its supplicant behaves that way: https://discussions.apple.com/thread/5967450

In addition, OCSP is only used to determine if a certificate is revoked or not. That requires an internet connection, so it is not applicable in the 802.1x context from the client perspective, where authentication occurs before a connection is made.



Colin Joseph
Aruba Customer Engineering

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: iOS "not verified" for trusted certificate

That specific not verified message is there because you have not previously defined the RADIUS server's identity. 

This will happen the first time the user hits a new authentication server for each SSID. 

The only way to prevent this is to pre-configure clients using Apple profiles (QuickConnect standalone, Onboard or Profile Manager)


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
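
The pre-configuration described in the post above, as an added example (not part of the original thread, and not Aruba's or Apple's tooling): a Python sketch that builds an iOS Wi-Fi configuration profile naming the RADIUS server and its CA, plus a check that flags Wi-Fi payloads which do not pin server trust. The SSID, server name, identifiers and certificate bytes are constructed placeholders, and the pass criteria in `unpinned_ssids` are this example's own policy.

```python
import plistlib
import uuid

def _payload(ptype, ident, name, **body):
    """Common keys every configuration-profile payload carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name, **body}

def build_wifi_profile(ssid, radius_names, ca_cert, org_id="com.example.wifi"):
    """Return .mobileconfig XML bytes pinning the RADIUS server for one SSID."""
    ca = _payload("com.apple.security.root", org_id + ".ca", "RADIUS issuing CA",
                  PayloadContent=ca_cert)  # certificate bytes, written as <data>
    eap = {
        "AcceptEAPTypes": [25],                       # 25 = PEAP
        "TLSTrustedServerNames": list(radius_names),  # expected server cert names
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # CA that anchors trust
        "TLSAllowTrustExceptions": False,             # no user override on mismatch
    }
    wifi = _payload("com.apple.wifi.managed", org_id + ".ssid", ssid,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2", EAPClientConfiguration=eap)
    profile = _payload("Configuration", org_id, "Wi-Fi: " + ssid,
                       PayloadContent=[ca, wifi])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def unpinned_ssids(profile_bytes):
    """List SSIDs whose EAP settings do not fully pin the server (example policy)."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"].startswith("com.apple.security.")}
    weak = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p["PayloadType"] != "com.apple.wifi.managed" or eap is None:
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        pinned = (eap.get("TLSTrustedServerNames")
                  and anchors and set(anchors) <= cert_uuids
                  and eap.get("TLSAllowTrustExceptions") is False)
        if not pinned:
            weak.append(p["SSID_STR"])
    return weak

# Constructed sample values; a real profile embeds the actual CA certificate.
SAMPLE = build_wifi_profile("ExampleCorp", ["clearpass.example.com"],
                            b"placeholder-not-a-real-certificate")
```
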
MVP
Posts: 765
Registered: ‎03-25-2009

Re: iOS "not verified" for trusted certificate


cappalli wrote:
That specific not verified message is there because you have not previously defined the RADIUS server's identity. 

Do I understand that the issue is not the certificate itself but rather that I haven't told iOS anywhere what my radius server would be?

That kinda makes sense.

Guess this will be 1 warning our users will just have to click through until we set up onboarding for them.

Thanks all for the responses!

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: iOS "not verified" for trusted certificate

That's what I get for answering questions at 4 AM. :) Tim is correct. You will always see that on the first time you connect. I thought you were talking about the error showing up while you were running the onboarding process and the popup was showing during the profile install.
Thank You,
Troy

Occasional Contributor II
Posts: 26
Registered: ‎06-29-2012

Re: iOS "not verified" for trusted certificate

Hello

I am going a long way around the same issue with Support.

Is it fair to say that Apple iOS requires the validation of the clearpass certificate through manual user validation when connecting via 802.1X on the initial connection? We only have an issue when connecting to the SSID for the 1st time and were expecting the local device Apple trust store to validate our publicly signed certificate. We have no issues with Onboarding.

We have tested in iOS 8 and iOS 9 just this morning and behaviour is still the same.

Thanks

Ken 

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: iOS "not verified" for trusted certificate

So these devices are fully Onboarded or are they connecting using username/password?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480