Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

This thread has been viewed 45 times
  • 1.  ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Mar 14, 2023 09:23 AM

    I applied a new SAN certificate from an Apple trusted certificate authority (Go Daddy Secure Certificate Authority - G2). We verified the certificate is in the correct chain order per Aruba TAC (server -> intermediate -> root -> private key). Apple iOS devices identify the certificate as NOT TRUSTED. Considering trying a different CA on the Apple trusted listed. I attached a video of the warning from my personal iOS device (iPhone 13 Pro Max on iOS 16.3.1) and a screenshot comparing the HTTPS certificate details from Google Chrome with the CA listed on Apple's support site (List of available trusted root certificates in iOS 16, iPadOS 16, macOS 13, tvOS 16, and watchOS 9 - Apple Support). Any ideas or suggestions would be greatly appreciated.



  • 2.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    MVP GURU
    Posted Mar 14, 2023 10:07 AM

    Can you show more details on this screen? Is there a root or intermediate certificate that may not be in the Apple trust store? The client will not check CN or SAN addresses because this happens before network access, so I suspect one of the certs in the chain is not currently in the trust store of the device. Have you also tried updating the iOS?



    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Mar 15, 2023 09:52 AM

    I think that is expected behavior (and checked with another network to confirm), because the SSID that you connect to (LCCC-Student) can not be verified against the certificate. That is because certificates are based on DNS names, where SSIDs can be arbitrary configured, which means there is no way to verify if the certificate matches the SSID.

    For Enterprise Authentication it is close to mandatory to use device management (Group Policies/MDM/EMM) or an onboarding system like ClearPass Onboard to configure the client. Manual configuration is nearly impossible to get secure without the end user exactly knowing what to do.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Jul 04, 2024 06:36 AM

    hi Herman,

    just seen this post from last year regarding Apple devices and untrusted root certs.

    Quick question.

    Do you mean the SSID the Apple device is connecting to must match the CN of the cert that is presented ?

    cheers

    Pete




  • 5.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Mar 15, 2023 11:21 AM

    Hi, can you show the SAN entries for the certificate and what is the URL configured in your captive portal?

    I hope this helps




  • 6.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Nov 28, 2023 05:32 PM

    Did you ever find a solution for this? I am running to the exact same issue with a GoDaddy G2 certificate. It seems to work fine on any other device type. Mac, iPhone and iPads all are experiencing the same untrusted certificate issue.




  • 7.  RE: ClearPass HTTPS\RADIUS Certificate not trusted by iOS devices

    Posted Dec 05, 2023 11:26 AM

    Check my response above, this very likely is expected behavior. Also a blog post from back in 2016 with a more extensive explanation.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------