Yes, the behavior is different per device, and that is exactly the reason why you should never use EAP-PEAP in BYOD-like situations.
Some devices prompt the user for a certificate, others don't even do that, and if there is a rogue authentication server users will likely leak their user credentials.
If you have an MDM (you mention JAMF), make sure that you push the RADIUS server's root CA (a private PKI certificate is recommended for EAP), and strictly control the certificate trust and make sure that users cannot accept a rogue server certificate. Without an MDM or proper provisioning tool, you should not deploy PEAP-MSCHAPv2.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
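An added example, not part of the thread and not Aruba or Jamf code: a pre-deployment check for the Wi-Fi payloads in an Apple configuration profile, flagging PEAP networks that do not pin the RADIUS server's CA and name or that let the user accept an unknown certificate. It assumes an unsigned profile and Apple's `EAPClientConfiguration` keys; the SSIDs, UUID and server name are constructed.

```python
import plistlib

# Constructed sample profile (not from the thread): one Wi-Fi payload with no
# server trust settings, one pinned to a private root CA and a server name.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-weak",
         "EAPClientConfiguration": {"AcceptEAPTypes": [25]}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-pinned",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [25],
             "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000001"],
             "TLSTrustedServerNames": ["radius.example.internal"],
             "TLSAllowTrustExceptions": False}},
    ],
})

PEAP = 25  # EAP method type number for PEAP

def audit_wifi_profile(profile_bytes):
    """Return {ssid: [findings]} for every PEAP Wi-Fi payload in the profile."""
    profile = plistlib.loads(profile_bytes)  # a signed profile must be unwrapped first
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration") or {}
        if PEAP not in eap.get("AcceptEAPTypes", []):
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID")
        names = eap.get("TLSTrustedServerNames")
        # Assumed default: trust exceptions are allowed unless anchors or
        # trusted server names are present in the payload.
        allow = eap.get("TLSAllowTrustExceptions", not (anchors or names))
        findings = []
        if not anchors:
            findings.append("no trusted CA anchor for the RADIUS server certificate")
        if not names:
            findings.append("no expected RADIUS server name")
        if allow:
            findings.append("user may accept an untrusted server certificate")
        report[payload.get("SSID_STR", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit_wifi_profile(SAMPLE_PROFILE).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
```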
Original Message:
Sent: Aug 11, 2022 06:13 AM
From: Inzamam Shahid
Subject: EAP-PEAP
My further question: I have a Samsung phone; if I forget the network, I do not need to trust the cert. This device is not a managed device.
I have an iPhone that is managed by JAMF; if I forget the network and connect, I need to trust the cert for the first time.
Is this behaviour different per manufacturer and device?
Original Message:
Sent: Aug 11, 2022 05:56 AM
From: Bruce Osborne
Subject: EAP-PEAP
If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not apply to the RADIUS servers.
Many, including our institution, use an open SSID with a captive portal and some onboarding software such as ClearPass Onboard or SecureW2.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP
Hi,
If you have an 802.1x SSID where you are doing EAP-PEAP authentication, on CPPM for example, you can have a self-signed cert or you can have a public cert; either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self-signed cert?
I am testing the behaviour and it is the same in both instances.
Is there any way around having to trust the certificate and automatically connect?
Thanks,