@cjoseph wrote:
@raphael wrote:
Hey Colin,
The certificate is definitely selected within the NPS policy.
There are two certificates on the server, one generated by the MS Root CA, and one from GoDaddy.
With the certificate issued by the MS Root CA selected, iOS, Mac, etc. can connect OK (obviously with the Accept/Trust prompt upon connection). As soon as they select the GoDaddy cert, the iOS + Macs can no longer connect (tried on a number of devices to make sure nothing was being cached...).
FYI - The MS Root CA is not currently an option, as it's being decommissioned very shortly, plus they wanted the added benefit of a public root CA so that other devices would not get prompted upon connection (although I understand that not all devices come loaded with every root CA).
If the certificate does not work, you should contact GoDaddy to make sure that you are handling the certificate correctly and it is indeed for the purpose you intended. At minimum, it should work with the iOS devices. You should NOT have to change anything on the Aruba Controller.
The only organizations who benefit from a public CA are organizations who have a large number of devices that they do not control, like universities. If the majority of an organization's devices are part of their domain, their domain devices automatically trust the enterprise CA and group policy can be used to push the WLAN configuration without intervention from their helpdesk or the end user. Even though you purchase a certificate from a public "trusted" CA, not all devices will trust it, and many of the devices that do trust it, like iOS, still require people to click on "Accept" the first time they see a certificate, which negates this benefit. In addition, non-domain Windows users require helpdesk to touch all of their devices to make them connect, anyway, EVEN if they trust the certificate, just like the private CA.
Hi, sorry to bring this thread back from the dead, but it's a high-ranking search result on this topic and I wanted to ask a question regarding this specific post.
You said that "in addition, non-domain Windows users require helpdesk to touch all of their devices to make them connect, anyway, EVEN if they trust the certificate, just like the private CA."
However, it must be possible to avoid this, because Time Warner Cable does it with their WiFi-Passpoint service. It uses 802.1X EAP-PEAP MSCHAPv2, and while the user must accept their public cert in iOS, in Windows they don't have to accept anything and it just works (without messing with the server certificate at all). All a user of twcwifi-passpoint has to do is enter their username and password and it connects in Windows 7 with no error and not even a warning or a prompt to accept the cert.
I have a large number of non-domain devices (Android, iOS and Windows) that I want to be able to use WPA2 Enterprise on my network with only an EAP-PEAP username and password. I am OK with them having to accept the certificate on first connect, but currently non-domain Windows machines just error out and don't even ask about the certificate. Upon adding the server certificate to the Windows machine they still get an error (this is the error: http://i.imgur.com/i1jZI1Y.png).
I want to do what Time Warner Cable has done with their Passpoint service and get it so Windows, Android and iOS can all connect without messing with server certificates and custom settings; I just want them to be able to enter a username and password. It seems it must be possible, since TWC is doing it with Passpoint, as can be seen here in their video: https://youtu.be/hHP9B-C_mYg?t=102
I know they are using a public certificate and I am OK with buying one, but I had ruled out that idea based on the comment in this thread I referenced above about non-domain Windows machines still needing custom setup by helpdesk. After seeing what TWC is doing with Passpoint, I realized I should revisit this idea.
Thanks.