Certificate based authentication fails for ios 16

  • 1.  Certificate based authentication fails for ios 16

    Posted Nov 23, 2022 05:19 AM
    Hi,

    running ArubaOS 8.6.0.17

    Noticed certificate-based authentication fails on an iOS 16.1.1 device.  Replicated this on two different devices.  Possibly this worked if the certificate was installed on a pre-iOS 16 device, which was then upgraded.  But certainly when the certificate is installed on an iOS 16.1.1 device, authentication fails.  Installation of the cert itself succeeds.  But after installation, authentication to the wireless network fails.  To be clear, this is working for a few hundred existing iOS devices (running most likely an older iOS version, or were upgraded to iOS 16 when the certificate was already installed before the upgrade).  So most likely this is iOS 16.1.1 related.  The auth-tracebuf shows me:

    Nov 22 10:48:10 station-up * e6:b8:dc:47:87:80 24:62:ce:43:87:90 - - wpa2 aes
    Nov 22 10:48:10 eap-id-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 1 5
    Nov 22 10:48:10 eap-id-resp -> e6:b8:dc:47:87:80 24:62:ce:43:87:90 1 32 blablabla@group.com
    Nov 22 10:48:10 rad-req -> e6:b8:dc:47:87:80 24:62:ce:43:87:90 80 232 192.168.101.248
    Nov 22 10:48:10 rad-resp <- e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 80 90
    Nov 22 10:48:10 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 2 6
    Nov 22 10:48:10 eap-resp -> e6:b8:dc:47:87:80 24:62:ce:43:87:90 2 161
    Nov 22 10:48:10 rad-req -> e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 83 399 192.168.101.248
    Nov 22 10:48:10 rad-resp <- e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 83 1188
    Nov 22 10:48:10 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 3 1096
    Nov 22 10:48:10 eap-resp -> e6:b8:dc:47:87:80 24:62:ce:43:87:90 3 6
    Nov 22 10:48:10 rad-req -> e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 84 244 192.168.101.248
    Nov 22 10:48:10 rad-resp <- e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 84 980
    Nov 22 10:48:10 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
    Nov 22 10:48:15 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
    Nov 22 10:48:20 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
    Nov 22 10:48:25 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
    Nov 22 10:48:30 dot1x-timeout * e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 3 server timeout
    Nov 22 10:48:30 dot1x-timeout * e6:b8:dc:47:87:80 24:62:ce:43:87:90 5 2 station timeout

    Anyone experienced something similar?



  • 2.  RE: Certificate based authentication fails for ios 16

    MVP EXPERT
    Posted Nov 23, 2022 05:53 AM
    I’ve got 16.1.1 on my iPhone, just used onboard to install a cert from cppm 6.10.7 for testing wpa3-enterprise … works just fine. For wpa2-enterprise and wpa3-enterprise on Aruba’s 8.10.0.5





  • 3.  RE: Certificate based authentication fails for ios 16

    Posted Nov 23, 2022 09:52 AM
    Ok, good to know.  Here we use a Windows NPS server as RADIUS server.


  • 4.  RE: Certificate based authentication fails for ios 16

    EMPLOYEE
    Posted Nov 23, 2022 10:08 AM
    Do you see any error message on the phone? Do you see anything in the RADIUS server logs regarding this client?

    The auth-tracebuf suggests that the client and RADIUS server go in conversation, but then the server (or client) stops responding. If you can capture the RADIUS traffic, you may be able to see some TLS/SSL error code, but unfortunately clients also sometimes just stop (maybe in order to not give away too much information to a possible attacker). It may be that the client does not trust the server certificate, or the cryptographic algorithms used are no longer supported by iOS 16.

    Aruba TAC may be able to assist you with analyzing these traces/this issue. I can't see many issues reported through our TAC, so the issue may be specific for something in your deployment.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
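
A small parser for the auth-tracebuf output quoted in this thread, added here as an example (it is not from any poster or from Aruba): it pairs each EAP/RADIUS request with its response and reports which side left a request unanswered. Reading the two numeric columns as message id and length is an assumption based on the pattern in the trace; `find_stall` and the other names are hypothetical.

```python
import re

# Tail of the auth-tracebuf output quoted in the first post of this thread.
TRACE = """\
Nov 22 10:48:10 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 3 1096
Nov 22 10:48:10 eap-resp -> e6:b8:dc:47:87:80 24:62:ce:43:87:90 3 6
Nov 22 10:48:10 rad-req -> e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 84 244 192.168.101.248
Nov 22 10:48:10 rad-resp <- e6:b8:dc:47:87:80 24:62:ce:43:87:90/SRV-BE-DI-141 84 980
Nov 22 10:48:10 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
Nov 22 10:48:15 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
Nov 22 10:48:20 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
Nov 22 10:48:25 eap-req <- e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 890
Nov 22 10:48:30 dot1x-timeout * e6:b8:dc:47:87:80 24:62:ce:43:87:90 4 3 server timeout
Nov 22 10:48:30 dot1x-timeout * e6:b8:dc:47:87:80 24:62:ce:43:87:90 5 2 station timeout
"""

# time, event, station, bssid[/server], two numbers (assumed: id, length), rest
LINE = re.compile(r"^\w{3}\s+\d+\s+([\d:]+)\s+(\S+)\s+(?:<-|->|\*)\s+"
                  r"(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
# EAP requests wait on the station; RADIUS requests wait on the server.
PAIRS = {"eap-id-resp": "eap-id-req", "eap-resp": "eap-req", "rad-resp": "rad-req"}
WAITING_ON = {"eap-id-req": "station", "eap-req": "station", "rad-req": "server"}

def find_stall(trace):
    """Return the request left unanswered at the end of a trace, or None."""
    pending = {}    # (event, id) -> send count, first timestamp, length
    timeouts = []   # free-text reason of each dot1x-timeout line
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, event, _sta, _bssid, ident, length, rest = m.groups()
        if event in WAITING_ON:
            entry = pending.setdefault(
                (event, ident), {"sends": 0, "first": ts, "length": int(length)})
            entry["sends"] += 1          # a repeat of the same id is a retransmit
        elif event in PAIRS:
            pending.pop((PAIRS[event], ident), None)   # request was answered
        elif event == "dot1x-timeout":
            timeouts.append(rest)
    if not pending:
        return None
    (event, ident), entry = max(pending.items(), key=lambda kv: kv[1]["sends"])
    return {"silent_side": WAITING_ON[event], "event": event, "id": int(ident),
            "length": entry["length"], "sends": entry["sends"],
            "first_sent": entry["first"], "timeouts": timeouts}
```

On the trace from the first post this reports the station as the silent side: EAP request id 4 was sent four times between 10:48:10 and 10:48:25 with no `eap-resp` before the timeouts.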



  • 5.  RE: Certificate based authentication fails for ios 16

    Posted Nov 24, 2022 08:50 AM
    Hi, did you install on the iPhone the root CA cert that signs the NPS (RADIUS) certificate?



  • 6.  RE: Certificate based authentication fails for ios 16

    Posted Nov 24, 2022 09:02 AM
    Hi, yes the root cert has been installed.

    Kind regards,

    Peter Nobels | System Manager
    OM - BISS






  • 7.  RE: Certificate based authentication fails for ios 16

    Posted Nov 28, 2022 06:58 AM
    Following up on this...  My colleague's iPhone running the latest iOS 16 had the same issue.  However, after some time a popup appeared, allowing to accept the RADIUS certificate.  After that the connection to the wifi succeeds.  This seems an alternative way of trusting the RADIUS server.  However I never get this message on my own iOS device.  The conclusion so far is that when the trust message appears for the RADIUS server, somehow this trust does not succeed.  After digging a bit more I found I'm not the only one with this issue...    See threads:

    https://discussions.apple.com/thread/254323933
    http://www.edugeek.net/forums/wireless-networks/229440-ios-16-beta-radius-auth-wireless-networks-failed.html