[RADIATOR] iOS5 and untrusted/not verified EAP certificates

Heikki Vatiainen hvn at open.com.au
Thu Feb 9 08:55:09 CST 2012


On 02/09/2012 03:08 PM, Mike Puchol wrote:

Hello Mike,

> I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> being on the list of trusted CAs by iOS (I even checked the serial
> number, which is good), I get the following on the iPad's debug console:

I get the following certificate dialog when joining a WPA-Enterprise
network for the first time:

           Certificate
*cn.from.certificate*    (e.g. radius.example.com)
thawte Primary Root CA

*red*Not Verified*red*     button:Accept

Description: Client Authentication
Expires: 27.11.2013 1.59.59

More details >


The root CA is from thawte, as seen above, and Radiator sends the full
certificate chain linking the root via the intermediary CAs to
radius.example.com's certificate.

So the root CA is known by iOS, the certificate chain is complete and
everything is good. However, it still displays the red 'Not Verified'
and Accept button. Once Accept is chosen, the dialog does not come back
when rejoining the network.

The only way to get rid of all dialogs has been to use the configuration
utility and create a profile.

Note: there was no 'Add certificate', 'bad certificate' or red button.
If you see those, maybe the certificate chain the RADIUS server sends is not
complete. It does display 'Not verified', though, when not configured
with external profile.

Heikki

> Feb  9 14:02:08 Mikes-iPad kernel[0] <Debug>:
> AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK,
> index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
> Feb  9 14:02:08 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:08 Mikes-iPad Preferences[93] <Warning>:
> -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User
> Information required
> Feb  9 14:02:10 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:16 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> 
> The iPad then shows up an "Add certificate" dialog, but with a big red
> button and the text "Not verified". My guess is that it's trying to
> check a CRL, but of course, being still offline, this cannot be done.
> 
> Has anyone successfully connected an iOS5 device using EAP without "bad
> certificate" warnings? As clarification, I'm not using provisioning
> profiles, so the iPad doesn't "know" the network when it first connects
> to it.
> 
> Cheers,
> 
> Mike


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
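
Added example, not part of the original message and not Radiator code: a Python sketch that tallies the `peap_verify_server: server certificate not trusted` entries per device from an iOS console log like the one quoted above, coping with the mail quoting and line wrapping. The function names are hypothetical; the sample input is the log text quoted in the message, without the Preferences entry.

```python
import re
from collections import defaultdict

# Sample input: console log lines as quoted in the message above ("> " prefix, wrapped).
SAMPLE = """\
> Feb  9 14:02:08 Mikes-iPad kernel[0] <Debug>:
> AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK,
> index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
> Feb  9 14:02:08 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:10 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:16 Mikes-iPad eapolclient[149] <Notice>:
> peap_verify_server: server certificate not trusted, status 3 0
"""

# "Mon  D HH:MM:SS host process[pid] <Level>: message"
HEADER = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\] <(\w+)>:\s*(.*)$")
UNTRUSTED = re.compile(
    r"peap_verify_server: server certificate not trusted, status (\d+) (\d+)")

def parse_records(text):
    """Strip mail quoting and join wrapped lines into one record per log entry."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        m = HEADER.match(line)
        if m:
            ts, host, proc, pid, level, msg = m.groups()
            records.append({"time": " ".join(ts.split()), "host": host,
                            "process": proc, "pid": int(pid),
                            "level": level, "message": msg})
        elif records and line:  # continuation of the previous entry
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def untrusted_cert_summary(records):
    """Per host: count, first/last time and status pairs of eapolclient trust failures."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "status": set()})
    for rec in records:
        m = UNTRUSTED.search(rec["message"])
        if rec["process"] != "eapolclient" or not m:
            continue
        entry = summary[rec["host"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
        entry["status"].add((int(m.group(1)), int(m.group(2))))
    return dict(summary)
```

The status pair is reported as logged; the sketch does not interpret it.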

