
iPad can't get on the internet via a WPA2 Enterprise setup

I've seen some similar posts and no real answers. My office just got set up with wireless; it's Cisco gear and uses RADIUS to authenticate. What they told us to do on the Windows boxes was this:

Connect to the SSID
use WPA2 Enterprise Authentication
TKIP Encryption
Use PEAP Authentication
Uncheck the "Validate Server Certificate"
Authentication Method is EAP-MSCHAP v2 on the PEAP properties screen

Following these instructions on Windows 7 I can get on the network.

I tried this on my iPad:
connected to the network
selected WPA2 Enterprise
It prompted me for my login/password
I entered them....
Then I got a certificate and it asked me to accept/install it, and I did
Then it connects to the access point and gets a signal
Even though I am connected and authenticated I can't get on the internet, and I get no IP address. Not a DHCP issue since other devices work.

Any ideas on alternate configurations, or what I'd need to do with the iPhone Configuration Utility to get this working?

iPad WiFi + 3g 64gb, iOS 4, Running 4.2.1

Posted on Dec 14, 2010 10:00 AM

14 replies

Dec 14, 2010 12:15 PM in response to Skarin

Hello Skarin!

So at this point, have you sent a Configuration Profile to your iPad using the iPhone Configuration Utility? If not, it should be as simple as downloading it to any computer, then connecting your iPad. Here are some rough steps you will need to follow once it is installed:
1) Create a new Configuration Profile
2) Fill out the General tab with your information
3) Add a WiFi payload, specifying the SSID, Security Type (WPA2 Enterprise), and then selecting PEAP as your Protocol. You may also want to fill out your Domain\Username under Authentication.
4) Install this profile on your iPad, then try to connect under the WiFi tab again.

Let me know if this works... I'm kinda curious =)

Dec 14, 2010 2:08 PM in response to roguepacket

I had tried that before, but it didn't work. Just for fun I tried again, it asked me to confirm the certificate from the server, I did, and then the same thing as before, no actual connection. Just a self-assigned IP(169.X.X.X range). Any other clever ideas? I'm about out of them, and fairly frustrated. There's gotta be a way to make this work, right?

Dec 15, 2010 8:13 AM in response to Skarin

From the sounds of things, you're 2/3 of the way there - your iPad is talking PEAP to the AP, and there shouldn't be a trust issue as you are manually accepting the certificate. That only leaves an Authentication issue. Are you specifying your Outer Identity in the iPhone Configuration Tool, as well as properly specifying your DOMAIN\USERNAME credentials? In most cases, the Username and Outer Identity should be the same, but it all depends on what the RADIUS server on the far end of the AP is looking for.
It is possible that something else is happening on the network (MAC filtering, Windows Network Protection Service, etc.) to proactively block your attempts to connect, but the only way to know about these is to ask your friendly local administrator (if you have one).
And yes, this should definitely be possible... =)

Dec 15, 2010 9:45 AM in response to roguepacket

Yeah, I know I have to be close, since it gives me the cert to accept, and then actually "connects" to the AP and holds a connection.

I've tried every combo I can think of with the username and outer identity.
I've done with and without domain on both sides in all 4 combos. I also tried no outer identity. All 4 scenarios worked exactly the same with the OID: I apply the profile, then connect to the AP, it shows me the cert to accept, then associates with the AP and then, nothing. When I didn't specify one, it prompted me for credentials and a "mode" and they didn't work at all.

You have NO IDEA how much I appreciate the help troubleshooting here. Since the iPad is an "unsupported" device they won't really help me get it set up, I can connect it if I can make it work, but the admins are no real help.

I was able to connect a non-domain member windows laptop to the wifi, so that means they aren't filtering MACs or domain accounts, etc, right?

Any other things you can think of on my side, or what to specifically try to get out of the Admin group that might help?

THANKS!!!

Dec 16, 2010 8:37 AM in response to Skarin

"Unsupported" device - I've heard that before, too many times... =)
So after thinking on everything you've tried, it's safe to say that your AP is running PEAPv0 with EAP-MSCHAPv2 for Authentication. This is good news - as it is probably the most widely used Enterprise WiFi configuration, iOS devices should absolutely be compatible with this. Getting a non-domain XP PC connected was a great idea, as I have discovered that Windows XP is kind of "loose" in the way it handles PEAP certificates - it will accept any certificate given to it by a RADIUS server without question. Undoubtedly a big security hole, but it does have the advantage of being "user friendly." I don't think Apple's implementation is quite as loose, so even though you are manually accepting one certificate, you probably need more to complete the chain of trust required for your device to authenticate the server. This is a requirement for PEAP to function.
So at this point, I think your best bet would be to migrate over to the Credentials tab. If you're running the iPhone Config Utility on a PC which connects to the AP, you already have the certificates in your trusted certificate store - so simply hit the add button and add any relevant certificates. For example, if your domain is named "corporate", import any certificates bearing that domain. Once you've done this, head over to the Trust tab under WiFi and check off your newly imported certificates as being trusted for your connection.
In addition, if you can figure out what the name of the RADIUS server on the other end of the AP is doing the authentication, add it under "Trusted Certificate Names" - if you don't know it, you can also add a wildcard like "*.corporate" to trust any servers in your domain. This shotgun approach is probably your best bet for making it go initially.
You will know this is all working when you no longer get the dialog on your iPad to accept the certificate, and hopefully, you get an IP address.
We're truly in the thick of it now, and this is my last idea - so if this does not work, we will need to call on those stronger than I with iOS networking... or, you can call up your IT department and start the conversation off with the words "I bet you can't figure this out" - that always gets IT people going =)
Best of luck!

Sources:
http://howto.techworld.com/mobile-wireless/3451/use-peap-for-wireless-authentication/

http://images.apple.com/ipad/business/pdf/iPadDeploymentScenarios.pdf
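The steps roguepacket describes (a Wi-Fi payload with PEAP, the RADIUS CA imported under Credentials, the certificate marked trusted, and the server name or a wildcard under "Trusted Certificate Names") are exactly what a .mobileconfig file carries. The example below is added here and is not code from the thread or from the iPhone Configuration Utility; it builds such a profile with Python's standard plistlib using Apple's documented payload keys, and adds a small audit that flags the iOS equivalent of the Windows "uncheck Validate Server Certificate" setting from the original post. The SSID, server names, domain and CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample values for this example; replace with your own.
SSID = "corporate-wifi"
# Names the RADIUS server certificate may carry; the wildcard covers the "shotgun" case above.
TRUSTED_SERVER_NAMES = ["radius1.corporate.example", "*.corporate.example"]
# Placeholder standing in for the DER bytes of the CA that issued the RADIUS server certificate.
CA_CERT_DER = b"<DER bytes of the issuing CA certificate go here>"


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_wifi_profile(ssid, username, trusted_names, ca_der, outer_identity=None):
    """Return a profile dict: one root-CA payload plus one WPA2 Enterprise / PEAP Wi-Fi payload."""
    cert_uuid = _new_uuid()
    cert_payload = {
        "PayloadType": "com.apple.security.root",   # same as importing the CA under Credentials
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.radius-ca",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "RADIUS issuing CA",
        "PayloadContent": ca_der,                    # plistlib writes bytes as <data>
    }
    eap = {
        "AcceptEAPTypes": [25],                      # EAP type 25 = PEAP; inner MSCHAPv2 is PEAP's default
        "UserName": username,                        # DOMAIN\user or user@domain, whatever RADIUS expects
        "TLSTrustedServerNames": list(trusted_names),   # the "Trusted Certificate Names" box
        "PayloadCertificateAnchorUUID": [cert_uuid],    # the "Trust" checkbox for the CA above
        "TLSAllowTrustExceptions": False,            # no tap-to-accept for a cert outside that chain
    }
    if outer_identity:
        eap["OuterIdentity"] = outer_identity        # keeps the real username out of the cleartext outer identity
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corporate",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",                    # with EAPClientConfiguration this means WPA2 Enterprise
        "EAPClientConfiguration": eap,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corporate.profile",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "Corporate Wi-Fi (PEAP)",
        "PayloadContent": [cert_payload, wifi_payload],
    }


def profile_to_mobileconfig(profile):
    """Serialize the profile dict to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig_bytes):
    """Flag Wi-Fi payloads whose EAP settings leave the RADIUS server unverified.

    A payload that pins no anchor, names no server, or allows trust exceptions is the
    iOS counterpart of unchecking "Validate Server Certificate": a fake SSID with any
    certificate would be accepted, which is the risk Paul mentions later in the thread.
    """
    findings = []
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if not eap:
            continue  # PSK or open network: nothing for the client to verify
        ssid = payload.get("SSID_STR", "?")
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(ssid + ": no PayloadCertificateAnchorUUID, server chain is not pinned")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(ssid + ": no TLSTrustedServerNames, any cert from the pinned CA is accepted")
        if eap.get("TLSAllowTrustExceptions", True):   # Apple's default for this key is true
            findings.append(ssid + ": TLSAllowTrustExceptions is on, user can accept an untrusted server")
    return findings


if __name__ == "__main__":
    prof = build_wifi_profile(SSID, "corporate\\skarin", TRUSTED_SERVER_NAMES, CA_CERT_DER,
                              outer_identity="anonymous@corporate.example")
    blob = profile_to_mobileconfig(prof)
    print(blob.decode())
    print("findings:", audit_profile(blob))
```

Run it and save the printed XML as corporate-wifi.mobileconfig (with real CA bytes in place of the placeholder) to install it on the iPad. The expected sign that the trust settings are right is the one roguepacket names: the device stops showing the accept-certificate dialog, because the chain already validates against the pinned CA.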

Dec 16, 2010 10:13 AM in response to roguepacket

Thanks again for the help here, tried running the config app on the windows box that has the certs installed, imported them with the mobile config, and you are right, it didn't prompt to install the cert, but I still get the auto-config IP and no connectivity. Tried a static IP, just for fun, and still nothing.

Looks like I'll have to try to sweet talk the network admins into helping out. 😟

If you have any other ideas, let me know! You're my hero man!

Jan 18, 2011 2:15 PM in response to Skarin

I'm a network manager and run a Cisco wireless network for my users. The iPad and iPhone generally work right off the bat without any changes, even though you can make some adjustments if you wish. We don't enforce any of these here (they would be RADIUS settings) as the security that the iPad and iPhone set up is acceptable, although technically it could lead to (at least in theory) a faked SSID with the same name as yours being set up in an effort to capture details. Anyway, the fact that you get the cert is a good sign.

Personally (and this does depend on RADIUS setup and backend database) we prefer users to use the following username convention:

username@domain

If you see the wireless symbol after this point you have passed the 802.1x login. Even with our systems 802.1x is quite temperamental on the DHCP side of things, and the Cisco WCS/WLC combination (which I am guessing your company will be using) can also enforce DHCP etc, but also has the ability to block clients it thinks are a threat.

The best piece of advice I can give you is that network engineers don't like to be told what the problem is; however, if you talk to them with respect (rather than treating them like something you walked in) and ask for help, this usually works. Especially if you show them your shiny toy!

BTW, for the most part with Cisco wireless systems, if you try using a static IP address that is a sure-fire way to get your device excluded (blacklisted), which might be timed but may be permanent (i.e. needs your network admins to manually remove).

Lastly, I know of a dozen or more iPads in my local area that successfully connect to our wireless system, which based upon your description sounds very similar to yours.

Paul

Feb 17, 2011 12:16 PM in response to ramirezh

Are you using a proxy server? If so (like our corporation), I set the proxy server on the wireless tab to MANUAL and then put in my PROXY SERVER, turn on Authentication and enter my username and password. Once the proxy information is set up it will allow you access except for whatever is blocked by the corporation in the proxy (usually YouTube, Facebook, and for whatever reason Dropbox is also blocked). Usually, I go to Safari and see if I can access the outside world (www.google.com); if it is set up correctly it will load.

I am trying to work on a solution to get the proxy to work with exceptions but haven't quite figured it out yet. I work in our corporate IT organization but this is still uncharted territory and makes most IT people nervous.

Mar 30, 2011 11:21 AM in response to Skarin

Skarin wrote:
Uncheck the "Validate Server Certificate"
Authentication Method is EAP-MSCHAP v2 on the PEAP properties screen


Mac OS X, and iOS by extension, do not allow you to ignore the server certificate, which is what that first line effectively does. You must use an actual certificate, which is signed by a trusted root (which can even be your own root CA, but it's got to be signed by something besides itself.)

Secondly, Mac OS X (and iOS) do not support EAP-MSCHAPv2 inner authentication for 802.1x. To get around this where I work, we enabled TTLS / MSCHAPv2 authentication on the RADIUS server in addition to the PEAP / EAP-MSCHAPv2 authentication, and all things Apple work great with the same functional security. This was on a Juniper Networks SBR RADIUS server.

Short version: get a non-self-signed certificate, and set up TTLS. Is it a PITA, sure; but it's what works.

Message was edited by: Christopher Flanagan

May 19, 2011 5:35 AM in response to Skarin

I found a similar issue.

WPA2 Enterprise network with HP APs and Microsoft Internet Security and Acceleration Server.


I can find the network, I can enter login details as "domain\username" and "password". I can accept a self-signed certificate and get a properly configured DHCP address. However, local DNS doesn't seem to work.

I configured network on iPhone/iPad by forcing OpenDNS addresses for the DNS and I managed to get to the Internet.


Unfortunately, after a random period of time (most of the times after the device has been put to sleep), the Internet doesn't work anymore. Connection is still there and the IP is the same, but I can't ping anything outside local network. Sometimes I can get on the Internet again by simply turning wifi OFF and ON.


This behaviour is severely restricting iOS device adoption. By now they are forced to connect via the 3G connection (which is quite fast here anyway...).


Any clue? 🙂

Aug 19, 2011 1:02 AM in response to Skarin

Hi Skarin,


In my case, which was almost identical (Cisco AP 1130 / MS 2008 R2 NPS as RADIUS / EAP / PEAP), I was successful with switching from TKIP to AES-CCMP as the encryption cipher.


In my case this setting was in the configuration on the standalone AP (because we don't have a controller-based WLAN).


Hope this helps somebody.
