iPad-iPhone connectivity on Enterprise Wifi.

I have been tasked with getting iPads and iPhones connected to our internal wireless network.

Currently:
We use two Cisco 4400 Wireless LAN Controllers with 1131AG access points. The WLCs are located at our two largest offices. APs operate in Local mode where they coexist with the WLC and H-REAP at all other locations.

We use Windows 2008 R2 server as our domain enterprise CA and NPS (IAS) server.

The laptop WLAN is configured for 802.1x w/WEP passing the computer (not user) certificate through to the NPS server to grant access. Laptops currently running XP.

Wireless configuration and root CA certificates are distributed via Group Policies.

This all works well.

Introduce....the iPad!

I started with this blog on TechNet ( http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx )

Configured the following on a new WLAN.
WPA+WPA2 802.1x AES (no TKIP). AAA server is the same NPS/CA server used by the Laptops.

If (on the iPad) I manually select the new WLAN it prompts me for a user name and password. I enter it and it fails. This is actually expected by choice as we want the computer based certificate to be used for authentication. I mention this because I actually see the NPS server log a failed auth request with my user name etc. I know that the communication is getting through the Cisco WLAN WLC configuration.

Introduce the iPhone Configuration Utility

Created a profile to push the Wifi, enterprise root CA certificate, and SCEP. When I install the profile to the iPad it attempts to connect and errors with “Profile failed to install. A Network Error has occurred.”

The iPhone Configuration Utility Console logs the error below.

Mar 16 09:55:56 iPad profiled[1722] <Warning>: MC|Profile wifiprofile.hro.com failed to install with error: NSError 0x1ed8d170:
Desc : Profile Failed to Install
Sugg : A network error has occurred.
US Desc: Profile Failed to Install
US Sugg: A network error has occurred.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError 0x1ed8cdb0:
Desc : The profile HRO Wifi Profile could not be installed.
Sugg : A network error has occurred.
US Desc: The profile HRO Wifi Profile could not be installed.
US Sugg: A network error has occurred.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"HRO Wifi Profile"
)
...Underlying error:
NSError 0x1ed8c480:
Desc : A network error has occurred.
Sugg : bad URL
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError 0x1ed40dc0:
Desc : bad URL
Domain : NSURLErrorDomain
Code : -1000
Type : MCFatalError
Extra info:


Questions?

Bad URL??? The URL in the profile is correct and I can access it from any PC. Could this be a DNS issue, in that if the device is not allowed on the wifi yet, how can it perform a DNS lookup?

The blog (see above) has left me with a few questions on the SCEP settings.
Does the referenced “Subject” need to be the full AD path (backwards per the blog)? i.e. AD: CN=ipad,OU=<device>,OU=<subcontainer>,OU=<subcontainer>,DC=Domain,DC=<rootdomain>,DC=com

iPhone : O=com,O=<rootdomain>......
Does the O in fact translate to DC or should I be using DC instead?

NDES (on the CA) was installed using a 2048-bit key. Does the SCEP setting in the utility need to match this or the key length of the root CA certificate? How do I determine the key length of the cert? I have looked at the properties of the CA cert but do not see it.

Per one of the blog's comments, do I in fact need a $ at the end of the device name?

This solution is still going to require that I have the device (iPhone, iPad) in hand to install the profile. This will be a challenge with remote offices across the western US.

Ideally I would prefer for them to be prompted for the NDES key that I can read to them.

Thanks All

iOS 4

Posted on Mar 16, 2011 1:29 PM
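
Added example (not part of the original post or the referenced blog): a small Python parser that walks the nested NSError chain from the console log above and reports the innermost error, which is the one that names the actual failure. The sample log is a trimmed copy of the post's output, the function names are illustrative, and the NSURLErrorDomain meanings are taken from Foundation's NSURLError.h.

```python
import re

# Constructed sample: the error chain from the post, cut to the parsed fields.
SAMPLE_LOG = """\
Mar 16 09:55:56 iPad profiled[1722] <Warning>: MC|Profile wifiprofile.hro.com failed to install with error: NSError 0x1ed8d170:
Domain : MCInstallationErrorDomain
Code : 4001
...Underlying error:
NSError 0x1ed8cdb0:
Domain : MCProfileErrorDomain
Code : 1009
...Underlying error:
NSError 0x1ed8c480:
Domain : MCSCEPErrorDomain
Code : 22005
...Underlying error:
NSError 0x1ed40dc0:
Desc : bad URL
Domain : NSURLErrorDomain
Code : -1000
"""

# Meanings per Foundation's NSURLError.h (NSURLErrorDomain only).
NSURL_CODES = {
    -1000: "NSURLErrorBadURL: malformed URL, request never initiated",
    -1003: "NSURLErrorCannotFindHost: host name could not be resolved",
    -1006: "NSURLErrorDNSLookupFailed: DNS lookup failed",
}
HEADER = re.compile(r"NSError 0x[0-9a-fA-F]+:\s*$")
FIELD = re.compile(r"^\s*(Desc|Sugg|Domain|Code)\s*:\s*(.*\S)\s*$")

def parse_chain(log):
    """Return one dict per NSError in the log, outermost first."""
    chain = []
    for line in log.splitlines():
        if HEADER.search(line):
            chain.append({})          # a new (nested) error starts here
        elif chain and (m := FIELD.match(line)):
            chain[-1].setdefault(m.group(1), m.group(2))
    return chain

def root_cause(log):
    """Return (domain, code, meaning) for the innermost error, or None."""
    chain = parse_chain(log)
    if not chain or "Code" not in chain[-1]:
        return None
    domain, code = chain[-1].get("Domain", "?"), int(chain[-1]["Code"])
    known = NSURL_CODES if domain == "NSURLErrorDomain" else {}
    return domain, code, known.get(code, "not in this table")
```

For the log in this post, `root_cause` returns NSURLErrorDomain -1000, the malformed-URL code, rather than one of the host-resolution codes (-1003, -1006).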

Aug 12, 2011 5:33 AM in response to russell.laplante

Hi Russell


Did you ever get this to work? I'm in a similar position - have now configured a separate WPA2 wireless network with a separate RADIUS server to allow me to "mess around" a bit more. I can issue a certificate from the NDES server, but I can't get the iPad to negotiate a successful 802.1x authentication.


I'm unsure if this is because the certificate isn't right, or if it's the RADIUS policies that are wrong. I have tried making several changes and still no luck so far. In particular, I had the same question as you about whether a computer object for the iPad should be created in AD. I have tried with and without with no joy. I also tried pointing the SCEP configuration to my AD user object to try a user based certificate to no avail.


I haven't been able to find anyone with a good end-to-end knowledge of how this should be configured - if you've managed this I'd be very interested to hear how you did it!


Thanks.

Sep 23, 2011 12:56 PM in response to kevinrcunningham

I was following this article: http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx and I was getting the same error as you. After I made some changes and fixes, it works on my iPad - I haven't had time to test with other devices.

My changes:

URL for the SCEP server changed to http instead of https

and subject changed to simple: O=domain,CN=ipad


it worked

Feb 23, 2012 6:20 AM in response to dar2kas

Hi dar2kas,


Are those the only 2 changes which you have done and it worked?

I'm having the same issue with auth on the RADIUS? I can install the cert with no issues by following that tutorial but for some reason I think the iPad is identified as a user account?...not sure.


This is the error on NPS Windows 2008 R2 Server; I put all the "blame" on the Subject settings and tried to add only O=domain, CN=ipad, tried to add $ after CN name as advised on these forums...no luck 😟




Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID: NULL SID
    Account Name: iPad1
    Account Domain: Domain
    Fully Qualified Account Name: Domain\iPad1

Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 000B86070E00
    Calling Station Identifier: 286ABACDFC41

NAS:
    NAS IPv4 Address: 172.xx.0.1
    NAS IPv6 Address: -
    NAS Identifier: 172.xx.0.1
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 1

RADIUS Client:
    Client Friendly Name: Aruba
    Client IP Address: 172.xx.0.x

Authentication Details:
    Connection Request Policy Name: Wifi
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: Server1.local.domain
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the SQL data store.
    Reason Code: 8
    Reason: The specified user account does not exist.

Feb 26, 2012 6:35 AM in response to 1338

Update: I managed to do it by creating an account in AD, doing the name mappings and associating the certificate from the CA (exported first as an X.509 one), then disabling the "Ignore user dial-in properties" from Network Policies on the NPS server.


Not sure if this is the best way forward but it works for the moment...
