On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok I may have spoken too soon. I just found this online: "Apparently starting with iOS 9.1, if the RADIUS cert does not contain the "Key Encipherment" flag, iOS will reject authentication with: Oct 1 11:27:29.752545 TiPadAir2 eapolclient[455]: [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not trusted status 1001 -9807"
That's not *quite* what it says: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Secu... ... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ... I haven't seen any problems with iOS.
I'm guessing this is probably what I need to do to get this to work. Anyone know what this "Key Encipherment" flag is, and how to include it in the Radius cert?
My guess is that you created a server certifcate without the xpextensions file. i.e. printing a *good* certificate gets me: ... X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: URI:http://www.example.com/example_ca.crl ... Your server certificate is probably missing those extensions. Fix that, and you won't need the key usage flag. Alan DeKok.