[EXT] Client Compatibility with PEAP and Certificates

Brian Julin BJulin at clarku.edu
Tue Sep 24 19:04:43 CEST 2019



Shan wrote:

> The issue I'm having is that when using my updated certificates and authenticating my wireless clients via PEAP, some devices such as my Macbook Air (MacOS Mojave) mark the certificates as valid while others, such as my iPhone (iOS 12) mark the certificate as invalid. I believe this issue relates to the root trust certificate?

> What could I do to improve compatibility and prevent this invalid certificate issue for my end users? Could this be solved by using a different certificate provider, such as LetsEncrypt with a public CA?

Yes, you need a root CA that is in the factory OS store on all your devices.  Entrust and GoDaddy are two I know to work widely.

Alternatively, you'd need to distribute a .mobileconfig profile with the root CA as a certificate payload (for Apples, and then you'd need something else like CAT for Windows and an MDM-like solution for Androids).  But if you can get your users to do that, you could go with a private root and be better off overall.
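
Added example, not part of the original post: a sketch of building the .mobileconfig mentioned in the reply above, with the root CA as a certificate payload, using only the Python standard library. The function names, the org_id reverse-DNS prefix and the identifier layout are assumptions for illustration, and the embedded sample is constructed placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import plistlib
import re
import uuid

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.+?)\s*-----END \1-----", re.S)

# Constructed placeholder: a tiny valid DER SEQUENCE, NOT a real certificate.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(PLACEHOLDER_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def stable_uuid(name):
    """Deterministic UUID so rebuilding the same profile updates it in place."""
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()

def pem_to_der(pem_text):
    """Return the DER bytes of the single CERTIFICATE block in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    # Only the public root certificate is distributed; refuse key material.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("input contains a private key; export the certificate only")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, got %d" % len(certs))
    return base64.b64decode("".join(certs[0].split()), validate=True)

def build_profile(pem_text, org_id, display_name):
    """Return .mobileconfig (XML plist) bytes carrying one root CA payload."""
    der = pem_to_der(pem_text)
    tag = hashlib.sha256(der).hexdigest()[:16]  # ties identifiers to this cert
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # root certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": "%s.rootca.%s" % (org_id, tag),
        "PayloadUUID": stable_uuid("cert." + org_id + tag),
        "PayloadDisplayName": display_name,
        "PayloadContent": der,  # serialized as base64 <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "%s.profile.%s" % (org_id, tag),
        "PayloadUUID": stable_uuid("profile." + org_id + tag),
        "PayloadDisplayName": display_name + " (trust profile)",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Pass the contents of the root CA's PEM file in place of SAMPLE_PEM and write the returned bytes to a file ending in .mobileconfig.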


