“Not Trusted” is always shown on iOS if the supplicant is not configured. It has nothing to do with public root trust.
macOS has split EAP trust vs system trusted CAs when displaying the prompt. From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <hf0...@uah.edu> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Date: Tuesday, July 31, 2018 at 8:50 PM To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] Issues with Windows 10 Because Macs and iPhones allow you to manually verify the certificate hash, which is easier and equally secure to a supplicant utility, so we also support that avenue for configuration. However, if you don't have a public-CA-signed certificate, they display the words "Not Trusted" in red bold letters during the certificate verification process. On Tue, Jul 31, 2018 at 5:30 PM Cappalli, Tim (Aruba Security) <t...@hpe.com<mailto:t...@hpe.com>> wrote: Just curious, for those running a supplicant configuration utility, why are you using a public CA-signed EAP server certificate? On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Charles Rumford" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu>> wrote: On 07/31/2018 04:18 PM, Michael Dickson wrote: > Hi Charles, > > > What do you mean by "we ended up configuring all of the intermediate certs"? Do > you mean you are now pushing all certs down to the client during the JoinNow > process? Yes. We ended up, just for Windows, pushing all of certs down to the clients. It was the only way we could get the profile to work. > > > We are also running EAP-TTLS/PAP with JoinNow with a cross-signed double > intermediate cert. I haven't heard of any issues yet but want to get in front of > any that might crop up.. > > > Thanks, > Mike > > Michael Dickson > Network Engineer > Information Technology > University of Massachusetts Amherst > 413-545-9639<tel:(413)%20545-9639> > michael.dick...@umass.edu<mailto:michael.dick...@umass.edu> > PGP: 0x16777D39 > > > > -------------------------------------------------------------------------------- > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv > <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Charles Rumford > <charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu>> > *Sent:* Tuesday, July 31, 2018 12:24 PM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10 > > On 07/30/2018 01:09 PM, Turner, Ryan H wrote: >> From SecureW2: >> >> The issue is noticed when the RADIUS server cert is signed by AddTrust External CA Root (Cross signed by USERTrust RSA Certification Authority) and with the recent windows 10 update. We are looking into this and should be able to provide you an update. >> > > We ended up configuring all of the intermediate certs, and it solved the problem. > > > -- > Charles Rumford > Senior Network Engineer > ISC Tech Services > University of Pennsylvania > OpenPGP Key ID: 0x173F5F3A (2018/07/05) > > > ********** > Participation and subscription information for this EDUCAUSE Constituent Group > discussion list can be found at http://www.educause.edu/discuss. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at http://www.educause.edu/discuss. > -- Charles Rumford Senior Network Engineer ISC Tech Services University of Pennsylvania OpenPGP Key ID: 0x173F5F3A (2018/07/05) ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. -- -- Hunter Fuller Network Engineer VBH Annex B-5 +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Systems and Infrastructure ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.