Tim, I verified the behavior you mentioned, on my iPhone running iOS 11. I found a co-worker who still has iOS 10, and that is where I was remembering that behavior from. I had no idea it had changed, so thank you for the heads up - we will need to update our documentation.
-hf On Tue, Jul 31, 2018 at 7:59 PM Cappalli, Tim (Aruba Security) <[email protected]> wrote: > “Not Trusted” is always shown on iOS if the supplicant is not configured. > It has nothing to do with public root trust. > > > > macOS has split EAP trust vs system trusted CAs when displaying the prompt. > > > > > > *From: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > [email protected]> on behalf of Hunter Fuller < > [email protected]> > *Reply-To: *The EDUCAUSE Wireless Issues Constituent Group Listserv < > [email protected]> > *Date: *Tuesday, July 31, 2018 at 8:50 PM > *To: *"[email protected]" < > [email protected]> > *Subject: *Re: [WIRELESS-LAN] Issues with Windows 10 > > > > Because Macs and iPhones allow you to manually verify the certificate > hash, which is easier and equally secure to a supplicant utility, so we > also support that avenue for configuration. However, if you don't have a > public-CA-signed certificate, they display the words "Not Trusted" in red > bold letters during the certificate verification process. > > On Tue, Jul 31, 2018 at 5:30 PM Cappalli, Tim (Aruba Security) < > [email protected]> wrote: > > Just curious, for those running a supplicant configuration utility, why > are you using a public CA-signed EAP server certificate? > > > On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group > Listserv on behalf of Charles Rumford" <[email protected] > on behalf of [email protected]> wrote: > > On 07/31/2018 04:18 PM, Michael Dickson wrote: > > Hi Charles, > > > > > > What do you mean by "we ended up configuring all of the intermediate > certs"? Do > > you mean you are now pushing all certs down to the client during the > JoinNow > > process? > > Yes. We ended up, just for Windows, pushing all of certs down to the > clients. It > was the only way we could get the profile to work. > > > > > > > We are also running EAP-TTLS/PAP with JoinNow with a cross-signed > double > > intermediate cert. I haven't heard of any issues yet but want to get > in front of > > any that might crop up.. > > > > > > Thanks, > > Mike > > > > Michael Dickson > > Network Engineer > > Information Technology > > University of Massachusetts Amherst > > 413-545-9639 <(413)%20545-9639> > > [email protected] > > PGP: 0x16777D39 > > > > > > > > > -------------------------------------------------------------------------------- > > *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv > > <[email protected]> on behalf of Charles Rumford > > <[email protected]> > > *Sent:* Tuesday, July 31, 2018 12:24 PM > > *To:* [email protected] > > *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10 > > > > On 07/30/2018 01:09 PM, Turner, Ryan H wrote: > >> From SecureW2: > >> > >> The issue is noticed when the RADIUS server cert is signed by > AddTrust External CA Root (Cross signed by USERTrust RSA Certification > Authority) and with the recent windows 10 update. We are looking into this > and should be able to provide you an update. > >> > > > > We ended up configuring all of the intermediate certs, and it solved > the problem. > > > > > > -- > > Charles Rumford > > Senior Network Engineer > > ISC Tech Services > > University of Pennsylvania > > OpenPGP Key ID: 0x173F5F3A (2018/07/05) > > > > > > ********** > > Participation and subscription information for this EDUCAUSE > Constituent Group > > discussion list can be found at http://www.educause.edu/discuss. > > > > ********** Participation and subscription information for this > EDUCAUSE > > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > > > > -- > Charles Rumford > Senior Network Engineer > ISC Tech Services > University of Pennsylvania > OpenPGP Key ID: 0x173F5F3A (2018/07/05) > > ********** > Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/discuss. > > -- > > > > -- > > Hunter Fuller > > Network Engineer > > VBH Annex B-5 > > +1 256 824 5331 <(256)%20824-5331> > > > > Office of Information Technology > > The University of Alabama in Huntsville > > Systems and Infrastructure > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. > > -- -- Hunter Fuller Network Engineer VBH Annex B-5 +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Systems and Infrastructure ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
