10.2.0.0 build 189 AD for 802.1x EAP w/ WPA2 Encryption - iOS byod unable to join

  • Question
  • Updated 1 month ago
  • Acknowledged
I am experimenting with using AD for 802.1x as an authentication option as it would allow me to get away from using Windows NPS as RADIUS. I have successfully configured the AAA Server and SSID and can authenticate both Windows and Android devices; however, iPad 12.0 iOS (I do not have any other devices to test with, so the problem could be limited to this or, possibly, unlimited) appears to successfully authenticate (I receive no errors at AD or in the ZoneDirector troubleshooter), but a message displays that the device was unable to join. I initially thought it may have something to do with MFP settings; however, changing those did not appear to fix the issue, nor did switching between strict AES or Auto (TKIP+AES) help.

Garrett Collier


Posted 12 months ago


Michael Brado, Official Rep

I'd compare logs from a working client and an Apple, and you might see where a response wasn't received, or...

murimig

Hi Garrett,

Could you please point me in the right direction with the AD for 802.1x settings specifically 'server device name'.

I am stuck at this point. I hope you resolved your issues.

Garrett Collier

This was a while back, so my memory is a bit fuzzy on what the solution actually was. I believe the issue was due to the iOS device not trusting the certificate from our NPS server due to it using the machine name and not the FQDN. We use wildcard certs, so this was not something that would work for us.

Can you specify where you're seeing a field for 'server device name'? Is that when you're setting up the AAA server on ZoneDirector, or are you in MS NPS?
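A worked check of the diagnosis above, added here as an example and not part of Garrett's post or any Ruckus tooling: the supplicant compares the name it expects for the RADIUS/EAP server against the names presented in the server certificate, so a certificate issued to the bare machine name fails when the client expects the FQDN, and a wildcard certificate covers exactly one label. The matching rules follow RFC 6125 as modern clients commonly apply them (SAN dNSName entries take precedence over the CN; a wildcard is only accepted as the whole leftmost label). The certificate names and hostnames are constructed placeholders, not real servers.

```python
"""Added example: would an EAP server certificate satisfy a client that
validates a given server name?  Certificate contents are constructed
placeholders; the matching rules are RFC 6125 as supplicants usually
apply them, which is an assumption about client behaviour, not a
statement about any specific iOS release."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The identity-bearing fields of an X.509 server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _label_matches(pattern: str, name: str) -> bool:
    """Match one presented identifier against one expected name.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the entire leftmost label ("*.corp.example")
    - the wildcard covers exactly one label: never zero, never two
    - patterns with fewer than three labels ("*.com") are refused
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False            # partial or multiple wildcards are not accepted
    if len(p_labels) < 3:
        return False            # too broad to be a sane wildcard
    if len(p_labels) != len(n_labels):
        return False            # "*" matches a single label only
    return p_labels[1:] == n_labels[1:]


def cert_matches(cert: CertNames, expected: str) -> bool:
    """If the certificate carries SAN dNSName entries, only those count;
    the CN is consulted only when no SAN dNSName is present."""
    candidates = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(_label_matches(c, expected) for c in candidates)


def diagnose(cert: CertNames, expected: str) -> str:
    """Human-readable verdict for a troubleshooting session."""
    presented = cert.san_dns or [cert.common_name]
    if cert_matches(cert, expected):
        return f"OK: '{expected}' is covered by {presented}"
    return (f"MISMATCH: client expects '{expected}' but the certificate presents "
            f"{presented}; the supplicant will refuse to join")


# Constructed sample certificates (placeholder names, not real hosts).
MACHINE_NAME_CERT = CertNames(common_name="NPS01")                 # bare machine name
FQDN_CERT = CertNames(common_name="nps01.corp.example",
                      san_dns=["nps01.corp.example"])               # full name in SAN
WILDCARD_CERT = CertNames(common_name="*.corp.example",
                          san_dns=["*.corp.example"])               # wildcard cert

if __name__ == "__main__":
    expected_fqdn = "nps01.corp.example"
    for cert in (MACHINE_NAME_CERT, FQDN_CERT, WILDCARD_CERT):
        print(diagnose(cert, expected_fqdn))
    # The wildcard cert does not help a client that expects a deeper name.
    print(diagnose(WILDCARD_CERT, "radius.site1.corp.example"))
```

Running the block prints one verdict per certificate: the machine-name certificate mismatches the FQDN, the FQDN and wildcard certificates match it, and the wildcard certificate fails for a name with an extra label. The same function can be pointed at whatever server name the clients are configured to trust before a certificate is issued.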

murimig

Yes, I am seeing this when setting up an AAA server, specifically type 'AD for 802.1x'.

Garrett Collier

That would be your domain controller's FQDN.