802.1X Wifi Configuration Profile No Certificate

dtmille2
Contributor II

Hello,

Traditionally our iOS devices that are managed by Jamf use a wifi configuration profile that contains the certificate that allows them to connect to our college's 802.1X EAP-PEAP network.

However, I have noticed that if the certificate is taken OUT of the wifi configuration profile, as long as the certificate common name under Network Security Settings is maintained, the iOS devices are still able to connect.

This was a surprise to me and our network engineer. Is this expected behavior?

1 REPLY

dtmille2
Contributor II

As a follow-up to my post, I think this snippet from the Apple help article, https://help.apple.com/deployment/ios/#/apd7b6d34790, might explain the behavior:

"Trust:

Trusted Certificates: If the RADIUS server’s leaf certificate is supplied in a certificates payload, the administrator can select it here. This configures the client supplicant to connect only to an 802.1X network with a RADIUS server presenting one of the certificates in this list.

Trusted Server Certificate Names: Use this array to configure the supplicant to connect only to RADIUS servers presenting certificates that match these names. This field supports wildcards; for example, *.example.com expects the certificate common names radius1.example.com and radius2.example.com."

I take this to mean that when setting up a wifi configuration profile for my devices in Jamf, I can either include the certificate itself in the profile, OR I can use a Trusted Server Certificate Name, as an alternative to using the certificate itself.

Can anyone confirm that I am correct in my understanding? If so, it would explain what I am seeing.
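An added example, not part of the original posts and not Jamf's or Apple's code: a Python audit of a .mobileconfig that reports whether each 802.1X Wi-Fi payload pins the RADIUS server by certificate, by name, or both. The sample profile, SSID and function names are constructed for illustration, and the wildcard check only approximates the supplicant's matching with shell-style globbing.

```python
import plistlib
from fnmatch import fnmatchcase

# Constructed sample: a PEAP Wi-Fi payload that pins the RADIUS server by
# name only, with no certificate payload in the profile (the thread's case).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>Campus-Secure</string>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      <key>TLSTrustedServerNames</key><array><string>*.example.com</string></array>
    </dict>
  </dict></array>
</dict></plist>"""

def audit_wifi_trust(profile_bytes):
    """Return one finding per 802.1X Wi-Fi payload: how is the server pinned?"""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # UUIDs of certificate payloads (com.apple.security.root, .pkcs1, .pem, ...)
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        mode = {(True, True): "certificate+name", (True, False): "certificate-only",
                (False, True): "name-only", (False, False): "unpinned"}[
                    (bool(anchors), bool(names))]
        findings.append({
            "ssid": p.get("SSID_STR"), "mode": mode, "names": names,
            # anchors that point at no certificate payload in this profile
            "dangling_anchors": [u for u in anchors if u not in cert_uuids]})
    return findings

def name_is_trusted(names, presented_cn):
    """Approximation of the supplicant's wildcard match using shell globbing."""
    return any(fnmatchcase(presented_cn.lower(), n.lower()) for n in names)

if __name__ == "__main__":
    for f in audit_wifi_trust(SAMPLE_PROFILE):
        print(f["ssid"], f["mode"], f["names"], f["dangling_anchors"])
```

A payload reported as "unpinned" carries neither setting from the quoted article, so it is the case to review first.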