So we are getting this prompt to verify the certificate that is used to connect to the corporate WiFi.
It has happened on devices that were already using that network before the upgrade to Big Sur, and also to devices that are connecting to it for the first time.
We verified that the RootCA that is part of the trust was already in the Keychain, added with a config profile.
So I have two questions:
Do your certificates meet the requirements outlined in Apple's Requirements for trusted certificates in iOS 13 and macOS 10.15?
• RSA Key Sizes ≥ 2048 bits
• SHA-2 hash signatures
• DNS name of server in Subject Alternative Name extension
• Server cert contains ExtendedKeyUsage extension containing id-kp-serverAUTH OID
• Server cert valid for ≤ 825 days (Your expiration date appears to be beyond this date)
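To make those five requirements checkable before a renewal goes out, here is an added example (not code from the thread or from Apple) that parses an X.509 certificate with Go's standard library and reports which of the listed rules it fails. It builds a constructed self-signed test certificate in memory so it runs offline; the host name `radius.example.com` and the `MakeTestCert` helper are assumptions for the demonstration, and in practice you would feed `CheckServerCert` the DER of the real RADIUS server certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxValidity is the 825-day ceiling for TLS server certificates from the list above.
const maxValidity = 825 * 24 * time.Hour

// CheckServerCert evaluates a parsed certificate against the five requirements
// and returns one message per failed requirement (empty slice means it passes).
func CheckServerCert(cert *x509.Certificate) []string {
	var problems []string

	// RSA key size >= 2048 bits (non-RSA keys are not judged here).
	if rsaKey, ok := cert.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, need >= 2048", rsaKey.N.BitLen()))
	}

	// Signature must use a SHA-2 family hash.
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		// acceptable
	default:
		problems = append(problems, "signature algorithm is not SHA-2: "+cert.SignatureAlgorithm.String())
	}

	// DNS name of the server must be in the Subject Alternative Name extension.
	if len(cert.DNSNames) == 0 {
		problems = append(problems, "no DNS name in Subject Alternative Name")
	}

	// ExtendedKeyUsage must contain id-kp-serverAuth.
	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		problems = append(problems, "ExtendedKeyUsage lacks id-kp-serverAuth")
	}

	// Validity period must not exceed 825 days.
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > maxValidity {
		problems = append(problems, fmt.Sprintf("validity is %.0f days, max 825", lifetime.Hours()/24))
	}
	return problems
}

// MakeTestCert builds a constructed self-signed certificate in memory so the
// checker can be exercised offline; good=false produces one that breaks four rules
// (weak key, no SAN, no EKU, too-long lifetime) while keeping a SHA-256 signature.
func MakeTestCert(good bool) (*x509.Certificate, error) {
	bits, days := 2048, 365
	var dnsNames []string
	var ekus []x509.ExtKeyUsage
	if good {
		dnsNames = []string{"radius.example.com"} // hypothetical RADIUS host name
		ekus = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	} else {
		bits, days = 1024, 1095
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "radius.example.com"},
		NotBefore:          now,
		NotAfter:           now.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:           dnsNames,
		ExtKeyUsage:        ekus,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, good := range []bool{true, false} {
		cert, err := MakeTestCert(good)
		if err != nil {
			panic(err)
		}
		fmt.Printf("good=%v problems=%v\n", good, CheckServerCert(cert))
	}
}
```

To check a real server certificate, replace `MakeTestCert` with `x509.ParseCertificate` over the DER bytes of the cert exported from the RADIUS server; the checker only looks at fields every parsed certificate carries, so no network access or keychain interaction is needed.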
We are also seeing the same thing: the certs work fine without user interaction in 10.15, but in 10.16/11.x the user now needs to select the Wi-Fi network and then authenticate as admin to trust the cert twice to connect, the same cert that works in 10.15 and so does meet the requirements. This will be an issue for those returning to the office on Big Sur and whenever machine certs renew every year.
Are you deploying the server-cert or are you just relying on the trust chain? We had similar issues since iOS 13 so we are deploying the server-cert together with the other radius information and selected it under "Trusted Certificates". Had no issues with this in Big Sur so far (11.0.1).
Has anyone found another solution besides hard-coding the server certificate? If we have to include the cert file in the SCEP profile with our network configs, that means we are now bound by that certificate's expiration date when it comes to renewals, and we have to redeploy the profile to all 10k Macs when we renew the server cert. So even if a device was provisioned the day before, it's getting a new profile and machine cert. Our team managing the SCEP server will freak out if I tell them I need to issue 10k certs all at once.
And since wired 802.1x requires the ethernet dongle to be attached, if we push the profile when it's not connected, that breaks Ethernet for that device.
I don't understand why setting the trust for the server cert on the System keychain isn't working. Is anyone having a better experience here?