"Verify Certificate" when connecting to corporate WiFi in Big Sur

We're seeing this as well now that we can test some devices in office, though I've not delved farther than the immediate of config profile scoping being correct.

Do your certificates meet the requirements outlined in Apple's Requirements for trusted certificates in iOS 13 and macOS 10.15?
In short:
• RSA Key Sizes ≥ 2048 bits
• SHA-2 hash signatures
• DNS name of server in Subject Alternative Name extension

• Server cert contains ExtendedKeyUsage extension containing id-kp-serverAUTH OID
• Server cert valid for ≤ 825 days (Your expiration date appears to be beyond this date)

We are also seeing the same things, the certs work fine without user interaction in 10.15 but in 10.16/11.x user now needs to select wifi and then auth as admin to trust cert twice to connect, same cert that works in 10.15 so does meet requirements. this will be an issue for those returning to office on Big Sur and whenever machine certs renew every year

Are you deploying the server-cert or are you just relying on the trust chain? We had similar issues since iOS 13 so we are deploying the server-cert together with the other radius information and selected it under "Trusted Certificates". Had no issues with this in Big Sur so far (11.0.1).

The main thing that seems to be sticking out is that on Big Sur, if you expand the Trust section, the certificate is asking to change two values to Always Trust from Use System Defaults.

Has anyone managed to find a fix for this? We are also experiencing the same issue, seems like a server cert is being requested to be verified. We didn't see this with Catalina devices.

Managed to fix this, although the Root & Issuing Cert is trusted, it wasn't selected to be trusted on the network payload within our SCEP config profile. Trusting via config profile and re deploying resolves the issue. Although now i have over 1500 certs to re deploy :(

Has anyone found another solution besides hard-coding the server certificate? If we have to include the cert file in the SCEP profile with our network configs, that means we are now bound by that certificates expiration date when it comes to renewals, and we have to redeploy the profile to all 10k Macs when we renew the server cert. So even if a device was provisioned the day before, it's getting a new profile and machine cert. Our team managing the SCEP server will freak out if I tell them I need to issue 10k certs all at once.

And since wired 802.1x requires the ethernet dongle to be attached, if we push the profile when it's not connected, that breaks Ethernet for that device.

I don't understand why setting the trust for the server cert on the System keychain isn't working. Is anyone having a better experience here?