
#1 #Michael


Posted 17 September 2013 - 18:59

We are in the process of a POC project of migrating our iOS devices from a WPA2 SSID to a WPA2 Enterprise cert-based SSID. Using our MDM platform, we are going to send out the new profile that will contain the SSID and cert. But iOS will not automatically connect to a new network the first time... a user must tap on the network to connect to it. After that it will auto-join to it when the network is in range. But we want it to be a silent switch over with no user interaction. I consider this to be very similar to how iOS devices use the 'attwifi' SSID. They auto connect with no user interaction. Any idea how? I found the carrier APN on the internet:

<dict> <!-- enclosing dictionary; its opening tag was cut off in the snippet as found -->
    <key>attwifi</key>
    <dict>
        <key>AuthMethod</key>
        <string>WISPr</string>
        <key>AuthenticationRealm</key>
        <string>attmobilityiphone.com</string>
        <key>Password</key>
        <string>%attmd5%</string>
        <key>SharedSecret</key>
        <string>a446649326d41d87dbb8caec8caf736a</string>
        <key>TrustedDomains</key>
        <array>
            <string>.wayport.net</string>
            <string>.att.net</string>
            <string>.att.com</string>
            <string>.sbc.com</string>
        </array>
        <key>UserName</key>
        <string>%phonenumber%</string>
    </dict>
</dict>

I was thinking that it could just be modified for our purposes and then pushed out as a custom profile through our MDM. Would that work?

#2 OP #Michael


Posted 18 September 2013 - 01:09

Anyone?

#3 +BudMan


Posted 21 September 2013 - 13:46

If you turn off the old one... they will have to connect to the new one ;) I don't see how a click to connect is worth your time and effort, to be honest. It will take the user like .2 seconds -- do they not move between networks all the time as part of their normal use of said iOS device?

Normally they are mobile devices and come in contact with multiple Wi-Fi networks that are used - I don't see how having a user click connect one time is a topic for discussion in a migration to a new, more secure, more robust system?

So you're using EAP-TLS; pushing out individual certs to each client is quite a bit of logistics -- I would think that 1 user click is nothing, and actually this could be used as a good security promotion thing - letting the users know you're using a new, more secure model, etc.

#4 OP #Michael


Posted 24 September 2013 - 19:01

The process that we have come up with is this:

1. Using our MDM platform we are going to push out the new Wi-Fi profile that contains the cert.
2. Once it is confirmed that the iPad has received the new profile, we will use the MDM to remove the old Wi-Fi profile.
3. The iPad should now jump over and automatically connect to the new Wi-Fi network, as the cert has been automatically added into the iPad keychain.

Now we have confirmed that this works on an iPad 2 running iOS 6.1.3 and 7. But it doesn't seem to want to work on iOS 5.1.1. The reason we are testing on 3 different versions is because we have all 3 out in the field and we have to support them. I cannot figure out why this won't work on 5.1.1. It could be because the only devices that we have available to test with that have iOS 5 on them are original iPads. Did Apple change the Wi-Fi antenna with the iPad 2 and above that would cause it to work with the iPad 2 but not the original iPad?
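As an added example (not from the thread), here is how the EAP-TLS Wi-Fi profile pushed in step 1 can be assembled and sanity-checked with Python's plistlib, using the payload keys from Apple's Configuration Profile Reference; the SSID, organization, identifiers, RADIUS server name and PKCS#12 bytes are constructed placeholders. AutoJoin is the key that governs whether the device joins without a tap once the profile is installed, and TLSTrustedServerNames with TLSAllowTrusted set to false keep the device from accepting an authentication server it was not told about.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method type for EAP-TLS (IANA EAP registry)
WIFI_TYPE = "com.apple.wifi.managed"
P12_TYPE = "com.apple.security.pkcs12"


def _payload(ptype, name, **extra):
    """Common Payload* keys every payload dictionary in a profile needs."""
    pid = str(uuid.uuid4()).upper()
    base = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"com.example.{ptype}.{pid}",  # constructed identifier
            "PayloadDisplayName": name}
    base.update(extra)
    return base


def build_wifi_profile(ssid, p12_bytes, p12_password, trusted_servers):
    """Return a .mobileconfig (XML plist) as bytes: PKCS#12 identity + EAP-TLS Wi-Fi."""
    cert = _payload(P12_TYPE, "Wi-Fi client identity",
                    PayloadContent=p12_bytes,   # bytes are written as <data>
                    Password=p12_password)      # MDM must deliver this over a trusted channel
    wifi = _payload(WIFI_TYPE, f"Wi-Fi {ssid}",
                    SSID_STR=ssid, HIDDEN_NETWORK=False,
                    AutoJoin=True,              # join with no user tap once installed
                    EncryptionType="WPA2",
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        "PayloadCertificateUUID": cert["PayloadUUID"],  # identity for EAP-TLS
                        "TLSTrustedServerNames": trusted_servers,       # expected RADIUS cert names
                        "TLSAllowTrusted": False,  # no user-made trust exceptions
                    })
    profile = _payload("Configuration", f"{ssid} Wi-Fi (EAP-TLS)",
                       PayloadOrganization="Example Corp",  # constructed
                       PayloadContent=[cert, wifi])
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Parse a profile and report whether a device would auto-join via EAP-TLS."""
    payloads = {p["PayloadUUID"]: p for p in plistlib.loads(profile_bytes)["PayloadContent"]}
    wifi = next(p for p in payloads.values() if p["PayloadType"] == WIFI_TYPE)
    eap = wifi.get("EAPClientConfiguration", {})
    ident = payloads.get(eap.get("PayloadCertificateUUID"), {})
    return {"ssid": wifi["SSID_STR"],
            "auto_join": wifi.get("AutoJoin") is True,
            "eap_tls": EAP_TLS in eap.get("AcceptEAPTypes", []),
            "identity_present": ident.get("PayloadType") == P12_TYPE,
            "server_pinned": bool(eap.get("TLSTrustedServerNames")) and eap.get("TLSAllowTrusted") is False}
```

check_profile is the kind of pre-flight check worth running on the generated profile before the MDM removes the old Wi-Fi payload in step 2, so a device is never left with neither network configured.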