Intune IKEv2 VPN configuration for iOS device

ZnqbuZ 1 Reputation point
2022-10-11T04:12:35.48+00:00

I've got an on-premises AD domain, with an RRAS server, and I'm trying to deploy a VPN configuration to my Azure AD joined iOS devices via the Microsoft Endpoint Manager admin center, but the iOS devices keep giving "An unexpected error occurred" or "User authentication failed" and I don't know why.

----------

Now I have sent two certificates to my device, denoted by certM and certU.

  • certM is a machine certificate; its subject name is CN={{deviceId}}.mydomain.com. I've also set DNS={{deviceId}}.mydomain.com in the SAN.
  • certU is a user certificate; its subject name is CN={{OnPrem_Distinguished_Name}}. I've also set User principal name (UPN)={{UserPrincipalName}},DNS={{DeviceId}}.mydomain.com in the SAN.

I'm not sure if I should set up certificates in this way.

Both certificates contain Client Authentication in the EKU extension.

----------

Apple does not give information about what authentication protocol they use for IKEv2 in their devices. However, after lots of experiments, I finally figured it out. I record it in detail here in case anyone needs this.

Since I have no exact idea how Intune sets up the VPN on iOS and I cannot view the configuration of the VPN set by Intune on iOS devices, I manually set up a VPN on one of my devices and tried all the authentication methods which iOS supports. When setting up an IKEv2 VPN, iOS offers three authentication methods (or "User Authentication", in the iOS UI): None, Certificate, and Username.

  1. When using "None", I can further let iOS use a certificate, and both certM and certU make the VPN work. It turns out that iOS uses Machine Certificate Authentication in this case, so RRAS won't send an authentication request to NPS. In this case, I do not need to set a local identifier in iOS. Actually, I think the information (CN or SAN) in the certificate does not matter in this case as long as it is issued by my CA.
  2. When using "Username", iOS uses EAP-MSCHAP v2. The VPN also works in this case. However, obviously I cannot send username and password to iOS devices by Intune.
  3. When using "Certificate", iOS uses EAP-TLS, and problems occur.
    (i) If I choose certM, then the connection just fails, since iOS uses EAP-TLS and NPS would not accept DNS, DeviceID, etc. Very sensible.
    (ii) If I choose certU, then:
    (a) I may use the UPN or the on-premises distinguished name as the local identifier in iOS, but I cannot leave the local ID field empty, otherwise NPS cannot identify the user and refuses to connect;
    (b) certU has to contain the UPN as a SAN;
    (c) the subject name of certU cannot be CN={{UserPrincipalName}}. Currently, CN={{OnPrem_Distinguished_Name}} works so I didn't try other possibilities.
    If any above condition is not met, the connection fails.

----------

I created a profile in Intune, setting the certificate to be certU and the subject name to be the common name, with encryption method AES256, SHA256, Group14, AES256, SHA256, Group14, which is the same as my server's configuration (AES256, SHA256, Group14, AES256, SHA256128, PFS2048). I think this profile is the same as 3.(ii) above. However, iOS complains "User authentication failed", and the RRAS log says: UserName: <Unauthenticated User>. Negotiation timed out. What's the difference between the Intune profile and my manually set up VPN 3.(ii)? Why does 3.(ii) connect but Intune fail?

Should I set the local identifier to be the UPN in the Intune configuration profile? But how, as you only support subject common name and FQDN (which iOS devices do not have, as indicated in the Microsoft documentation)? Add CN={{UserPrincipalName}} to certU?

Why do you offer FQDN as a local identifier option in Intune, given that iOS devices have no FQDN?

Or may iOS devices have deviceName as the FQDN? Then what would happen when deviceName contains special characters such as ', ", or space?

----------

By the way, does anyone know how to format a multi-level list here?

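The question lists three conditions the user certificate had to satisfy for EAP-TLS to succeed against NPS (Client Authentication EKU, a UPN in the SAN, a subject CN that is not the UPN), and it also states the server-side IKEv2 crypto values (AES256, SHA256, Group14, AES256, SHA256128, PFS2048) that the Intune profile must match. The following PowerShell is an added example, not code from the original post or from Microsoft, that checks both from the RRAS/NPS side: it inspects an exported copy of certU against those conditions and compares the RRAS IKEv2 custom policy with the expected values. The certificate path is a placeholder, and the policy check assumes the RemoteAccess module is installed on the RRAS server.

```powershell
# Added example (not from the original post). Checks a user certificate against the
# conditions described in the question and compares the RRAS IKEv2 policy with the
# values the question states for the server.

function Test-VpnUserCertificate {
    param(
        # Placeholder path: export certU from the iOS device or the CA to a .cer file
        [Parameter(Mandatory)] [string] $CertPath
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $nt   = [System.Security.Cryptography.X509Certificates.X509NameType]

    # Condition from the question: EKU must include Client Authentication (1.3.6.1.5.5.7.3.2)
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

    # Condition 3.(ii)(b): a UPN must be present in the SAN (otherName / Principal Name).
    # GetNameInfo(UpnName) reads exactly that SAN entry and returns '' when it is absent.
    $upn = $cert.GetNameInfo($nt::UpnName, $false)

    # Condition 3.(ii)(c): the subject CN must not be the UPN itself
    $cn = $cert.GetNameInfo($nt::SimpleName, $false)

    [pscustomobject]@{
        Subject          = $cert.Subject
        SubjectCN        = $cn
        SanUpn           = $upn
        HasClientAuthEku = $hasClientAuth
        UpnInSan         = ($upn -ne '')
        CnIsNotUpn       = ($upn -eq '' -or $cn -ne $upn)
        # EAP-TLS against NPS worked in the question only when all three held
        MeetsConditions  = ($hasClientAuth -and $upn -ne '' -and $cn -ne $upn)
    }
}

function Compare-IkeV2Policy {
    # Expected values as stated in the question for the RRAS server
    $expected = [ordered]@{
        EncryptionMethod                 = 'AES256'
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        CipherTransformConstants         = 'AES256'
        AuthenticationTransformConstants = 'SHA256128'
        PfsGroup                         = 'PFS2048'
    }

    Import-Module RemoteAccess -ErrorAction Stop
    $actual = Get-VpnServerConfiguration     # read-only; no RRAS restart needed

    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = [string]$actual.$name
            Match    = ([string]$actual.$name -eq $expected[$name])
        }
    }
}

# Usage on the RRAS server (the .cer path is a placeholder):
Test-VpnUserCertificate -CertPath 'C:\temp\certU.cer' | Format-List
Compare-IkeV2Policy | Format-Table -AutoSize
```

If the policy comparison shows a mismatch, `Set-VpnServerConfiguration -CustomPolicy` with the same six parameter names sets the RRAS side, and the RemoteAccess service has to be restarted for it to take effect. The certificate check only covers the fields the question identified; whether NPS maps the UPN to the AD user still depends on the NPS network policy and the CA being trusted by both ends.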

1 answer

  1. Limitless Technology 44,766 Reputation points
    2022-10-13T07:49:23.13+00:00

    Hi. Thank you for your question and reaching out.

    When you select Connection type > IKEv2, these options are applicable.

    Enabling an always-on VPN causes a VPN client to re-establish connections to the VPN on its own. When a user locks their device, when it restarts, or when the wireless network changes, always-on VPN connections remain connected or connect right away. Always-on VPN is disabled for all VPN clients when set to Disable (the default). When activated, additionally set up:

    Network interface: Only the network interface you select is affected by all IKEv2 settings. Your choices are:

    Wi-Fi and cellular (by default): The device's Wi-Fi and cellular interfaces are both affected by the IKEv2 settings.

    Cellular: Only the device's cellular interface is affected by the IKEv2 settings. If the Wi-Fi interface on the devices you're deploying to has been disabled or removed, use this option.

    Wi-Fi: Only the device's Wi-Fi interface is affected by the IKEv2 settings.

    For more information, please see https://learn.microsoft.com/en-us/mem/intune/configuration/vpn-settings-ios

    ----------

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
