802.11 Client Device Interoperability

Occasional Contributor II

Trust settings on Verisign certs

We have a Verisign Class 3 WLAN Secure Server cert for our RADIUS cert. The problem is that on every OS except Linux we get a popup asking us if we want to accept the trust certificate. Is there a way around that? Here is the popup for Windows XP:
Moderator

Re: Trust settings on Verisign certs

I believe if you pre-configure the CA and the name of the RADIUS server in the client's 802.1x setup window, you won't get prompted to authorize the server. So you need two things:

- In "Connect to these servers", check the box and type in the name(s) of your RADIUS server. It needs to match the CN inside the certificate.

- In "Trusted Root Certification Authorities", put a checkbox next to the appropriate one for Verisign.

Typically if the user is prompted to trust the CA, and they say "Connect", Windows will automatically configure the above settings for you. So you can avoid the confirmation by doing it ahead of time.

-Jon
---
Jon Green, ACMX, CISSP
Security Guy
Occasional Contributor II

Re: Trust settings on Verisign certs

Hmm, ok that brings me to my next question. I turned off verify server cert in the Aruba WiFi Auto config, and I don't get the box. What about OSX?
Moderator

Re: Trust settings on Verisign certs

Turning off "verify server cert" will certainly get rid of the message - it also allows anyone to come in and claim to be your network and your RADIUS server, and fool clients into providing their credentials. The clients can also be lured onto an attacker's own network where they control DNS, DHCP, etc. and can do other badness to someone. So it's a very bad idea to turn that option off - it is one half of the mutual authentication provided by 802.1x.

Not sure about OSX.. I have not been a Mac guy since System 7 and I'm afraid it left a bad taste in my mouth. :)
---
Jon Green, ACMX, CISSP
Security Guy
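
Added example, not part of the thread: the two client-side settings discussed above (a trusted CA and an expected server name) have counterparts in wpa_supplicant on Linux, and this Python check reports which 802.1X network blocks lack them. The sample configuration, SSIDs, paths and server name are constructed for illustration.

```python
import re

# Settings wpa_supplicant needs to validate the RADIUS server certificate.
# Without ca_cert/ca_path it does not verify the server certificate at all.
CHECKS = {"trusted CA": ("ca_cert", "ca_path"),
          "server name": ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")}

# Constructed sample configuration (all values are made up)
SAMPLE_CONF = '''
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="corp-no-name"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root.pem"
}
network={
    ssid="corp-unverified"
    key_mgmt=WPA-EAP
    eap=TTLS
}
network={
    ssid="home"
    psk="constructed-passphrase"
}
'''

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block."""
    blocks = re.findall(r"network\s*=\s*\{(.*?)\n\}", conf, re.S)
    pairs = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?(.*?)"?\s*$', re.M)
    return [dict(pairs.findall(body)) for body in blocks]

def audit(conf):
    """Map each 802.1X SSID to the server-validation settings it lacks."""
    findings = {}
    for net in parse_networks(conf):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open network: no RADIUS server certificate involved
        findings[net.get("ssid", "?")] = [n for n, keys in CHECKS.items() if not any(map(net.get, keys))]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

An empty list means the block pins both a CA and a server name; any other result names what is missing.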
Occasional Contributor II

Re: Trust settings on Verisign certs

Thanks for the help. Just wanted to see what it would do for testing purposes.