AAA, NAC, Guest Access & BYOD

Onboarding fails on Windows 7

Posted on 08-06-2014 08:36 AM

We have a CP 6.2.0.54567 and have loaded a wildcard server cert with the full chain and the intermediate certs are also trusted. 


We can get IOS, Mac-OS and Android devices successfully onboarded and then use EAP-TLS to connect to a Secure SSID. 


All this works fine except for Windows devices running Win7, which can't connect after a successful onboard process.

We had seen this issue when using a wildcard cert and authenticating Windows 7 machines. We found a note in an MSKB article that said that wildcard certs are not supported for wireless authentication. The FQDN needs to be included in the SAN.

Microsoft KB814394 states that wireless authentication with 802.1X requires that the SAN contain the FQDN. Since the certificate that is installed is a "wildcard" certificate, Windows onboarding fails because the wireless client doesn't trust this type of certificate.

Please refer to: http://support.microsoft.com/kb/814394

Server certificate requirements
You can configure clients to validate server certificates by using the Validate server certificate option on the Authentication tab in the Network Connection properties. When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, the client accepts the server's certificate when the certificate meets the following requirements:
  • The computer certificate on the server chains to one of the following:
    • A trusted Microsoft root CA.
    • A Microsoft stand-alone root or third-party root CA in an Active Directory domain that has an NTAuthCertificates store that contains the published root certificate. For more information about how to import third-party CA certificates, click the following article number to view the article in the Microsoft Knowledge Base: 295663 How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
  • The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
  • The computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and it does not fail any one of the requirements in the remote access policy.
  • The name in the Subject line of the server certificate matches the name that is configured on the client for the connection.
  • For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN).
  • If the client is configured to trust a server certificate with a specific name, the user is prompted to make a decision about trusting a certificate with a different name. If the user rejects the certificate, authentication fails. If the user accepts the certificate, the certificate is added to the local computer trusted root certificate store.
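The KB requirements above can be turned into a pre-deployment check before a RADIUS/ClearPass certificate is loaded. The following is an added example (not code from the original post or from Aruba) that applies those rules to a description of a certificate; the certificate contents and host names below are constructed.

```python
# Added example: apply the KB814394 server-certificate rules quoted above to a
# RADIUS server certificate description. Cert dictionaries are constructed
# test data; the FQDN "clearpass.example.edu" is a hypothetical placeholder.

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, required by the KB


def is_wildcard(name: str) -> bool:
    """A dNSName such as '*.example.edu' is a wildcard entry."""
    return "*" in name


def check_server_cert(cert: dict, configured_name: str, wireless: bool = True) -> list:
    """Return the KB814394 requirements the certificate fails (empty list = accepted)."""
    problems = []
    if not cert.get("chains_to_trusted_root", False):
        problems.append("chain does not end at a trusted root / NTAuth CA")
    if SERVER_AUTH_OID not in cert.get("eku", []):
        problems.append("missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)")
    subject_cn = cert.get("subject_cn", "")
    if subject_cn.lower() != configured_name.lower():
        problems.append(f"subject CN {subject_cn!r} does not match configured name {configured_name!r}")
    if wireless:  # the SAN rule in the KB applies to wireless clients
        sans = [n.lower() for n in cert.get("san_dns", [])]
        if configured_name.lower() not in sans:
            problems.append(f"SAN does not contain the FQDN {configured_name!r}")
        if any(is_wildcard(n) for n in sans):
            problems.append("SAN holds a wildcard entry, which Windows 7 wireless clients do not accept")
    return problems


# Constructed: the wildcard certificate from the post, and a per-server replacement.
WILDCARD_CERT = {"subject_cn": "*.example.edu", "san_dns": ["*.example.edu", "example.edu"],
                 "eku": [SERVER_AUTH_OID], "chains_to_trusted_root": True}
SERVER_CERT = {"subject_cn": "clearpass.example.edu", "san_dns": ["clearpass.example.edu"],
               "eku": [SERVER_AUTH_OID], "chains_to_trusted_root": True}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-server", SERVER_CERT)):
        print(label, check_server_cert(cert, "clearpass.example.edu") or "OK")
```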

It is a server cert validation issue. If we manually un-check it on the client it will work.

Navigate to "Control Panel\Network and Internet\Network and Sharing Center" and click on "Manage Wireless Networks"

Right Click on the Wireless Network connection which is for the Onboard SSID and go to properties.

Click on Settings, and un-check the "Validate Server Certificate" option.

Save the settings and try to authenticate again. It should work now.

Comments
Prestidigitation

This is very insecure and leaves you susceptible to MITM attacks.

martis

What if we have 1000 devices and we don't have an Active Directory to push that configuration via GPO?

What can we do?

Thanks

Guru Elite
The solution would be to not use a wildcard cert.
martis

Yes, you are right, if we uncheck the server validate box, it will work.

My problem is, most of the students' devices are not on the domain, which makes it hard to configure students' devices via GPO.

We have 1000 students, and we can't uncheck that box on each device manually.

How can we solve it?

Thank you

Guru Elite
You should NEVER uncheck the box.

The solution is to use a unique publicly signed RADIUS server certificate.
martis

I have one, but I don't know how to upload it, and where.

Thank you

Guru Elite

[Screenshot: server-certificate-location.PNG]
