Higher Education

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Highlighted
Contributor II

802.1x

Hello

 

How do you avoid non-domain clients getting the server certificate warning when connecting to a secure SSID. I am using windows 2012 server. The Mac os devices display the warning but you can still continue to authenticate. Windows computers behave differently depending if it is windows 8 or 7. I have to manually disable validate certificate. Also, sometimes the machine will try to authenticate using local credential first without prompting the user for credential so i have to manually add a wifi profile and select user authentication under advanced settings. I was thinking on using EAP TLS but havent found a way to distribute the Certificate without using clearpass or having host on a web server so users download it and instali it. So my next option was EAP PEAP mschapv2 but you still get the certificate warning even though the server will just validate user and password. I am typing this on a tablet so i appologize for any typos.

 

Thank you

 

 

 

4 REPLIES

Re: 802.1x

Even with EAP PEAP, there is a server certificate involved.  You can try to get your server cert on the RADIUS server to be signed by a public authority like Entrust or VeriSign.  That *should* bypass that validate server cert popup however, depending on the public cert and/or its trust chain, it may not work for all clients.  However, most clients do have several public CAs in their trust list by default.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor I

Re: 802.1x

The only way to avoid the cert warning is to pre-load and trust your eap cert on the client (basically was the domain does for domain joined machines - ie using rules to pre-load and trust the cert (or disable validation..  :o )).

 

The problem is that even if the cert is valid and from a public authority - the eap traffic is layer2 proxied to your radius server - so there is no way for the client to verify it is receiving the cert from the actual system the cert is claiming its from.  

 

So they system needs to ask the user to determine if its ok to trust or not - and that might not be the best discriminator or trust :)

 

 

Guru Elite

Re: 802.1x

The one thing to remember is that the 802.1X standard doesn't particularly care if the certificate is valid or not (from a CRL / OCSP standpoint) for PEAP.

 

When you get that popup on the client, its simply saying, you've never connected to this network (ESSID) and I don't have a configuration for it, do you trust this server (certificate) to send your credentials to?

 

It would be the equivalent of walking into a TD Bank and them handing you a deposit slip with a Bank of America logo. You probably shouldn't put your account number down on that slip since you know you are inside a TD Bank.

 

This was a good chunk of my 802.1X presentation last week at Airheads. Here's the slides:

http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: 802.1x

Tim I assisted your presentation very informative. I work for Nova southeastern university I was able talk with you before you began your presentation
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: