Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Client Authentications using Certificates

  • 1.  Client Authentications using Certificates

    Posted Sep 07, 2011 03:00 PM
    Hello all,
    We are looking for some insight on setting up authentications for Windows (and Mac and iPad) clients using 802.1x and WPA2, without having clients alter many settings within Windows 7 or XP SP3, or having Mac users accept the cert from an 'untrusted' server. We are looking at utilizing a certificate from GoDaddy as opposed to one we generate ourselves as we are doing now, but our Windows and IAS admins are not entirely sure where the certificate needs to be installed amongst the Domain servers to operate the way we would like.
    We took a brief look at several other schools and it appears they are also providing instructions for their Windows clients to go into the network settings and uncheck a long series of boxes, just hoping to find a way around this if possible.

    Thanks for your attention, feel free to post or email if you have any suggestions or experience in this area.

    Mike Pasquerette
    IT Dept
    Hood College, Frederick MD
    mpasquerette@hood.edu


  • 2.  RE: Client Authentications using Certificates

    EMPLOYEE
    Posted Sep 07, 2011 03:17 PM
    Not having users with devices who are not on your domain have to click on "Accept" at the Certificate screen is a moving target, and likely you will NOT be able to find a provider that is trusted by all devices. You could purchase from a Verisign or a GoDaddy and get them to promise that will not happen, but all devices created do NOT trust any one certificate authority out of the box. You will always have the issue of them not trusting your cert, whether you generate it internally or not.

    With that out of the way, if you are using Microsoft IAS or Windows 2008 NPS as the RADIUS server, the certificate that you install gets installed on the RADIUS server, and must be referenced in the remote access policy that is allowing wireless on that RADIUS server. A document on how to set up IAS is here: http://airheads.arubanetworks.com/vBulletin/attachment.php?attachmentid=471&d=1315296390

    Aruba has an autoconfiguration application that will set up wireless parameters for Windows XP, Vista, and 7. If you log in to support.arubanetworks.com and go to Tools and Resources > Aruba wifi Config


  • 3.  RE: Client Authentications using Certificates

    Posted Nov 30, 2011 05:46 PM

    What if the plan is to create a completely segregated SSID where most of the users trust the certificate?

    What we're trying to do in our scenario is to use WPA2/AES with RADIUS and have domain users connect with non-domain devices, but I don't want them to have to click Accept when the certificate warning pops up. I know not all devices will trust it, but if I can at least get the major ones like Windows and Mac that would be good.

    Right now we're using a Windows 2008 R2 domain member server, running NPS & IIS. We generated a CSR using IIS directly on the server, had it signed by Thawte, imported it, had RADIUS push it out to clients, which is working, but is still showing up as 'not verified' by every client I've tried.

    Am I missing something? Thanks.



  • 4.  RE: Client Authentications using Certificates

    EMPLOYEE
    Posted Nov 30, 2011 06:02 PM

    Is the specific Thawte Certificate CA listed as a trusted CA in the Trusted Certificate Stores of those devices (Mac keychain)? You might want to send an email to Thawte support to get their opinion about that specific certificate.



  • 5.  RE: Client Authentications using Certificates

    Posted Dec 01, 2011 12:47 PM

    I'm not sure about the cert being in the Trusted Cert Store in the Mac keychain, but it is in the trusted list when looking at it on a Windows PC.

    I can't seem to find an answer on the web for this type of cert request, even our web guy has only ever requested certs for a specific URL or web site, which isn't really what this cert will be used for. Can this even be done?



  • 6.  RE: Client Authentications using Certificates

    EMPLOYEE
    Posted Dec 01, 2011 12:49 PM

    Is it the exact same CA as the one issued by Thawte?



  • 7.  RE: Client Authentications using Certificates

    Posted Dec 01, 2011 04:41 PM
    I apologize it's actually GeoTrust Global CA, not Thawte, but yes, it is listed in the Trusted Certificate Authorities list on the server.
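
The check the replies above keep asking for (is the CA at the top of the server certificate's chain the exact one present in the trusted root store?), as an added PowerShell example that is not part of the thread. `Test-CertRootTrust` is a hypothetical helper name, and reading candidates from `Cert:\LocalMachine\My` assumes that is where the RADIUS server certificate was imported.

```powershell
# Added example, not from the thread. Test-CertRootTrust is a hypothetical helper.
# It builds the chain for a certificate and reports whether the CA at the top of
# that chain is present, by thumbprint, in the machine's Trusted Root store.
function Test-CertRootTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also works without internet access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    # The last element is the highest certificate Windows could find.
    $elements = $chain.ChainElements
    $top = $elements[$elements.Count - 1].Certificate

    # A real root is self-signed. If the top element is not, an intermediate
    # or the root itself is missing from the local stores.
    $complete = ($top.Subject -eq $top.Issuer)

    # Compare by thumbprint, not by name: two CA certificates can share a
    # subject name and still be different certificates.
    $trusted = Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        ChainTop           = $top.Subject
        ChainTopThumbprint = $top.Thumbprint
        ChainComplete      = $complete
        RootInTrustedStore = $trusted
        ChainValid         = $built
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Assumption: the RADIUS server certificate lives in the machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertRootTrust -Certificate $_ } |
    Format-List
```

The same function can be run on a Windows client against an exported copy of the server certificate to see what that client's own root store contains.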


  • 8.  RE: Client Authentications using Certificates

    Posted Sep 19, 2016 09:53 AM

    I have logged into support and looked under tools&resources and could not find the tool for autoconfiguration of clients.

    Please advise how to find it?

    thanks



  • 9.  RE: Client Authentications using Certificates

    EMPLOYEE
    Posted Sep 19, 2016 10:04 AM

    Unfortunately, that tool is no longer on the website. It has not been updated since Windows XP and it does not work with Vista and later Windows devices.