MVP
Posts: 308
Registered: 04-03-2014

EAP-PEAP using public certificates with no warnings

Hi!

Is it possible to achieve no warnings on an 802.1X SSID using EAP-PEAP with a publicly signed certificate on the RADIUS server for all devices, including MacBooks, iOS, Windows 8.1 etc.? I would want this to be without touching the devices at all or pre-populating the server certificate manually.

My experience is that if I use a publicly signed certificate, issued to the hostname of the RADIUS server, some devices will accept this without warning the first time but many won't. For example, all Apple devices will complain: it will say that the certificate is valid, but that it couldn't validate it. Of course it's hard to validate a certificate without being authenticated in the first place.

So how do we solve this? Is there a neat trick that I don't know about? :)

Have a great weekend all!


Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
Aruba
Posts: 1,542
Registered: 06-12-2012

Re: EAP-PEAP using public certificates with no warnings

The short answer is no...

The problem you will also start running into is that most public CAs will no longer issue a publicly signed RADIUS cert as of Nov 2015.

Using a cert that is publicly signed is a major security risk, and the CAs do not want to be responsible for admins just trying to make it easy on the users. You are opening up your network to a man-in-the-middle attack.

http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html

Michael posted some great links from the CAs:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-different-radius-server-cert-for-different-services/m-p/209025/highlight/true#M15933
Thank You,
Troy

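As an added illustration (not from the thread or from Aruba), here is the trust decision the man-in-the-middle warning above is about, written out in wpa_supplicant syntax: the first profile accepts any server certificate, the second pre-provisions the issuing CA and the expected server name so the supplicant neither prompts nor blindly accepts. The SSID, identity, CA path and hostname are placeholders.

```conf
# Constructed example: SSID, identity, CA file and hostname are placeholders.

# WEAK: no ca_cert and no server-name check. The PEAP TLS tunnel is built
# with whatever certificate the RADIUS server presents, so a rogue access
# point with its own RADIUS server is accepted silently. This is the
# "no warnings without touching the device" outcome, and it is the
# man-in-the-middle exposure described in the linked blog post.
network={
    ssid="Corp-BYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="..."
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust is pre-provisioned, so there is nothing for the user to
# click through and nothing for a rogue server to exploit.
network={
    ssid="Corp-BYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="..."
    phase2="auth=MSCHAPV2"
    # Only certificates chaining to this CA are accepted. With a private CA
    # this is the one file that has to be pushed to every device.
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Only a certificate whose SAN/CN matches this name is accepted. Without
    # it, a chain check against a public CA would pass for ANY public cert,
    # which is why a public CA alone does not make the SSID safe.
    domain_match="radius.example.com"
    # Outer identity keeps the real username out of the unauthenticated hop.
    anonymous_identity="anonymous@example.com"
}
```

Windows wireless profiles and Apple configuration profiles carry the same two fields (trusted root CA and trusted server names); provisioning them is the "touching the devices" step the question hopes to avoid, and it is what removes the prompt without removing the protection.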
MVP
Posts: 308
Registered: 04-03-2014

Re: EAP-PEAP using public certificates with no warnings

I love that blog post, thanks for sharing!

I guess if you're facing tons and tons of BYOD, no budget for Onboarding, and you want role derivation depending on what type of user is logging in, I'll have to advise a self-signed certificate with warnings?

Of course after informing the customer about the potential risk this poses as per the blog post. It doesn't feel very good :/

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP