Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS cert issue

  • 1.  RADIUS cert issue

    Posted Jun 15, 2012 10:10 AM

    I'm setting up an Aruba AP-105 wireless network with 2008 R2 per these instructions: http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

    On my Windows 7 system I can import the cert into the Trusted Root Certification Authorities store, but when I open the cert it says "This certificate cannot be verified up to a trusted certification authority".

    I went ahead and configured my client, selected "validate server certificate" and have Authentication Method set to "Secured password (EAP-MSCHAP v2)". I'm currently unable to connect to the wireless network and receive the following error in the NPS logs: "The certificate chain was issued by an authority that is not trusted." When I uncheck "validate server certificate" I can connect with no issues.

    My question is: why is this cert not trusted, and what could I be doing wrong? From what I can tell, once I get a trusted cert this will work.



  • 2.  RE: RADIUS cert issue

    Posted Jun 15, 2012 04:15 PM

    Who is the issuing CA for the "untrusted" cert you are using?

    You can do one of the following:

    Don't validate the cert. You have tested this and it works that way. Not the preferred way, but it will work.

    Get a cert from one of the big CAs.

    Or you can tell your Windows machine that you trust the CA your "untrusted" cert came from. This option is under "validate server certificate"; there is a list of CAs there.



  • 3.  RE: RADIUS cert issue

    Posted Jun 15, 2012 04:30 PM

    I'm generating the cert from my 2008 R2 cert server.



  • 4.  RE: RADIUS cert issue

    Posted Jun 15, 2012 04:35 PM

    If you are part of the domain then there should be an inherent trust of your CA.

    If you are not part of the domain then your machine does not trust the CA. You will have to load the complete CA chain.

    Either way, your machine does not trust the CA. You have to tell your machine to trust your 2008 R2 cert server.



  • 5.  RE: RADIUS cert issue

    Posted Jun 19, 2012 04:55 PM

    Can anyone point us to the list of "big CAs" that are trusted by default by Win7 for use in the 802.1X supplicant?

    I have had this problem (not a valid trust anchor) with our DigiCert cert, and the Thawte test cert requires a test root cert... not allowing me to actually test that the users would not be prompted to terminate the connection.



  • 6.  RE: RADIUS cert issue

    Posted Jun 19, 2012 05:08 PM

    The list is on the client right under "validate server certificate". I've uploaded a screen capture from my Win7 box. If it's checked it's trusted; if it's unchecked it's not trusted.



  • 7.  RE: RADIUS cert issue

    Posted Jun 19, 2012 05:17 PM

    Right, I get that.

    I think if a device running Win 7 is connecting to a new SSID, PEAP secured with a cert from a CA in the list of available CAs in the Wi-Fi profile > PEAP settings, they will by default get the message: (see attachment)

    My question is (and maybe also the OP's question): Is it possible to avoid this? If so, with what CA? This is a BYOD campus environment, so GPO and/or centralized management isn't really a viable solution.



  • 8.  RE: RADIUS cert issue

    Posted Jun 20, 2012 04:25 PM

    I looked at the Microsoft site trying to find a list for you; I could not find one.

    The version of OS and patch level you have are going to dictate the trusted CAs that are preinstalled. I don't have a clean OS install on anything to check for you.

    VeriSign always comes to the top of my list of "big CAs".
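The advice in replies 4 and 6 (load the complete CA chain on a non-domain client, and look at the trusted-root list the PEAP "validate server certificate" setting draws from) can be checked from the client itself. The script below is an added example written for this thread; it is not from the original posts or from Aruba or Microsoft. It assumes the NPS server certificate has been exported (public part only) to `C:\temp\nps-server.cer` and the 2008 R2 CA certificate(s) to `C:\temp\ca-root.cer`; both paths are placeholders. It builds the chain the same way the Windows client does (`System.Security.Cryptography.X509Certificates.X509Chain`), reports the status that maps to the "not trusted" / "cannot be verified up to a trusted certification authority" messages, imports the CA chain with `certutil` (present on Windows 7 / 2008 R2), and then lists the roots that appear in the supplicant's CA list.

```powershell
# Added example for the RADIUS cert thread; not code from the original posts.
# Assumed placeholder paths: exported NPS server cert and the issuing CA chain.
param(
    [string]$ServerCertPath = 'C:\temp\nps-server.cer',   # placeholder
    [string[]]$CaCertPaths  = @('C:\temp\ca-root.cer')     # placeholder(s)
)

function Test-RadiusServerCertChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups: a client that is not yet on the network cannot
    # reach a CRL anyway, and the question here is only whether the root is trusted.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)

    Write-Host ("Subject : {0}" -f $cert.Subject)
    Write-Host ("Issuer  : {0}" -f $cert.Issuer)
    Write-Host ("Chain OK: {0}" -f $ok)
    foreach ($s in $chain.ChainStatus) {
        # UntrustedRoot  -> root is present but not in Trusted Root CAs
        # PartialChain   -> an issuer (intermediate or root) is missing entirely
        Write-Host ("  status : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    foreach ($el in $chain.ChainElements) {
        Write-Host ("  element: {0}" -f $el.Certificate.Subject)
    }
    return $ok
}

function Import-CaChain {
    param([string[]]$Paths)
    # certutil needs an elevated prompt to write to the machine stores.
    # A self-signed cert is the root and belongs in Root; anything else is an
    # intermediate and belongs in CA, so the client can build the full chain.
    foreach ($p in $Paths) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $p
        $store = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        & certutil.exe -addstore -f $store $p | Out-Null
        Write-Host ("Imported '{0}' into LocalMachine\{1}" -f $c.Subject, $store)
    }
}

function Show-TrustedRoots {
    # These are the CAs offered under "Trusted Root Certification Authorities"
    # in the PEAP "validate server certificate" dialog on this machine.
    Get-ChildItem Cert:\LocalMachine\Root |
        Sort-Object Subject |
        Select-Object Subject, Thumbprint, NotAfter |
        Format-Table -AutoSize
}

if (-not (Test-RadiusServerCertChain -Path $ServerCertPath)) {
    Import-CaChain -Paths $CaCertPaths
    # Re-check: once the chain builds, "validate server certificate" can stay
    # ticked instead of being disabled to get the client connected.
    Test-RadiusServerCertChain -Path $ServerCertPath | Out-Null
}
Show-TrustedRoots
```

Run it in an elevated PowerShell on the Windows 7 client. A `PartialChain` status before the import and a clean `Chain OK: True` afterwards is the result to expect for a cert issued by an internal 2008 R2 CA that the client had never seen; if the status is `UntrustedRoot` after the import, the wrong file was placed in `Root` (check that the root's Subject and Issuer match).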