Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: 802.1x and signed certificates

I'm going to start out by saying that this is a bumpy road.

We use a WLAN cert from Verisign. Only some devices show it as verified. It all depends on the device's OS as to whether or not a valid cert will show up as valid during 802.1x authentication.

Here's what I've seen so far:

Valid:
Android
OSX Lion

Unable to verify:
iOS
Windows

It is very odd. If you do some searches on it, you will find that most places (I'm in EDU, so let's just say universities) tell the user to visually verify that the chain is correct.

So, the moral of the story is, don't waste your time banging your head against the wall if it shows up as "unable to verify" or "unverified" on the device. That being said, I would stick with someone like Verisign. The WLAN cert price is very reasonable.

Zach

Thanks,

Zach Jennings
Contributor II
Posts: 40
Registered: ‎03-05-2010

802.1x and signed certificates

Right now our RADIUS server points to our CA, which has a self-signed certificate that is fine for users connecting with corporate devices, because we can push our self-signed certificate out to them.

However, I'm toying with the idea of setting up 802.1x using RADIUS for users bringing in personal devices, but they need to see the certificate as one signed by a trusted CA (Thawte, VeriSign, etc.).

Any idea on how to do this without breaking our existing CA? Can I just create a new stand-alone CA and somehow import a signed certificate into it, and have the RADIUS server point to that one?

Maybe the only way I can do it is to have the Aruba controller do the termination and install the signed certificate on that instead?

Community Manager
Posts: 403
Registered: ‎04-02-2007

Re: 802.1x and signed certificates

@mmeyer

Sorry for the re-ordering, Mike. Moving under the Authentication and Access Control forum for better visibility.

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: 802.1x and signed certificates


ozwifi wrote:

@mmeyer

Sorry for the re-ordering, Mike. Moving under the Authentication and Access Control forum for better visibility.

I was wondering why my response appeared before the original question.

Zach

Thanks,

Zach Jennings
Contributor II
Posts: 40
Registered: ‎03-05-2010

Re: 802.1x and signed certificates

Thanks Zach.

How did you set up your WLAN cert from VeriSign? Did you install it onto a CA server in your domain, or did you install it directly onto the Aruba controller?

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: 802.1x and signed certificates


mmeyer wrote:

Thanks Zach.

How did you set up your WLAN cert from VeriSign? Did you install it onto a CA server in your domain, or did you install it directly onto the Aruba controller?


I installed it directly onto our RADIUS server (Windows 2008 R2).

Thanks,

Zach Jennings
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: 802.1x and signed certificates

I assume you guys are trying to set up PEAP or TTLS based 802.1x networks and the server certificate is giving you the grief. That is interesting that the iOS devices are showing a VeriSign certificate as not verified. I found this link on the Apple site showing the list of trusted CAs in iOS 5 and there are several entries for VeriSign:

http://support.apple.com/kb/HT5012

We have been working on several projects where we are leveraging the Apple Over-the-Air provisioning API to push the trusted server cert if it is coming from a locally signed CA. Not sure if this style of solution would be of interest.

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: 802.1x and signed certificates


-cam- wrote:

I assume you guys are trying to set up PEAP or TTLS based 802.1x networks and the server certificate is giving you the grief. That is interesting that the iOS devices are showing a VeriSign certificate as not verified. I found this link on the Apple site showing the list of trusted CAs in iOS 5 and there are several entries for VeriSign:

http://support.apple.com/kb/HT5012

We have been working on several projects where we are leveraging the Apple Over-the-Air provisioning API to push the trusted server cert if it is coming from a locally signed CA. Not sure if this style of solution would be of interest.

Cam,

Yes, the root and intermediary are trusted by Apple devices. However, for some reason, I believe the iOS devices are trying to do an OCSP or CRL lookup on the cert. Since they are not connected to the network when they get the cert, they cannot verify that the intermediaries or roots are not revoked.

As far as being able to push a self-signed cert, that would save us about $600 a year. So, yes, that would be nice. I'm going to guess that would have something to do with Amigopod and the new acquisition (Avenda). But you would need to be able to check if the user failed to connect to the PEAP network due to a cert error and redirect them to the CP with the profile download. Otherwise people would just try to connect to the PEAP and complain when it fails because they don't have the cert.

Zach

Thanks,

Zach Jennings
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: 802.1x and signed certificates

Zach,

It would be interesting to see if the AuthorityInfoAccess or AIA attribute is set in the certificate you are experiencing issues with, as this will potentially define an OCSP URL for revocation checking.

Yes, the ability to push a client certificate is part of the Amigopod Mobile Device Provisioning Service (MDPS). The idea is to leverage the controller device fingerprinting to detect supported devices and then flip their role so the user is forced to enrol the device. The provisioning process can authorize the user against an existing user store such as AD and then push a device specific credential such as a TLS certificate. Having a device specific credential such as this will then allow you to revoke network access for that device (say it was lost or stolen) without impacting the user's access on other devices.

Cam.
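A way to check for the AIA attribute Cam asks about, and the CRL distribution points behind Zach's revocation theory, on the Windows 2008 R2 NPS server itself. This is an added example, not code from the thread; it assumes the server certificate sits in the machine Personal store and uses a placeholder subject filter of "radius".

```powershell
# Added example (not from the thread): show the revocation-related extensions on the
# server certificate NPS presents during PEAP/TTLS. If AIA carries an OCSP URL or a CRL
# distribution point is present, a client that is not yet on the network cannot reach them.
# Assumption: the certificate is in the machine Personal store and its subject contains
# 'radius' (placeholder filter; adjust to your own subject or select by thumbprint).
$oids = @{
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access (OCSP / CA Issuers)'
    '2.5.29.31'         = 'CRL Distribution Points'
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*radius*' } |
    Select-Object -First 1
if (-not $cert) { throw 'No matching certificate in Cert:\LocalMachine\My' }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

foreach ($ext in $cert.Extensions) {
    if ($oids.ContainsKey($ext.Oid.Value)) {
        ""
        "== $($oids[$ext.Oid.Value]) =="
        # Format($true) renders the extension the way the Certificates MMC snap-in does,
        # including any URLs a verifier would have to fetch.
        $ext.Format($true)
    }
}

# Build the chain with online revocation checking from this server, which has network
# access. A failure here is a problem with the chain or the revocation data itself;
# success here combined with "unable to verify" on a not-yet-connected client points
# at the client being unable to perform the lookup at authentication time.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if ($chain.Build($cert)) {
    "Chain built and revocation status checked for the entire chain."
} else {
    $chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation)" }
}
```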

Contributor II
Posts: 40
Registered: ‎03-05-2010

Re: 802.1x and signed certificates

Gents,

What is the best way to go about getting a signed certificate (not just a self-signed one from your local CA) onto your 2008 R2 server? Right now my server is a domain member server running NPS, that is all.

I loaded up the Certificate snap-in through MMC and I do see the Request Certificate option when I look under the Personal > All Tasks menu. Is this the proper road to take, or is there a better way to do it?

Thanks.
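One route for the question above, given as an added example rather than an answer from the thread: a certreq.exe request file that creates a CSR on the NPS server for a public CA to sign, then installs the returned certificate where NPS can use it. The hostname radius.example.edu, the O/C values and the C:\certs paths are placeholders.

```powershell
# Added example (not from the thread): request a publicly signed server certificate for
# the NPS box with certreq.exe and install the signed result in the machine store.
# Placeholders: radius.example.edu, the O/C values and the C:\certs paths.
$inf = @"
[NewRequest]
Subject = "CN=radius.example.edu, O=Example University, C=US"
; 2048-bit RSA key in the machine key container (not the user's) so the
; NPS service can use it; keep it non-exportable.
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication, the EKU supplicants expect on a PEAP/TTLS server certificate
OID = 1.3.6.1.5.5.7.3.1
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\nps-request.inf -Value $inf

# 1. Create the CSR; the private key is generated into the machine store now.
certreq.exe -new C:\certs\nps-request.inf C:\certs\nps-request.csr

# 2. Submit C:\certs\nps-request.csr to the public CA. Once the signed certificate is
#    saved as C:\certs\nps-signed.cer, accept it to bind it to that private key.
certreq.exe -accept C:\certs\nps-signed.cer

# 3. Confirm it landed in the machine Personal store with its private key, which is
#    the store the NPS PEAP/EAP settings read the server certificate from.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=radius.example.edu*' } |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

Install the public CA's intermediate certificate into Cert:\LocalMachine\CA as well, so NPS sends the full chain to supplicants, then select the new certificate in the PEAP settings of the NPS network policy.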