Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Trouble with clients accepting a 2048 bit cert for WPA2-peap authentication?

  • 1.  Trouble with clients accepting a 2048 bit cert for WPA2-peap authentication?

    Posted Sep 14, 2012 03:54 PM

    Our old 1024 bit cert is expiring - but we've gotten on 6.1.3.2 code so I can use my new 2048 bit cert - all looked good - but I've got a population of devices running Windows 7 - they appear to have default configs - but do not prompt the user to trust the new cert.

    I've been using our new 2048 bit cert on our RADIUS servers for eduroam for the past year - attempting to join and set up the wireless profile on these devices for eduroam - fails - don't get prompted to trust the cert...

    My similarly configured Win7 device - has no issue - so I'm starting to suspect that for some reason the failing devices are having issues accepting a 2048 bit cert?

    Is there an easy way to confirm this from the controller?

    Using aaa tracebuf - I can see the EAP termination is failing... ie not progressing to actual RADIUS calls...

    Sep 14 12:37:39 station-up * 60:67:20:02:13:da 00:24:6c:80:2c:3a - - wpa2 aes
    Sep 14 12:37:39 station-term-start * 60:67:20:02:13:da 00:24:6c:80:2c:3a 48 -
    Sep 14 12:37:39 eap-term-start -> 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap - -
    Sep 14 12:37:39 station-term-start * 60:67:20:02:13:da 00:24:6c:80:2c:3a 48 -
    Sep 14 12:39:10 station-term-end * 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap 3 - failure
    Sep 14 12:39:10 eap-failure <- 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap - 4
    Sep 14 12:39:10 station-down * 60:67:20:02:13:da 00:24:6c:80:2c:3a - -

    Is there some other debug option to get more details on the specific failure -

    or have other people run into devices that have trouble accepting 2048 bit certs?



  • 2.  RE: Trouble with clients accepting a 2048 bit cert for WPA2-peap authentication?

    Posted Sep 18, 2012 01:13 PM

    OK, I found a specific issue.

    I'm using certs via incommon.org - these exist under Comodo's AddTrust CA - which is well trusted and things seemed fine.

    So I got a new cert and just installed that cert onto the controllers - it worked fine for all my test devices - so I didn't bother to craft a full cert-chain PEM file since it didn't seem to be needed....

    Well, Windows 7 64-bit in particular is not happy with this and silently ignores/rejects the new cert - ie no notification to the user.

    Installing a full cert-chain PEM file and now Windows 7 64-bit behaves like everyone else - and users are asked to trust the new cert as expected and all is good with the world (except they're still using Windows 7).

    So that's what I get for not using a full cert chain....
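The fix above was a complete chain file (server cert, then intermediate(s), then root). The script below is an added example, not from this thread or from HPE Aruba: it reads a PEM bundle with only the Python standard library and reports whether each cert's issuer matches the next cert's subject and whether the bundle ends at a self-signed root, so a gap like the one the poster hit is caught before the file goes onto the controller. The sample certs it builds are constructed placeholders (no keys or signatures), not real certificates.

```python
import base64
import re

# Matches each PEM certificate in a bundle (DOTALL so the body spans lines).
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs use this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(cert_der):
    """Return (subject, issuer) as raw DER Name contents, compared byte-for-byte."""
    _, cert, _ = der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)            # TBSCertificate SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # skip optional [0] version
    _, _, pos = der_tlv(tbs, pos)           # serialNumber
    _, _, pos = der_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)      # issuer Name
    _, _, pos = der_tlv(tbs, pos)           # validity
    _, subject, _ = der_tlv(tbs, pos)       # subject Name
    return subject, issuer

def check_chain(pem_bytes):
    """Return a list of problems; empty means the bundle is ordered
    server cert -> intermediate(s) -> self-signed root with no gaps."""
    certs = [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]
    if not certs:
        return ["no certificates found in bundle"]
    names = [subject_issuer(c) for c in certs]
    problems = [f"cert {i} issuer does not match cert {i + 1} subject"
                for i in range(len(names) - 1) if names[i][1] != names[i + 1][0]]
    if names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-signed: intermediate or root missing")
    return problems

# Constructed stand-ins for testing: minimal DER carrying only the fields the
# parser reads (no keys or signatures), so the example runs offline.
def fake_cert(subject, issuer):
    der = lambda tag, val: bytes([tag, len(val)]) + val     # short-form lengths only
    seq = lambda *parts: der(0x30, b"".join(parts))
    name = lambda s: seq(der(0x0C, s.encode()))             # Name as one UTF8String
    tbs = seq(der(0x02, b"\x01"), seq(der(0x06, b"\x2a")), name(issuer), seq(), name(subject))
    return seq(tbs, seq(), der(0x03, b"\x00"))

def pem_bundle(*ders):
    return b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d)
                    + b"-----END CERTIFICATE-----\n" for d in ders)

LEAF = fake_cert("controller.example.edu", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
```

On a real bundle, call `check_chain(open("chain.pem", "rb").read())`; a bundle that stops at an intermediate is reported as incomplete, which is the case that left the Windows 7 clients silently failing here.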