Contributor II
Posts: 87
Registered: 04-09-2007

Trouble with clients accepting a 2048 bit cert for WPA2-peap authentication?

Our old 1024 bit cert is expiring - but we've gotten on 6.1.3.2 code so I can use my new 2048 bit cert - all looked good - but I've got a population of devices running windows 7 - they appear to have default configs - but do not prompt the user to trust the new cert.

I've been using our new 2048 bit cert on our radius servers for eduroam for the past year - attempting to join and set up a wireless profile on these devices for eduroam fails - they don't get prompted to trust the cert...

My similarly configured win7 device has no issue - so I'm starting to suspect that for some reason the failing devices are having issues accepting a 2048 bit cert?

Is there an easy way to confirm this from the controller?

Using aaa tracebuf I can see the eap termination is failing... ie not progressing to actual radius calls...

Sep 14 12:37:39 station-up * 60:67:20:02:13:da 00:24:6c:80:2c:3a - - wpa2 aes
Sep 14 12:37:39 station-term-start * 60:67:20:02:13:da 00:24:6c:80:2c:3a 48 -
Sep 14 12:37:39 eap-term-start -> 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap - -
Sep 14 12:37:39 station-term-start * 60:67:20:02:13:da 00:24:6c:80:2c:3a 48 -
Sep 14 12:39:10 station-term-end * 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap 3 - failure
Sep 14 12:39:10 eap-failure <- 60:67:20:02:13:da 00:24:6c:80:2c:3a/1x-ap - 4
Sep 14 12:39:10 station-down * 60:67:20:02:13:da 00:24:6c:80:2c:3a - -

Is there some other debug option to get more details on the specific failure -

or have other people run into devices that have trouble accepting 2048 bit certs?

Contributor II
Posts: 87
Registered: 04-09-2007

Re: Trouble with clients accepting a 2048 bit cert for WPA2-peap authentication?

OK, I found a specific issue.

I'm using certs via incommon.org - these exist under comodo's AddTrust CA - which is well trusted and things seemed fine.

So I got a new cert and just installed that cert onto the controllers - it worked fine for all my test devices - so I didn't bother to craft a full cert-chain pem file since it didn't seem to be needed....

Well windows 7 64bit in particular is not happy with this and silently ignores/rejects the new cert - ie no notification to the user.

After installing a full cert-chain pem file, windows 7 64bit now behaves like everyone else - users are asked to trust the new cert as expected and all is good with the world (except they're still using windows7).

So that's what I get for not using a full cert chain....
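A way to reproduce the chain problem the post describes before uploading a PEM file to the controller, as an added example that is not part of the original thread. It assumes only the openssl CLI; the CA names and the radius host name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the controller vendor.
# Builds a throwaway root -> intermediate -> leaf chain with openssl (the only
# assumed tool), then shows why a leaf-only PEM fails for a client that does
# not already hold the intermediate, while leaf+intermediate succeeds.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed CA hierarchy; every name below is a placeholder, not a real issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.edu" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# The two candidate server PEM files: the cert alone, and leaf followed by
# its intermediate (the server cert must come first in the bundle).
cp leaf.pem leaf-only.pem
cat leaf.pem int.pem > full-chain.pem

# check_chain BUNDLE ROOT: act like a client that trusts only ROOT and is
# handed BUNDLE by the EAP server: the first certificate is the server cert,
# the rest may be used as untrusted intermediates. Returns 0 if a chain builds.
check_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in FILE.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

if check_chain leaf-only.pem root.pem; then
    echo "leaf-only.pem: chain builds"
else
    echo "leaf-only.pem: no path to the root -> client rejects the server cert"
fi
if check_chain full-chain.pem root.pem; then
    echo "full-chain.pem ($(count_certs full-chain.pem) certs): chain builds"
fi
```

Run it against your real bundle with `check_chain controller.pem trusted-root.pem`; a failure for the leaf-only file is exactly the silent rejection the post saw on Windows 7.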