Security

I am trying to setup my AP-93 to use AD credentials, without having to provide certificates to the end user device. (I'm assuming EAP-PEAP is what I'm wanting to use). The problem is, during this process I've uploaded some certificates into the device and I don't see a way of just removing them.

 

Now I know I could just reset the device to factory settings, but I'm trying to find a better way to do it, so if I have to deal with certificates again, i'm not having to completely reset the device everytime. I've been trying for days to get this to work....

 

I work in the (IT dept for) medical sales field, and we are wanting to create a way for our employees to log their guests onto our WiFi with their AD credentials, without having to purchase a public certificate. It's more of a courtesy thing. Also, so employees can log on with their phones/laptops/etc, and be able to surf the net, and we can monitor usage.... That sort of thing.

 

Any help is greatly appreciated.

Even with EAP-PEAP, there is still the server certificate to contend with.  That shouldn't be an issue with most devices but some Windows OS's need the "Validate Server Certificate" unchecked in the supplicant settings.

 

When you mention deploying certs to the devices, what exactly are you talking about?  

---

@SethFiermonti wrote:

Even with EAP-PEAP, there is still the server certificate to contend with.  That shouldn't be an issue with most devices but some Windows OS's need the "Validate Server Certificate" unchecked in the supplicant settings.

 

When you mention deploying certs to the devices, what exactly are you talking about?  

---

I was talking specifically about the Windows devices. The problem is that we would have to use a self signed certificate and uncheck that "Validate Server Certificate". That is a problem because the IT department would be the ones that would have to set that up, and that means manually inputting the connection before we could change that setting. Most of the time we never see the guest and it's all about appearances here. We're looking for a solution that is nearly seamless.

 

If I can't do it without the certificate issue, perhaps there's another method to get the same end result? Basically I just want to have people be able to sign their guests into the WiFi and monitor usage. Obviously I know how to set most of it up, it's the connection part that's getting me. Perhaps I need to explore open source LDAP alternatives. Any suggestions?

 

Oh, also, how do I clear the certificates I already uploaded in it, without having to factory reset the device?

Have you considered a guest ssid with visitor usernames and passwords.  Either use ClearPass Guest for this or the embedded captive portal and guest provisioning within the controller.

Do you have a good place for me to look into this more? Maybe that will work. Can Clearpass pull information from our domain controller? They really want some form of Radius authentication for central administration, so this might not be an option, but I'll at least look into it. Thanks.

ClearPass can certainly be joined to the domain but guest accounts are usually NOT domain accounts. ClearPass itself can self-register (which can be sponsored by an employee) guests and both create, expire, and set passwords automatically. No AD required!

Awesome. Thank you. I'll look into clearpass as the solution.....

If you know the Aruba SE, have them in for a demo of the system.  Check out our website as well for more info.  It's a really slick system.  Also...don't forget the kudos :)