06-25-2013 10:00 AM
I am having an issue with my controller where I put the certificate of my NPS server in the AAA profile, and attempt to connect via PEAP to the wireless network. I go through the steps to connect and it tells me that the server can't be identified. I know this is incorrect because I took the server authentication certificate and put it on the default website in IIS and verified that I get no errors when browsing to the site. I viewed the thumbprint of the certificate I was being presented and it matched an older certificate that I was using that in fact wasn't signed. Have any of you seen this before?
The only thought that I have is that the certificate being presented by the AAA profile isn't being presented at all, and it is going directly to a self-signed certificate by the local server... If this is the case, how can I fix that?
Thanks in advance.
06-25-2013 10:11 AM - edited 06-25-2013 10:14 AM
06-25-2013 11:49 AM - edited 06-25-2013 11:50 AM
I didn't have it enabled. I switched it on and I still get an error that the server cannot be identified. I did verify, though, that the correct certificate thumbprint is coming through now.
I went in to my certification authority and verified the certificate is still active and valid. Any ideas? I checked my PC's trusted root CA's and the ADCS server is in that list. Like I said, the certificate is valid when I browse to the local server through a web browser... Would it be smarter to figure out how to load that signed certificate directly on to the server, rather than terminating at the controller?
Thanks for your help.
06-25-2013 12:19 PM - edited 06-25-2013 12:20 PM
You will always get the trust dialog on Windows, Mac and iOS if you have not configured the client to trust the CA for that connection. If the thumbprint matches, then that dialog is expected. It is just saying that the certificate hasn't been explicitly trusted for that SSID.
06-25-2013 12:23 PM - edited 06-25-2013 12:25 PM
Thanks for the response. Just to make sure I understand: I need to send out the connection info for this SSID via group policy or another method, and set this specific SSID to check against the internal CA, considering that the CA is already in the trusted certification authority store on my computer?
06-25-2013 12:28 PM - edited 06-26-2013 06:07 AM
Even if the device trusts the CA, the certificate trust is configured per connection (SSID). You can configure group policy to push out the 802.1x supplicant config that will trust your certificate for the network. See my post in the following thread: