Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clearpass Policy Manager - Certificate Trust List

  • 1.  Clearpass Policy Manager - Certificate Trust List

    Posted Oct 21, 2014 12:16 PM

    Hi,

     

    Question regarding the CPPM certificate installation.

     

    We are using CPPM for 802.1x authentication. As the self-signed certificate is about to expire soon, we are planning to replace it with a public certificate signed by a CA (GlobalSign). When we tested this over the weekend, we found the client machines were prompted to click "connect" or "accept" on Windows and iPhone respectively. There are a couple of questions that I have:

     

    1. Do we get this one time popup even for the signed public certificate? Is there a way to avoid this?

     

    2. One thing that I observed was that, though the public certificate was listed in the trust list (Administration -> Certificates -> Trust List) on CPPM, it was not enabled. Do we have to enable it? Does this have anything to do with the prompt we got as explained above? Also, do we have to add any intermediate certificates to the trust list and enable them as well?

     

    Please let me know if you need more information.

     

    Any suggestions would be greatly appreciated.

     

    Thanks,

    Kumar



  • 2.  RE: Clearpass Policy Manager - Certificate Trust List
    Best Answer

    EMPLOYEE
    Posted Oct 21, 2014 12:27 PM

    The certificate prompt on clients is a normal part of the 802.1X/EAP process. The dialog box is asking the user if they trust the authentication server to take their credentials for that particular network.  The only way to bypass the prompt is to pre-configure clients using a management tool like Group Policy/Profile Manager or BYOD tools like QuickConnect or Onboard.

     

    While that error doesn't have anything to do with the CP trust list, you should enable the entire trust chain anyway.



  • 3.  RE: Clearpass Policy Manager - Certificate Trust List

    Posted Oct 21, 2014 12:39 PM

    Hi Tim,

     

    Thanks for the quick response. You have answered my question.

     

    One more thing that concerned me was, when it prompts on iPhones it reads as "Not Verified" in red. Any idea why this would happen?

     

    Also, what would happen if I do not enable it in the trust list? I was still able to connect.

     

    Thanks,
    Kumar



  • 4.  RE: Clearpass Policy Manager - Certificate Trust List

    EMPLOYEE
    Posted Oct 21, 2014 12:41 PM

    Not Verified just means that the server's certificate has not been pre-trusted for connection to the network. This is normal for the first time a user connects.

     

    You likely have enabled the Root or intermediate CA that signed the public certificate, which is fine.



  • 5.  RE: Clearpass Policy Manager - Certificate Trust List

    Posted Oct 21, 2014 02:40 PM

    I have just checked CPPM; most of the certs on the Trust List are disabled except a very few which are enabled. GlobalSign is among the disabled ones.

     

     C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA | valid | Disabled

     

    Thanks,

    Kumar



  • 6.  RE: Clearpass Policy Manager - Certificate Trust List

    EMPLOYEE
    Posted Oct 21, 2014 02:42 PM
    Did your server certificate have the trust list embedded?

    You can check this by looking at the certificate under the Certificates menu. If you see all 3, then the full trust was included in the certificate file.


  • 7.  RE: Clearpass Policy Manager - Certificate Trust List

    Posted Oct 21, 2014 02:51 PM

    Yes, if I am getting this right: when I go to Server Certificates under the Certificates menu on CPPM, I did see the server cert, intermediate cert and the root CA cert. Is this what you are referring to?

     



  • 8.  RE: Clearpass Policy Manager - Certificate Trust List

    EMPLOYEE
    Posted Oct 21, 2014 02:52 PM
    Yes, you should be all set then.


  • 9.  RE: Clearpass Policy Manager - Certificate Trust List

    Posted Oct 21, 2014 02:54 PM

    Thanks a lot for answering all my questions. I really appreciate it.

     

    Thanks,
    Kumar
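
The check discussed in replies 6 to 8 (server, intermediate and root certificates all present in the certificate file) can also be run against the PEM bundle before it is imported. This is an added example, not part of the original thread or of ClearPass itself; it assumes the openssl CLI, and the function names, file names and demo CNs are hypothetical.

```shell
# Added example; assumes the openssl CLI. File names and CNs are constructed.

# Print the subject or issuer DN of one PEM certificate in a stable format.
cert_name() {  # $1 = subject|issuer, $2 = PEM file
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# Return 0 if bundle $1 holds at least $2 (default 3) certificates, each issued
# by the next, ending in a self-signed root. Checks DN chaining only, not signatures.
chain_complete() {
    bundle=$1; min=${2:-3}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... and count the certificates.
    count=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$bundle")
    rc=0; i=1
    [ "$count" -ge "$min" ] || rc=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
        issuer=$(cert_name issuer "$tmp/cert$i.pem")
        # The last certificate must be self-signed; the others chain to the next one.
        if [ "$i" -lt "$count" ]; then j=$((i + 1)); else j=$i; fi
        parent=$(cert_name subject "$tmp/cert$j.pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$parent" ]; then rc=1; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Build a constructed server/intermediate/root chain in directory $1 for testing.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for spec in "int:root:Demo Intermediate CA" "srv:int:cppm.example.test"; do
        name=${spec%%:*}; rest=${spec#*:}; ca=${rest%%:*}; cn=${rest#*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 2 -out "$d/$name.pem" 2>/dev/null
    done
    cat "$d/srv.pem" "$d/int.pem" "$d/root.pem" > "$d/full.pem"
}
```

Run `chain_complete bundle.pem` on the file received from the CA; a non-zero exit means a certificate is missing or out of order, which `openssl verify` can then examine in detail.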