Wireless Access

Contributor I
Posts: 45
Registered: ‎09-11-2010

Does anyone know how I can protect PEAP without validating the server certificate on the client side?

Hi All,

Does anyone know how I can protect PEAP without validating the server certificate? My customer's site hasn't deployed a root CA, and he has already disabled "Validate Server Certificate" on the client machines for all users.

 

Thanks in advance 

Regards,

 

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Does anyone know how I can protect PEAP without validating the server certificate on the client side?

There is no way to do that without "Validate Server Certificate".  What CA issued the radius server certificate?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 45
Registered: ‎09-11-2010

Re: Does anyone know how I can protect PEAP without validating the server certificate on the client side?

Hi Colin,

 

Thanks for the quick reply.

I used a self-signed CA to sign the RADIUS server certificate.

In this case, if I have an Air Monitor, can it help or not?

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Does anyone know how I can protect PEAP without validating the server certificate on the client side?

aakmit,

 

I am probably not answering your question.

 

What problem are you trying to solve?

 

If you have WPA2-AES-PEAP installed, you are using encryption on your clients. If those same clients do not have "Validate Server Certificate" checked, they can be easily lured to an access point that broadcasts the same name, because the clients are not checking to make sure they are attaching to the correct WLAN.

 

What would Air monitors do in this situation?



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 45
Registered: ‎09-11-2010

Re: Does anyone know how I can protect PEAP without validating the server certificate on the client side?

Hi Colin,

 

Sorry, my question was not clear enough.

Actually, I need to protect the corporate WLAN from an unauthorized AP which broadcasts the same corp SSID.

This is in case someone sets up an AP with the same corp SSID to sniff user credentials. If the client machine doesn't validate the certificate, is it possible to protect clients from connecting to an unauthorized AP with an Air Monitor?

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: Does anyone know how I can protect PEAP without validating the server certificate on the client side?

You can do that if you have the RFprotect license installed on the controller using Air Monitors, yes, but it will cost you in hardware to deploy Air monitors.

 

The best way to deal with this is to install an Enterprise CA in the domain: The clients will all trust this server and then you can issue a server certificate to your Radius Server that your clients will trust. After doing that you can set up a group policy that configures the WLAN of those clients where "Validate Server Certificate" is enabled.

 



Colin Joseph
Aruba Customer Engineering
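
To find clients that still have "Validate Server Certificate" turned off before and after the group policy rollout discussed in this thread, exported Windows WLAN profiles (`netsh wlan export profile`) can be audited. The script below is an added example, not code from any poster or from Aruba; the element names follow the Windows PEAP profile XML, and the SSID name, RADIUS hostname and CA thumbprint in the sample profiles are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread: trimmed WLAN profile export for a
# PEAP SSID with "Validate server certificate" unchecked on the client.
WEAK = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CorpWLAN</name><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames></ServerNames>
</ServerValidation>
<PeapExtensions><PerformServerValidation
 xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"
 >false</PerformServerValidation></PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

# Constructed hardened variant: validation on, server name and root CA pinned
# (hostname and thumbprint are placeholders).
HARDENED = WEAK.replace("false", "true").replace(
    "<ServerNames></ServerNames>",
    "<ServerNames>radius.corp.example</ServerNames>"
    "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>")

def _vals(root, tag):
    """Text of every element with this local name, ignoring namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == tag]

def audit_peap(xml_text):
    """Return findings for a PEAP profile; [] if not PEAP or nothing found."""
    root = ET.fromstring(xml_text)
    if "25" not in _vals(root, "Type"):  # EAP type 25 = PEAP
        return []
    findings = []
    # A missing element is reported too (conservative choice of this example).
    if "true" not in _vals(root, "PerformServerValidation"):
        findings.append("PerformServerValidation is not true")
    if not any(_vals(root, "TrustedRootCA")):
        findings.append("no trusted root CA pinned")
    if not any(_vals(root, "ServerNames")):
        findings.append("no RADIUS server name pinned")
    if "true" not in _vals(root, "DisableUserPromptForServerValidation"):
        findings.append("user can be prompted to accept an unknown server")
    return findings
```

A profile that returns an empty list validates the RADIUS server against a pinned CA and server name without asking the user, which is the state the group policy is meant to enforce.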
