New Contributor
Posts: 4
Registered: ‎11-13-2012

Validate Server Certificate

Hi guys. We have dot1x authentication against a RADIUS server. Termination is not enabled on the controller. Customers need to manually create a Wi-Fi profile on their PCs and uncheck "validate server certificate". There are questions from customers:

1. Why was the authentication successful when "validate server certificate" was not checked in the Wi-Fi profile?

   What was the actual process that happened when "validate server certificate" was not checked in the Wi-Fi profile?

2. What will happen on the Windows client when the RADIUS server renews the server certificate:

   A) with "validate server certificate" checked

   B) without "validate server certificate" checked.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Validate Server Certificate

Is your cert signed by a public or private CA?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Validate Server Certificate

You should not uncheck the "validate server certificate" option. Although it may solve your connectivity problem, it is good practice to validate and trust the server's identity (via the certificate).

You should have each client trust the certificate. The process to do it varies slightly depending on whether it is a public certificate, self-signed, or an Active Directory Certificate Services certificate.

1. Why was the authentication successful when "validate server certificate" was not checked in the Wi-Fi profile?

---- Because your client does not have it in its list of trusted certificate authorities; so unchecking the option ignores this.

   What was the actual process that happened when "validate server certificate" was not checked in the Wi-Fi profile?

---- The client ignores the certificate presented by the RADIUS server.

2. What will happen on the Windows client when the RADIUS server renews the server certificate:

   A) with "validate server certificate" checked

---- Depends on where the certificate was issued from. It would need to be reloaded to the clients, but again the process may vary. Domain-joined machines can have these settings pushed out through Group Policy, including the trusted certificate.

   B) without "validate server certificate" checked.

---- Nothing; but again, you should enable this feature.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
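
The following Python model is an added example; it is not code from this thread, from Aruba or from Microsoft. It shows how the three settings discussed in the answers above ("Validate server certificate", "Connect to these servers" and the ticked Trusted Root CAs) combine when a Windows PEAP or EAP-TLS supplicant receives the RADIUS server's certificate, and what happens to each combination once the RADIUS certificate is renewed by the same private CA. The CA name "Corp Private CA", the server name radius.corp.example, the dates and the thumbprints are constructed sample data. The model links certificates by issuer name and thumbprint only and does not verify real signatures, and it assumes the "cannot verify the server" user prompt of older Windows builds counts as a rejection, since unattended clients never click through it.

```python
# Added example (not from the thread): simplified model of how a Windows
# PEAP/EAP-TLS supplicant applies its profile settings to the RADIUS
# server's certificate. Linkage is by issuer name and thumbprint only;
# no real signature verification is performed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str      # the RADIUS server's name, or the CA's name
    issuer: str       # subject of the CA that signed it
    thumbprint: str   # thumbprint as Windows displays it (constructed)
    not_after: date


@dataclass(frozen=True)
class WlanProfile:
    validate_server_certificate: bool = True  # "Validate server certificate"
    server_names: tuple = ()                  # "Connect to these servers"; empty = unchecked
    trusted_roots: tuple = ()                 # thumbprints ticked under Trusted Root CAs; empty = none ticked


def evaluate(profile, server_cert, root_store, today):
    """Decide whether the supplicant proceeds with EAP. Returns (accepted, reason).

    Assumption: a 'cannot verify the server' prompt is treated as a rejection.
    """
    if not profile.validate_server_certificate:
        # Box unchecked: the certificate is never examined, so the client
        # cannot tell the real RADIUS server from any other EAP server.
        return True, "validation disabled; certificate ignored"
    if server_cert.not_after < today:
        return False, "server certificate expired"
    root = next((r for r in root_store if r.subject == server_cert.issuer), None)
    if root is None:
        return False, f"issuer '{server_cert.issuer}' is not in the trusted root store"
    # With no root ticked, Windows accepts any root already in the machine's store.
    if profile.trusted_roots and root.thumbprint not in profile.trusted_roots:
        return False, "issuing root is in the store but not ticked in the profile"
    if profile.server_names and server_cert.subject not in profile.server_names:
        return False, f"server name '{server_cert.subject}' is not in the profile's list"
    return True, "chains to a trusted root and name matches"


# --- constructed sample data -------------------------------------------------
TODAY = date(2013, 1, 15)
CORP_CA = Cert("Corp Private CA", "Corp Private CA", "AA11", date(2030, 1, 1))
OLD_SERVER = Cert("radius.corp.example", "Corp Private CA", "BB22", date(2013, 1, 1))  # expired
NEW_SERVER = Cert("radius.corp.example", "Corp Private CA", "CC33", date(2014, 1, 1))  # renewed
UNKNOWN_SERVER = Cert("radius.corp.example", "Some Other CA", "DD44", date(2014, 1, 1))


def renewal_outcomes(root_trusted=True):
    """Outcome per profile variant after the RADIUS certificate is renewed by
    the same private CA. root_trusted=False models a client that never
    imported the CA (no GPO, not domain joined)."""
    store = (CORP_CA,) if root_trusted else ()
    scenarios = {
        "unchecked": WlanProfile(validate_server_certificate=False),
        "i_validate_only": WlanProfile(),
        "ii_a_right_server_name": WlanProfile(server_names=("radius.corp.example",)),
        "ii_b_wrong_server_name": WlanProfile(server_names=("radius.other.example",)),
        "iii_root_ticked": WlanProfile(trusted_roots=("AA11",)),
    }
    return {name: evaluate(p, NEW_SERVER, store, TODAY)[0] for name, p in scenarios.items()}


def unknown_issuer_outcome(validate):
    """What the client does with a certificate from a CA it has never trusted."""
    profile = WlanProfile(validate_server_certificate=validate)
    return evaluate(profile, UNKNOWN_SERVER, (CORP_CA,), TODAY)[0]


if __name__ == "__main__":
    for trusted in (True, False):
        print(f"root CA imported on client: {trusted}")
        for name, ok in renewal_outcomes(trusted).items():
            print(f"  {name:24s} -> {'connects' if ok else 'fails'}")
    print("unknown issuer, validation on :", unknown_issuer_outcome(True))
    print("unknown issuer, validation off:", unknown_issuer_outcome(False))
```

The two runs of renewal_outcomes() make the answer above concrete: while the renewed certificate still chains to a CA the client already trusts, every profile that validates keeps connecting (the only failure is a server name that no longer matches), and a client that never imported the private CA fails in every validating variant. The unchecked profile "connects" in all cases, including with a certificate from a CA nobody trusts, which is exactly why it offers no protection against an impersonated RADIUS server.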

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Validate Server Certificate

From a security standpoint, not validating the server's identity is worse than using an open network.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎11-13-2012

Re: Validate Server Certificate

Tim, it is a private cert.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Validate Server Certificate

Then you would need to manually install the root (signing) CA on the device, use group policy to push it out, or use a tool like QuickConnect to install it.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎11-13-2012

Re: Validate Server Certificate

Clembo,

Refer to item 2 A), with "validate server certificate" checked, with no GPO and domain PC.

What would happen to the client if the server certificate is renewed at the RADIUS server as per the following scenarios:

   i) nothing is checked except "validate server certificate"

   ii) with "connect to these servers" checked with the server name and no check at trusted root certificate authorities

       additional condition: a) pointing to the right RADIUS
                             b) pointing to an incorrect RADIUS

   iii) with a few trusted root CAs checked; "connect to these servers" unchecked

Appreciate your answers.
