Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Radius Certificate

This thread has been viewed 27 times
  • 1.  Radius Certificate

    Posted Jun 08, 2021 04:28 PM
    Has anyone every got a public cert to work so the client does not have to manually trust the cert?

    ------------------------------
    Gary Naeger
    ------------------------------


  • 2.  RE: Radius Certificate

    Posted Jun 09, 2021 02:41 AM
    Hi Gary,

    What EAP method do you use? Please note that a public certificate always have to be trusted by your client. Yes the public CA certificate is probarly in the trust store of the client, but because the client not "ask" for the certificate, it still have to be validate by the user.

    Example:
    If your client browse to https://cnn.com, the client "ask" for that DNS name cnn.com, the webserver send you the cnn.com webserver certificate that the client knowns in his CA root trust store and it will be validated (because you ASK for that name). For RADIUS this it different, the client don't "ask" for the RADIUS server certificate, the RADIUS server just give you the RADIUS server certificate. "hello iám the radius server, this is my certificate". The client have to validate if this certificate is from the right server DNS name, so you always have to validate by the end user or use a MDM to push that settings.

    Generally design is that the RADIUS server certificate is issued by your own PKI CA infrastructure. Also note RADIUS certificate can't be a wildcard (*.domain.com) certificate.

    Hope this helps.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 3.  RE: Radius Certificate

    Posted Jun 09, 2021 11:14 AM
    This is the information i was looking for.  We are using wpa2/aes, the implementation is working, has been for several years. We use an mdm solution for university owned devices to push out the cert or instruct the user to trust the cert when prompted.

    The issue now is Android 11 will no longer allow users to trust a cert as part of joining the wlan. If they start doing it I'm sure Apple will follow suit.

    Is there a better option? With the caveat we do not want to install anything on student owned devices.

    ------------------------------
    Gary Naeger
    ------------------------------



  • 4.  RE: Radius Certificate

    Posted Jun 09, 2021 07:55 AM
    Check this post, basically the same question. In short: Yes, some people are using public EAP certificates, and it works. No clients will not automatically trust public certificates, and public certificate authorities for RADIUS EAP certificates are deprecated. IF you absolutely want to have a public certificate, make sure that you have the guarantee that your CA will issue certificates from the same root for the expected running time of your WLAN solution. It's a pain to change to another root CA, and it will require you to touch all of your clients currently only trusting the old root.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Radius Certificate

    Posted Jun 09, 2021 11:20 AM
    Our solution works, has been for several years. We use a public cert because we do not want to install a private cert on thousands of student owned devices. we use digicert and the intermediate is valid until 2028 and the root is valid until 2031 so we should be good for awhile. I know things change but we would rather purchase a new cert then be responsible for the student devices.

    ------------------------------
    Gary Naeger
    ------------------------------