Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius Certificate

  • 1.  Radius Certificate

    Posted Jun 08, 2021 04:28 PM
    Has anyone every got a public cert to work so the client does not have to manually trust the cert?

    ------------------------------
    Gary Naeger
    ------------------------------


  • 2.  RE: Radius Certificate

    MVP EXPERT
    Posted Jun 09, 2021 02:41 AM
    Hi Gary,

    What EAP method do you use? Please note that a public certificate always has to be trusted by your client. Yes, the public CA certificate is probably in the trust store of the client, but because the client does not "ask" for the certificate, it still has to be validated by the user.

    Example:
    If your client browses to https://cnn.com, the client "asks" for that DNS name cnn.com, the webserver sends you the cnn.com webserver certificate that the client knows in its CA root trust store, and it will be validated (because you ASK for that name). For RADIUS this is different: the client doesn't "ask" for the RADIUS server certificate, the RADIUS server just gives you the RADIUS server certificate. "Hello, I am the RADIUS server, this is my certificate." The client has to validate whether this certificate is from the right server DNS name, so you always have to validate by the end user or use an MDM to push those settings.

    The general design is that the RADIUS server certificate is issued by your own PKI CA infrastructure. Also note that a RADIUS certificate can't be a wildcard (*.domain.com) certificate.

    Hope this helps.

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | ACDA | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------

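To make the "client does not ask for a name" point in the reply above concrete, here is an added Python example (not from this thread, and not ClearPass or Android code) that models how a supplicant configured with a trusted root and an expected server domain judges a RADIUS server certificate chain. The chain, the names, and the wpa_supplicant-style domain_suffix_match rule are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Constructed stand-in for what a supplicant reads from the RADIUS/EAP server chain (no real X.509 parsing).
@dataclass
class Cert:
    subject_cn: str
    san_dns: List[str]
    issuer_cn: str
    not_after: datetime
    is_ca: bool = False
@dataclass
class SupplicantProfile:
    trusted_root_cns: Set[str]      # roots pushed by MDM or shipped with the OS
    expected_domain: Optional[str]  # Android 11 "Domain" field; None = not configured
def suffix_match(name: str, domain: str) -> bool:
    # Modelled on wpa_supplicant's domain_suffix_match (assumed): case-insensitive, label boundary, no wildcards.
    name, domain = name.lower(), domain.lower()
    return not name.startswith("*") and (name == domain or name.endswith("." + domain))

def evaluate_server_cert(chain: List[Cert], profile: SupplicantProfile, now: datetime) -> Tuple[bool, str]:
    """chain[0] is the RADIUS server cert, chain[-1] the root. Returns (accepted, reason)."""
    leaf, root = chain[0], chain[-1]
    linked = all(chain[i].issuer_cn == chain[i + 1].subject_cn for i in range(len(chain) - 1))
    if not (linked and root.is_ca and root.subject_cn in profile.trusted_root_cns):
        return False, "chain does not link to a root in the client trust store"
    if any(c.not_after <= now for c in chain):
        return False, "a certificate in the chain has expired"
    names = leaf.san_dns or [leaf.subject_cn]
    if any(n.startswith("*") for n in names):
        return False, "wildcard names are not accepted for a RADIUS server identity"
    if profile.expected_domain is None:
        # The client never 'asked' for a name, so a trusted root alone says nothing about
        # which server this is; Android 11 no longer lets the user skip this step.
        return False, "no expected server domain configured; identity cannot be validated"
    if not any(suffix_match(n, profile.expected_domain) for n in names):
        return False, f"{names} does not match expected domain '{profile.expected_domain}'"
    return True, "server identity validated"

# Constructed sample chain: public root -> intermediate -> RADIUS server certificate.
def at(year: int, month: int) -> datetime:
    return datetime(year, month, 1, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", [], "Example Root CA", at(2031, 1), is_ca=True)
INTER = Cert("Example Intermediate", [], "Example Root CA", at(2028, 1), is_ca=True)
SERVER = Cert("radius.example.edu", ["radius.example.edu"], "Example Intermediate", at(2022, 6))
WILDCARD = Cert("*.example.edu", ["*.example.edu"], "Example Intermediate", at(2022, 6))
TRUSTED = SupplicantProfile({"Example Root CA"}, "example.edu")
UNCONFIGURED = SupplicantProfile({"Example Root CA"}, None)
NOW = at(2021, 6)
```

Running `evaluate_server_cert([SERVER, INTER, ROOT], UNCONFIGURED, NOW)` shows why a publicly trusted root by itself is not enough: without an expected domain the client rejects (or, on older OS versions, had to ask the user).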


  • 3.  RE: Radius Certificate

    Posted Jun 09, 2021 11:14 AM
    This is the information I was looking for.  We are using WPA2/AES; the implementation is working, and has been for several years. We use an MDM solution for university-owned devices to push out the cert or instruct the user to trust the cert when prompted.

    The issue now is Android 11 will no longer allow users to trust a cert as part of joining the wlan. If they start doing it I'm sure Apple will follow suit.

    Is there a better option? With the caveat we do not want to install anything on student owned devices.

    ------------------------------
    Gary Naeger
    ------------------------------



  • 4.  RE: Radius Certificate

    EMPLOYEE
    Posted Jun 09, 2021 07:55 AM
    Check this post, basically the same question. In short: Yes, some people are using public EAP certificates, and it works. No, clients will not automatically trust public certificates, and public certificate authorities for RADIUS EAP certificates are deprecated. If you absolutely want to have a public certificate, make sure that you have the guarantee that your CA will issue certificates from the same root for the expected running time of your WLAN solution. It's a pain to change to another root CA, and it will require you to touch all of your clients currently only trusting the old root.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Radius Certificate

    Posted Jun 09, 2021 11:20 AM
    Our solution works, and has been for several years. We use a public cert because we do not want to install a private cert on thousands of student-owned devices. We use DigiCert; the intermediate is valid until 2028 and the root is valid until 2031, so we should be good for a while. I know things change, but we would rather purchase a new cert than be responsible for the student devices.

    ------------------------------
    Gary Naeger
    ------------------------------