Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Validate Server Certificate

  • 1.  Validate Server Certificate

    Posted Aug 12, 2014 09:20 AM

    Hi guys. We have dot1x authentication against a RADIUS server. Termination is not enabled on the controller. The customer needs to manually create a Wi-Fi profile on their PC and uncheck "validate server certificate". There is a question from the customer:

    1. Why was the authentication successful when "validate server certificate" was unchecked in the Wi-Fi profile?

       What was the actual process that happened when "validate server certificate" was unchecked in the Wi-Fi profile?

    2. What will happen on the Windows client when the RADIUS server renews its server certificate:

       A) with "validate server certificate" checked

       B) without "validate server certificate" checked.




  • 2.  RE: Validate Server Certificate

    Posted Aug 12, 2014 09:23 AM
    Is your cert signed by a public or private CA?


  • 3.  RE: Validate Server Certificate

    Posted Aug 14, 2014 12:03 PM

    Tim, it is a private cert.



  • 4.  RE: Validate Server Certificate

    Posted Aug 14, 2014 12:04 PM

    Then you would need to manually install the root (signing) CA on the device, use group policy to push it out, or use a tool like QuickConnect to install it.



  • 5.  RE: Validate Server Certificate

    Posted Aug 14, 2014 12:31 PM

    Clembo

    Refer to item 2, A) with "validate server certificate" checked, with no GPO and a domain PC.

    What would happen to the client if the server certificate is renewed at the RADIUS server in the following scenarios:

      i) nothing is checked except "validate server certificate"

     ii) "connect to these servers" checked with the server name, and no trusted root certificate authorities checked

         additional condition: a) pointing to the right RADIUS server
                               b) pointing to an incorrect RADIUS server

    iii) a few trusted root CAs checked; "connect to these servers" unchecked

    Appreciate your answers.



  • 6.  RE: Validate Server Certificate

    Posted Aug 12, 2014 09:24 AM

    You should not uncheck the "validate server certificate" option.  Although it may solve your connectivity problem, it is good practice to validate and trust the server's identity (via the certificate).

    You should have each client trust the certificate.  The process to do it varies slightly depending on whether it is a public certificate, self-signed, or an Active Directory Certificate Services certificate.

    1. Why was the authentication successful when "validate server certificate" was unchecked in the Wi-Fi profile?

    ----because your client does not have it in its list of trusted certificate authorities; so unchecking ignores this.

       What was the actual process that happened when "validate server certificate" was unchecked in the Wi-Fi profile?

    ----client ignores the certificate presented by the RADIUS server

    2. What will happen on the Windows client when the RADIUS server renews its server certificate:

       A) with "validate server certificate" checked

    ----Depends on where the certificate was issued from.  It would need to be reloaded to the clients; but again the process may vary.   Domain-joined machines can have these settings pushed out through Group Policy, including the trusted certificate.

       B) without "validate server certificate" checked.

    ----Nothing; but again, you should enable this feature


  • 7.  RE: Validate Server Certificate

    Posted Aug 12, 2014 09:44 AM

    From a security standpoint, not validating the server's identity is worse than using an open network.
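The client-side decisions discussed in posts 1, 5 and 6 (is the private root installed, is "connect to these servers" set, what happens when the RADIUS server certificate is renewed from the same CA) can be reproduced with openssl. The script below is an added example, not code from this thread or from Aruba. It builds a constructed private CA, issues an original and a renewed RADIUS server certificate from it, and models the Windows profile checkboxes in a `client_decision` function that runs `openssl verify`; the CA name, `radius.example.test` and `rogue.example.test` are placeholders, and the function is a model of the supplicant's checks, not the Windows supplicant itself.

```shell
#!/bin/sh
# Added example (not from the thread or Aruba): model the Windows supplicant's
# server-certificate checks with openssl. A constructed private CA issues a
# RADIUS server certificate, then a renewed one, and client_decision() shows
# what each combination of profile settings does with them.
# All names below (Example Corp, radius.example.test, rogue.example.test) are
# constructed placeholders.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# OpenSSL config: CA extensions for the private root, server extensions for the
# RADIUS certificate (server name in the SAN, serverAuth EKU as EAP clients expect).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Corp Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:radius.example.test
extendedKeyUsage = serverAuth
EOF

# The private CA. No client trusts it until its certificate is installed.
openssl req -x509 -new -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
  -nodes -sha256 -days 3650 -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_server_cert <out.crt>: a RADIUS server certificate signed by the CA.
# Called twice: the original certificate and its renewal (new key, new serial,
# same issuer, same name).
issue_server_cert() {
  openssl req -new -config pki.cnf -subj "/CN=radius.example.test" \
    -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions v3_srv -out "$1" >/dev/null 2>&1
}
issue_server_cert radius-2014.crt
issue_server_cert radius-renewed.crt

# client_decision <validate> <trusted_root|""> <expected_name|""> <server.crt>
# Prints "accept" or "reject". The arguments mirror the profile checkboxes:
#   validate       yes/no  "Validate server certificate"
#   trusted_root   file    the root the client has installed ("" = none, so
#                          only the system trust store, which lacks the private CA)
#   expected_name  name    "Connect to these servers" ("" = unchecked)
client_decision() {
  validate="$1"; trusted="$2"; expected="$3"; srv="$4"
  if [ "$validate" = "no" ]; then
    echo accept             # certificate ignored: any server is accepted
    return 0
  fi
  set --
  if [ -n "$trusted" ]; then
    set -- "$@" -CAfile "$trusted"
  fi
  if [ -n "$expected" ]; then
    set -- "$@" -verify_hostname "$expected"
  fi
  if openssl verify "$@" "$srv" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# The thread's scenarios, run against the original and the renewed certificate.
run_scenarios() {
  for c in radius-2014.crt radius-renewed.crt; do
    echo "$c:"
    echo "  validate unchecked                     -> $(client_decision no  ''     '' "$c")"
    echo "  validate checked, root not installed   -> $(client_decision yes ''     '' "$c")"
    echo "  validate checked, root installed       -> $(client_decision yes ca.crt '' "$c")"
    echo "  ... + connect to radius.example.test   -> $(client_decision yes ca.crt radius.example.test "$c")"
    echo "  ... + connect to rogue.example.test    -> $(client_decision yes ca.crt rogue.example.test "$c")"
  done
}
run_scenarios
```

The output lines up with the answers in the thread: with validation unchecked every certificate is accepted, which is why the customer's profile worked; with validation checked but the private root not installed the chain cannot be built and the client rejects, which is why the box had to be unchecked in the first place; once the root is installed (manually, by GPO, or by a tool such as QuickConnect, as post 4 says) both the original and the renewed certificate validate without any change on the client, because they chain to the same root; and "connect to these servers" rejects a server whose name does not match even though its certificate chains to a trusted root. The case post 6 warns about remains: if a renewal changes the issuing CA, the new root has to be distributed to the clients before they will accept it.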