Does anyone know how can I protect PEAP without validate server certificate? Because of in my customer site didn't deploy RootCA and he already disable validate server certificate on client machine for all user.
Thanks in advance
There is no way to do that without "Validate Server Certificate". What CA issued the radius server certificate?
Thanks for quick reply.
I use selfsign CA to signed radius server certificate.
In this case if I have Airmonitor it can help or not ?
I am probably not answering your question.
What problem are you trying to solve?
If you have WPA2-AES-PEAP installed, you are using encryption on your clients. If those same clients do not have "Validate Server Certificate" checked, they can be easily lured to an access point that broadcasts the same name, because the clients are not checking to make sure they are attaching to the correct WLAN.
What would Air monitors do in this situation?
Sorry for my question not clear enough.
Actually, I need to protect corporate wlan from unauthorized AP which broadcast the same corp SSID.
In case someone setup AP with the same corp SSID to sniff user credential. If client machine didn’t check validate certificate is it possible to protect client connect to unauthorized AP with airmonitor?
You can do that if you have the RFprotect license installed on the controller using Air Monitors, yes, but it will cost you in hardware to deploy Air monitors.
The best way to deal with this is to install an Enterprise CA in the domain: The clients will all trust this server and then you can issue a server certificate to your Radius Server that your clients will trust. After doing that you can setup a group policy that configures the WLAN of those clients where "Validate Server Certificate" is enabled.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.