Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Does anyone know how can I protect PEAP without validate server certificate on client side?

  • 1.  Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 05:47 AM

    Hi All,

    Does anyone know how can I protect PEAP without validate server certificate? Because of in my customer site didn't deploy RootCA and he already disable validate server certificate on client machine for all user.

     

    Thanks in advance 

    Regards,

     



  • 2.  RE: Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 05:56 AM

    There is no way to do that without "Validate Server Certificate".  What CA issued the radius server certificate?

     



  • 3.  RE: Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 06:04 AM

    Hi Colin,

     

    Thanks for quick reply.

    I use selfsign CA to signed radius server certificate. 

     

    In this case if I have Airmonitor it can help or not ?



  • 4.  RE: Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 06:09 AM

    aakmit,

     

    I am probably not answering your question.

     

    What problem are you trying to solve?

     

    If you have WPA2-AES-PEAP installed, you are using encryption on your clients.  If those same clients do not have "Validate Server Certificate" checked, they can be easily lured to an access point that broadcasts the same name, because the clients are not checking  to make sure they are attaching to the correct WLAN.

     

    What would Air monitors do in this situation?



  • 5.  RE: Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 06:29 AM

    Hi Colin,

     

    Sorry for my question not clear enough.

    Actually, I need to protect corporate wlan from unauthorized AP which broadcast the same corp SSID.

     

    In case someone setup AP with the same corp SSID to sniff user credential. If client machine didn’t check validate certificate is it possible to protect client connect to unauthorized AP with airmonitor?



  • 6.  RE: Does anyone know how can I protect PEAP without validate server certificate on client side?

    Posted Dec 27, 2012 06:38 AM

    You can do that if you have the RFprotect license installed on the controller using Air Monitors, yes, but it will cost you in hardware to deploy Air monitors.

     

    The best way to deal with this is to install an Enterprise CA in the domain:  The clients will all trust this server and then you can issue a server certificate to your Radius Server that your clients will trust.  After doing that you can setup a group policy that configures the WLAN of those clients where "Validate Server Certificate" is enabled.