Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

EAP-PEAP

  • 1.  EAP-PEAP

    Posted Aug 10, 2022 10:38 AM
    Hi,

    If you have an 802.1X SSID where you are doing EAP-PEAP authentication, on CPPM for example, you can have a self-signed cert or you can have a public cert; either would work. When you submit your credentials you are prompted to validate the server certificate. Is the server certificate prompt the same if you have a public cert or a self-signed cert?
    I am testing the behaviour and it is the same in both instances.
    Is there any way around having to trust the certificate, so the device connects automatically?

    Thanks,


  • 2.  RE: EAP-PEAP

    EMPLOYEE
    Posted Aug 10, 2022 04:17 PM

    The first time a device connects, there is no way to disable it. It is presented so that the user can validate what they are connecting to, and that their credentials are not being stolen by an "evil twin" network.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: EAP-PEAP

    Posted Aug 11, 2022 05:52 AM
    Is that the same behaviour regardless of what cert you have, self-signed vs. public?


  • 4.  RE: EAP-PEAP

    MVP
    Posted Aug 11, 2022 05:57 AM
    If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not apply to the RADIUS servers.

    Many, including our institution, use an open SSID with a captive portal and some onboarding software such as ClearPass Onboard or SecureW2.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: EAP-PEAP

    Posted Aug 11, 2022 06:14 AM
    My further question is: I have a Samsung phone, and if I forget the network I do not need to trust the cert. This device is not a managed device.
    I have an iPhone that is managed by JAMF; if I forget the network and connect, I need to trust the cert the first time.
    Is this behaviour different per manufacturer and device?


  • 6.  RE: EAP-PEAP

    EMPLOYEE
    Posted Aug 12, 2022 06:14 AM
    Yes, the behavior is different per device, and that is exactly the reason why you should never use EAP-PEAP in BYOD-like situations.

    Some devices prompt the user for a certificate, others don't even do that, and if there is a rogue authentication server users will likely leak their user credentials.

    If you have an MDM (you mention JAMF), make sure that you push the RADIUS server's root CA (a private PKI certificate is recommended for EAP), and strictly control the certificate trust and make sure that users cannot accept a rogue server certificate. Without an MDM or proper provisioning tool, you should not deploy PEAP-MSCHAPv2.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: EAP-PEAP

    MVP
    Posted Aug 12, 2022 07:03 AM
    An iPhone managed by JAMF should have a network Profile containing the certificate chain pushed out to the device. It would then trust the certificate with no prompt to the users. We do that with our iPads. The configuration in JAMF should be the same. JAMF already pushes out its own Profile for management purposes. The wireless one would just be another Profile on the device.

    We trust the certificate chain rather than the server certificate. That permits updating the server certificate, and no clients are affected if the new certificate uses the same certificate chain of trust.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
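What the advice in replies 6 and 7 looks like in practice, as an added example that is not part of the original thread: a minimal Apple configuration profile (the kind JAMF pushes) for an EAP-PEAP SSID that pins trust to a pushed root CA and to the RADIUS server's name, next to the "click-through" variant that leaves trust to the user, and a checker that tells the two apart. The payload keys (`com.apple.wifi.managed`, `com.apple.security.root`, `EAPClientConfiguration`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`, `TLSAllowTrustExceptions`) come from Apple's configuration profile reference; the SSID `corp-wifi`, the server name `radius.example.edu`, the identifier prefix and the CA bytes are placeholders I made up, and in a real deployment the CA bytes are the DER export of your private root CA.

```python
"""Build and audit an Apple Wi-Fi profile for an EAP-PEAP SSID.

Added example, not from the original thread. All names (SSID, RADIUS server
name, identifier prefix) are hypothetical placeholders; ca_der is whatever the
caller supplies (below, a constructed placeholder rather than a real DER cert).
"""
import plistlib
import uuid

PEAP_EAP_TYPE = 25  # IANA EAP method number for PEAP


def build_wifi_profile(ssid, ca_der, trusted_server_names, username=None,
                       pin_trust=True, org="Example Org",
                       prefix="edu.example.wifi"):
    """Return a configuration profile (XML plist bytes).

    pin_trust=True: the RADIUS server chain must anchor at the CA payload in
    this profile, the server certificate name must match trusted_server_names,
    and the user-facing "trust this certificate?" dialog is disabled.
    pin_trust=False: the weak variant that relies on the user accepting
    whatever certificate is presented (what an un-provisioned phone does)."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()

    eap = {"AcceptEAPTypes": [PEAP_EAP_TYPE],
           # Outer identity sent in the clear; the real username travels
           # inside the TLS tunnel, so do not leak it here.
           "OuterIdentity": "anonymous"}
    if username:
        eap["UserName"] = username
    if pin_trust:
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]
        eap["TLSTrustedServerNames"] = list(trusted_server_names)
        # Deprecated by Apple on newer OS releases (assumed still honoured on
        # older ones); anchors + trusted names are what enforce the pin.
        eap["TLSAllowTrustExceptions"] = False
    else:
        eap["TLSAllowTrustExceptions"] = True  # Apple's default behaviour

    payloads = [
        {"PayloadType": "com.apple.security.root",
         "PayloadVersion": 1,
         "PayloadIdentifier": f"{prefix}.ca",
         "PayloadUUID": ca_uuid,
         "PayloadDisplayName": "RADIUS root CA",
         "PayloadContent": ca_der},            # DER bytes -> <data>
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadVersion": 1,
         "PayloadIdentifier": f"{prefix}.{ssid}",
         "PayloadUUID": wifi_uuid,
         "PayloadDisplayName": f"Wi-Fi {ssid}",
         "SSID_STR": ssid,
         "HIDDEN_NETWORK": False,
         "AutoJoin": True,
         "EncryptionType": "WPA2",             # WPA2 + EAP config = Enterprise
         "ProxyType": "None",
         "EAPClientConfiguration": eap},
    ]
    profile = {"PayloadType": "Configuration",
               "PayloadVersion": 1,
               "PayloadIdentifier": prefix,
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": f"{org} Wi-Fi",
               "PayloadOrganization": org,
               "PayloadContent": payloads}
    return plistlib.dumps(profile)


def check_profile_trust(profile_bytes):
    """Audit every 802.1X Wi-Fi payload in a profile. Returns a list of
    findings; an empty list means trust is pinned the way reply 6 asks for."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in ("com.apple.security.root",
                                              "com.apple.security.pkcs1")}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue  # not an 802.1X network
        ssid = p.get("SSID_STR", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no certificate anchor, so any CA the "
                            f"device already trusts would be accepted")
        elif not set(anchors) <= cert_uuids:
            findings.append(f"{ssid}: anchor UUID does not match a certificate "
                            f"payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no TLSTrustedServerNames, so any server "
                            f"certificate from the anchored CA is accepted")
        if eap.get("TLSAllowTrustExceptions", True):
            findings.append(f"{ssid}: TLSAllowTrustExceptions not disabled, "
                            f"user can click through to a rogue server")
    return findings


if __name__ == "__main__":
    ca = b"constructed placeholder, not a real DER certificate"
    for pin in (True, False):
        prof = build_wifi_profile("corp-wifi", ca, ["radius.example.edu"],
                                  username="jdoe", pin_trust=pin)
        print(f"pin_trust={pin}:", check_profile_trust(prof) or "OK")
```

The profile only needs to carry the root (or the issuing CA you choose to anchor at): the RADIUS server sends its own certificate and any intermediates during the EAP-PEAP TLS handshake, which is why, as reply 7 notes, the server certificate can be rotated under the same chain without touching clients. Without `TLSTrustedServerNames`, any certificate issued by the anchored CA would be accepted, which is acceptable for a private PKI that issues nothing else but not for a public CA, one more reason reply 6 recommends a private PKI for EAP.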



  • 8.  RE: EAP-PEAP

    Posted Aug 11, 2022 11:11 AM
    It has been my experience that Apple devices will require a certificate validation, no matter the certificate, self signed or public.

    ------------------------------
    Bruce Entwistle
    Network manager
    University of Redlands
    ------------------------------