Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant and configuration with 802.1x to radius certificate setup

  • 1.  Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 01:20 PM

    I have things configured properly in the sense that when I go on my Android phone and connect to the new SSID, I can choose PEAP, enter my AD username and password, choose "Don't validate" for CA certificate and it connects. I was also able to connect a domain laptop without entering anything; it just connected.


    The problem with that is, if someone else had the same SSID set up for WPA2 Enterprise, wouldn't my user credentials be sent out to try to connect? I tried messing with the CA cert, choosing "Use system certificate" and then putting in the domain name of our AD domain when adding the Wi-Fi to my Android, but no matter what I do it tells me invalid credentials. I even tried the domain name associated with our wildcard certificate.


    Did I miss something?  Does the wildcard cert we have need to be added somewhere on radius or somewhere in the IAP or?


    Thanks ahead of time for anything you can assist with. Apologies if my terminology is wrong or my sentences are bad; I have a bad headache today.




  • 2.  RE: Instant and configuration with 802.1x to radius certificate setup

    MVP GURU
    Posted Jun 22, 2020 01:30 PM

    Would you mind re-typing the following:

    "The problem with that is, if someone else had the same SSID set up for WPA2 Enterprise, wouldn't my user credentials be sent out to try to connect? I tried messing with the CA cert, choosing "Use system certificate" and then putting in the domain name of our AD domain when adding the Wi-Fi to my Android, but no matter what I do it tells me invalid credentials. I even tried the domain name associated with our wildcard certificate."


    I can't tell exactly what you are trying to do / changed. Thanks!




  • 3.  RE: Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 01:37 PM

    Sure thing.

     

    So I have my SSID with WPA2-Ent and my NPS RADIUS set up on Server 2016. It works, but under CA Certificate on my Android phone I have to choose "Don't Validate", which I believe introduces security problems.


    If a malicious person set up their own AP and put an SSID on it that was the same as mine, wouldn't they be able to hijack my user credentials if my phone tried to connect to their AP instead of mine?


    If yes, is it because I'm not using certificates?



  • 4.  RE: Instant and configuration with 802.1x to radius certificate setup

    MVP GURU
    Posted Jun 22, 2020 01:47 PM

    The authentication exchange happens between the RADIUS server and the client. The credentials are not in cleartext, and the validation of the certificate is to make sure that the connection is trusted.




  • 5.  RE: Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 01:58 PM

    If credentials are not in cleartext, that means they could not steal user account information, so this type of attack attempt would be pretty low benefit for someone to waste their time with.


    In regards to the validation of the certificate making sure the connection is trusted, what does that mean? Is this something that I should worry about? As I mentioned, we have a certificate; how hard is it to set up the validation and what extra protection does that provide?


    Thanks for your help!



  • 6.  RE: Instant and configuration with 802.1x to radius certificate setup

    MVP GURU
    Posted Jun 22, 2020 02:06 PM

    Yes, it would be more of a man-in-the-middle attack (evil twin) and they could snoop traffic. The certificate validation is to check whether the device should trust the RADIUS server's identity.




  • 7.  RE: Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 02:27 PM

    That makes sense and is what I was anticipating could happen.


    How do we implement the certificate for verification? On the RADIUS server or in Instant?


    Once we do implement the cert, what goes in the "Domain" blank on my Android device? The domain name in the certificate (.com) or the domain name of AD/RADIUS (.local)?


    Can we use wildcard cert?  (I know some things aren't compatible/can't use a wildcard).



  • 8.  RE: Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 03:46 PM

    Just to clarify: if the supplicant is not properly configured for EAP server trust, the credentials are essentially sent in clear text.


    The client's supplicant must be properly configured with the root CA and subject name. This can occur via a management platform (EMM/MDM, Group Policy, etc.), via an end-user provisioning flow, or manually.


    A wildcard cert should never be used for an EAP server identity. It should be a single name cert issued from a PKI under your organization's control.
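    The following is an added example, not code from this thread, from Aruba, or from Microsoft NPS: a small Python model of the server-identity check a supplicant performs before PEAP releases the user's credentials into the TLS tunnel. It ties together the points made above: with "Don't validate" (no trusted CA, no expected server name) any RADIUS server behind any AP that broadcasts the same SSID is accepted, while a profile that pins the organization's root CA and the server's name rejects an evil twin's server. The certificate fields, CA names and host names are constructed for illustration; the issuer comparison stands in for real signature-based chain validation, and rejecting wildcard names is the policy this answer recommends, not something every supplicant enforces.

```python
"""
Model of the EAP server-identity check a supplicant performs before
continuing PEAP and sending credentials through the TLS tunnel.
Constructed example; certificate fields, CA and host names are invented.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    """The fields a supplicant looks at. Simplified: an issuer-name match
    stands in for full signature-based chain validation."""
    subject_cn: str
    san_dns: Tuple[str, ...]
    issuer: str


@dataclass(frozen=True)
class SupplicantProfile:
    """trusted_ca=None models Android's "Don't validate".
    expected_domain is the value typed into the "Domain" field.
    suffix_match=True mirrors wpa_supplicant's domain_suffix_match (the name
    itself or any subdomain of it, on label boundaries); False requires an
    exact name like domain_match."""
    trusted_ca: Optional[str]
    expected_domain: Optional[str]
    suffix_match: bool = True


def domain_suffix_match(name: str, expected: str) -> bool:
    """True when name equals expected or ends with '.' + expected.
    The label boundary matters: 'notcorp.example.com' must not match
    'corp.example.com'. Case and a trailing dot are ignored."""
    name = name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return name == expected or name.endswith("." + expected)


def server_identity_ok(cert: ServerCert, profile: SupplicantProfile) -> Tuple[bool, str]:
    """Decide whether the supplicant should trust this EAP server and go on
    to send credentials inside the tunnel. Returns (decision, reason)."""
    if profile.trusted_ca is None:
        # "Don't validate": nothing is checked, so a rogue server is accepted.
        return True, "ACCEPTED WITHOUT VALIDATION: any server on this SSID is trusted"
    if cert.issuer != profile.trusted_ca:
        return False, f"issuer {cert.issuer!r} is not the configured CA"
    if not profile.expected_domain:
        # CA trust alone is not enough: any cert that CA ever issued would pass.
        return False, "no server name configured; CA trust alone is insufficient"
    names = cert.san_dns or (cert.subject_cn,)
    for name in names:
        if name.startswith("*."):
            # Policy from this thread: a wildcard must not identify an EAP server.
            return False, f"wildcard name {name!r} rejected for EAP server identity"
    if profile.suffix_match:
        matched = any(domain_suffix_match(n, profile.expected_domain) for n in names)
    else:
        matched = any(n.lower() == profile.expected_domain.lower() for n in names)
    if matched:
        return True, f"server identity {names!r} matches {profile.expected_domain!r}"
    return False, f"no name in {names!r} matches {profile.expected_domain!r}"


# Constructed certificates: the legitimate NPS server, an evil twin's server
# presenting a publicly trusted but unrelated certificate, and a wildcard
# issued by the organization's own CA.
LEGIT_CERT = ServerCert("nps01.corp.example.com", ("nps01.corp.example.com",), "Example Corp Root CA")
ROGUE_CERT = ServerCert("radius.attacker.example", ("radius.attacker.example",), "Some Public CA")
WILDCARD_CERT = ServerCert("*.corp.example.com", ("*.corp.example.com",), "Example Corp Root CA")

# Constructed supplicant profiles: the hardened one pins the root CA and the
# server's domain; the other is what "Don't validate" amounts to.
HARDENED = SupplicantProfile(trusted_ca="Example Corp Root CA", expected_domain="corp.example.com")
DONT_VALIDATE = SupplicantProfile(trusted_ca=None, expected_domain=None)


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("rogue", ROGUE_CERT), ("wildcard", WILDCARD_CERT)):
        for pname, profile in (("hardened", HARDENED), ("dont_validate", DONT_VALIDATE)):
            ok, why = server_identity_ok(cert, profile)
            print(f"{label:8s} / {pname:13s}: {'ok ' if ok else 'REJ'} {why}")
```

    Running the block prints one line per certificate/profile pair; the rogue certificate is rejected by the hardened profile and accepted by the "Don't validate" profile, which is exactly the exposure discussed above. The `expected_domain` value has to be a name that actually appears in the RADIUS server's certificate, which is why the choice of name on the certificate and the value typed into the device's "Domain" field cannot be decided independently.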



  • 9.  RE: Instant and configuration with 802.1x to radius certificate setup

    MVP GURU
    Posted Jun 22, 2020 04:19 PM

    Right. With wildcards, if one device certificate gets compromised, then any other device using the certificate is also now vulnerable.




  • 10.  RE: Instant and configuration with 802.1x to radius certificate setup

    Posted Jun 22, 2020 04:21 PM
    That’s a general security consideration, yes. But wildcards specifically should never be used for EAP.


  • 11.  RE: Instant and configuration with 802.1x to radius certificate setup

    MVP GURU
    Posted Jun 22, 2020 01:55 PM

    Please see the following for a better explanation of how your credentials are verified/authenticated:

    Attachment: 1.jpg