Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Queston On Protected EAP Properties In WIFI Properties

This thread has been viewed 9 times
  • 1.  Queston On Protected EAP Properties In WIFI Properties

    Posted 2 days ago
    I am trying to understand what the verify the server identity by validating the certificate does.

    We have an ClearPass server signed by our internal CA. The root ca is installed on the laptops.

    In the windows PEAP properties I choose connect to these server and listed my internal ClearPass server.

    For a test I then pointed the trusted root certification server to one of the Digicert Global root CA for a test. I thought by doing this I would fail authentication because my ClearPass serve is using a different CA no the Digicert Global CA. But to my suprise I was able to connect to the WIFI network

    Anybody explain what is happening?



    ------------------------------
    stever
    ------------------------------


  • 2.  RE: Queston On Protected EAP Properties In WIFI Properties

    EMPLOYEE
    Posted 2 days ago
    the way i understand it is, when you enable "validate server cert" the client will look at the server cert which is part of the PEAP auth, to see if it matches one of the certs that it has, otherwise it will fail auth.
    for example you can set your clearpass with self signed cert and then with that client setting try to connect to the EAP-TLS SSID, the auth should fail with this error in access tracker



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Queston On Protected EAP Properties In WIFI Properties

    EMPLOYEE
    Posted yesterday
    Let me start by mentioning that you should avoid PEAP-MSCHAPv2 as it uses broken cryptography and if you have an issue like this, it's likely that your credentials can be captured by a rogue/malicious network.

    Then, I believe that Windows caches the certificates that have been trusted. So, you may try again and fully remove the SSID and configure again with just the Digicert servers. It should not connect, with the message that Ariyap shared. Also, the server name is normally the DNS name of the RADIUS server certificate, it looks like you entered an email address in there. Have you double-checked that the internal CA is not also enabled in the list of Trusted Root CAs?

    If the client still connects, I would be worried but that is a Microsoft issue as the configuration seem correct to limit the client to connect only to a RADIUS server that has a certificate with a CN/SAN of NPSINTERNL@internal.mycompany.com and issued by one of the CAs selected.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Queston On Protected EAP Properties In WIFI Properties

    Posted yesterday
    Thanks for the reply I will try to do some more troubleshooting.

    Yes we are moving away from PEAP but we have one client group that still needs it. We are certificate based on our main SSIDs.

    Thanks

    ------------------------------
    steve
    ------------------------------