Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Question On Protected EAP Properties In WIFI Properties

  • 1.  Question On Protected EAP Properties In WIFI Properties

    Posted Nov 24, 2022 04:40 PM
    I am trying to understand what the "Verify the server's identity by validating the certificate" option does.

    We have a ClearPass server whose certificate is signed by our internal CA. The root CA is installed on the laptops.

    In the Windows PEAP properties I chose "Connect to these servers" and listed my internal ClearPass server.

    For a test I then pointed the trusted root certification authority to one of the DigiCert Global Root CAs. I thought that by doing this I would fail authentication, because my ClearPass server is using a different CA, not the DigiCert Global CA. But to my surprise I was able to connect to the Wi-Fi network.

    Can anybody explain what is happening?



    ------------------------------
    stever
    ------------------------------


  • 2.  RE: Question On Protected EAP Properties In WIFI Properties

    EMPLOYEE
    Posted Nov 24, 2022 07:18 PM
    The way I understand it is: when you enable "Validate server certificate", the client will look at the server certificate, which is part of the PEAP authentication, to see if it matches one of the certificates that it has; otherwise it will fail the authentication.
    For example, you can set up your ClearPass with a self-signed certificate and then, with that client setting, try to connect to the EAP-TLS SSID; the authentication should fail with this error in Access Tracker:



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Question On Protected EAP Properties In WIFI Properties

    EMPLOYEE
    Posted Nov 25, 2022 05:42 AM
    Let me start by mentioning that you should avoid PEAP-MSCHAPv2, as it uses broken cryptography, and if you have an issue like this it is likely that your credentials can be captured by a rogue/malicious network.

    Then, I believe that Windows caches the certificates that have been trusted. So you may try again: fully remove the SSID and configure it again with just the DigiCert roots. It should not connect, with the message that Ariyap shared. Also, the server name is normally the DNS name of the RADIUS server certificate; it looks like you entered an email address in there. Have you double-checked that the internal CA is not also enabled in the list of Trusted Root CAs?

    If the client still connects, I would be worried, but that is a Microsoft issue, as the configuration seems correct to limit the client to connect only to a RADIUS server that has a certificate with a CN/SAN of NPSINTERNL@internal.mycompany.com and issued by one of the CAs selected.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

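What the two replies above describe can be modelled directly. The following is an added example, not code from the thread or from HPE Aruba, and it assumes (as the replies do) that a Windows PEAP supplicant with "Validate server certificate" enabled performs exactly two checks before sending inner MSCHAPv2 credentials: the RADIUS server's certificate must chain to one of the ticked trusted roots, and its CN or a DNS SAN must match one of the names under "Connect to these servers". All CAs and certificates are constructed in memory; "Internal Root CA" stands in for the poster's internal CA, "Public Root CA" for the DigiCert root that did not issue the ClearPass certificate, and "Rogue CA" for the malicious network Herman warns about. The hostnames are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// peapClientSettings mirrors the three PEAP dialog settings that matter here
// (assumed model of the Windows supplicant, not Microsoft's code).
type peapClientSettings struct {
	ValidateServerCert bool           // "Verify the server's identity by validating its certificate"
	TrustedRoots       *x509.CertPool // ticked entries under "Trusted Root Certification Authorities"
	ServerNames        []string       // entries under "Connect to these servers"
}

// checkRadiusServerCert returns nil when the supplicant would continue with the
// inner authentication, or an error describing why PEAP should be aborted.
func checkRadiusServerCert(s peapClientSettings, leaf *x509.Certificate) error {
	if !s.ValidateServerCert {
		return nil // nothing checked: MSCHAPv2 credentials go to whoever answered
	}
	opts := x509.VerifyOptions{Roots: s.TrustedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("server certificate not issued by a trusted root: %w", err)
	}
	if len(s.ServerNames) == 0 {
		return nil // "Connect to these servers" left empty: only the chain is checked
	}
	candidates := append([]string{leaf.Subject.CommonName}, leaf.DNSNames...)
	for _, want := range s.ServerNames {
		for _, got := range candidates {
			if strings.EqualFold(strings.TrimSpace(want), got) {
				return nil
			}
		}
	}
	return errors.New("server name does not match any configured name")
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	return n
}

// makeRootCA builds a constructed self-signed root for the scenarios below.
func makeRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// makeServerCert issues a RADIUS server certificate (CN plus DNS SAN) from the given CA.
func makeServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func pool(cs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}

// runScenarios replays the poster's experiment and the rogue-network case;
// the map reports whether each server would be accepted.
func runScenarios() map[string]bool {
	const radiusName = "clearpass.internal.example.com" // placeholder hostname
	internalCA, internalKey := makeRootCA("Internal Root CA")
	publicCA, _ := makeRootCA("Public Root CA") // stands in for DigiCert Global Root
	rogueCA, rogueKey := makeRootCA("Rogue CA")
	clearpass := makeServerCert(internalCA, internalKey, radiusName)
	rogue := makeServerCert(rogueCA, rogueKey, radiusName) // same name, untrusted issuer
	names := []string{radiusName}

	r := map[string]bool{}
	r["internal root trusted"] = checkRadiusServerCert(peapClientSettings{true, pool(internalCA), names}, clearpass) == nil
	r["only public root trusted"] = checkRadiusServerCert(peapClientSettings{true, pool(publicCA), names}, clearpass) == nil
	r["wrong server name"] = checkRadiusServerCert(peapClientSettings{true, pool(internalCA), []string{"nps.internal.example.com"}}, clearpass) == nil
	r["rogue server, validation on"] = checkRadiusServerCert(peapClientSettings{true, pool(internalCA), names}, rogue) == nil
	r["rogue server, validation off"] = checkRadiusServerCert(peapClientSettings{false, pool(internalCA), names}, rogue) == nil
	return r
}

func main() {
	for label, accepted := range runScenarios() {
		fmt.Printf("%-30s accepted=%v\n", label, accepted)
	}
}
```

Under this model the poster's configuration (only a DigiCert root ticked, ClearPass certificate issued by the internal CA) is the "only public root trusted" case and must be rejected, which is what both replies expect; a successful connection therefore points at the supplicant seeing a different trust configuration than the one intended (the internal root still ticked, a cached trust decision, or a stale profile), not at the check itself being lenient. The last scenario is the reason for the PEAP-MSCHAPv2 warning: with validation off, a rogue RADIUS server presenting any certificate is accepted and receives the MSCHAPv2 exchange.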


  • 4.  RE: Question On Protected EAP Properties In WIFI Properties

    Posted Nov 25, 2022 08:48 AM
    Thanks for the reply; I will try to do some more troubleshooting.

    Yes, we are moving away from PEAP, but we have one client group that still needs it. We are certificate-based on our main SSIDs.

    Thanks

    ------------------------------
    steve
    ------------------------------