Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unknown Certificate - Radius Active Directory Authentication

  • 1.  Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 04:58 AM

    Hello everyone,

     

    Sorry if this question has already been asked, but I can't seem to find an answer.

    I'm designing a very simple Wi-Fi architecture for my company, only 130 people, composed of 15 Aruba IAP-207 access points.

    For our employee Wi-Fi network, I want my users to authenticate with their AD logins with 802.1x, quite simple.

    It works very well; the only thing I can't do is bypass a certificate warning.

    I've created a self-signed certificate to authenticate my RADIUS server and allow the 802.1x authentication. For the company-owned devices, I think I'll be able to push a GPO and install the certificate, but what about the personal laptops and smartphones? Any way to get around the warning?

    I've attached 2 screenshots: one warning on Apple and the other one on Windows 10.

    Thanks a lot!

    Regards,

    François-Xavier



  • 2.  RE: Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 05:25 AM
    For company devices you can push a GPO with the correct settings.
    For personal devices it's not possible to prevent this certificate message. It's just a validation message.

    Next to this, it's not advisable to use EAP-PEAP on unmanaged devices because EAP-PEAP was broken years ago. EAP-PEAP is safe when you do proper certificate checking at the client.
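
What "proper certificate checking at the client" looks like on a client that uses wpa_supplicant, as an added example that is not part of the original thread: the first network block accepts any RADIUS server certificate, the second pins the issuing CA and the server name. The SSID, identity, password, CA file path and server domain are constructed placeholders, and the choice of wpa_supplicant is an assumption (the thread only mentions Windows and Apple clients).

```conf
# Constructed example: SSID, identity, password, path and domain are
# placeholders. Use one of the two blocks, not both.

# Weak: no ca_cert is set, so the RADIUS server certificate is not
# validated and the client will run PEAP/MSCHAPv2 with whichever
# server answers for this SSID.
network={
    ssid="Corp-Employee"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: the server certificate must chain to the given CA and its
# name must match the expected RADIUS server domain before the inner
# authentication starts.
network={
    ssid="Corp-Employee"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```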


  • 3.  RE: Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 06:07 AM

    Hi Willem, 

    Thanks for the reply.

     

    What would be the best option to authenticate unmanaged devices with Active Directory credentials?

    Thanks!

    François-Xavier



  • 4.  RE: Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 06:43 AM
    If you use EAP-PEAP, don't use your AD credentials. A better option is to use EAP-TLS. ClearPass Onboard can be a solution for this.


  • 5.  RE: Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 08:56 AM

    It can't be done with Instant, you need ClearPass? And what about direct LDAP queries? Is that a viable option?

    Thanks a lot :)

     



  • 6.  RE: Unknown Certificate - Radius Active Directory Authentication

    Posted May 28, 2019 09:05 AM
    Yes, for Onboard you need ClearPass.
    LDAP is not a solution.

    EAP-PEAP works, but it's not secure. It's a relative issue to capture the password hash. Because the hash is MD4-encrypted, it's possible to decrypt the hash.


  • 7.  RE: Unknown Certificate - Radius Active Directory Authentication

    EMPLOYEE
    Posted May 28, 2019 09:36 AM
    Please work with your Aruba partner.