Certificate Warnings during 802.1x
Why am I getting a warning from my 802.1x supplicant about my RADIUS server certificate even though it was issued by a trusted CA?
When a device configured for 802.1x begins the authentication process, it may receive an X.509 certificate from the RADIUS server, which the server presents to identify itself to the device. This happens before the device has an IP address, so there can be no revocation status check or DNS-based verification of the kind available during an HTTPS connection. Only two criteria protect the device from rogue RADIUS servers: the certificate trust chain, and the subject name in the certificate presented by the RADIUS server.
Ideally, the 802.1x connection would be defined on the client device with a specific server name to look for in the RADIUS server certificate, in addition to trusting the CA which issued the certificate. Without a server name defined in the 802.1x connection, ANY certificate issued by a trusted CA would be accepted for this 802.1x session. This presents a major security risk, since any certificate issued by a major third-party trusted CA could be used to put up a rogue RADIUS server.
If an unsuspecting user were to connect to a rogue 802.1x service, such as a wireless LAN using PEAP with MSCHAPv2 for authentication, they would be at risk of handing their password hash to an untrusted third party simply because that party held a certificate issued by a public, trusted CA such as VeriSign.
In the absence of a named RADIUS server in the 802.1x configuration, some supplicants present a pop-up prompt showing the user the certificate supplied by the RADIUS server. It is then up to the user to check the name on this certificate and decide whether or not to trust this RADIUS server.
To avoid the pop-up warning, the 802.1x supplicant needs to be configured to trust a specific RADIUS server name. Instructions on how to do this vary from device to device.
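As an added illustration of the two configurations described above (this is example configuration written for this article, not ClearPass's or any vendor's own), the following wpa_supplicant network blocks show a PEAP/MSCHAPv2 profile that trusts only the issuing CA next to the corrected profile that also pins the expected RADIUS server name. The SSID, identity, CA file path and server name are placeholder values assumed for the example.

```ini
# Added example (not from the original article). Two wpa_supplicant network
# blocks for the same PEAP/MSCHAPv2 SSID. "corp-wifi", "jdoe",
# /etc/ssl/certs/corp-root-ca.pem and radius.example.com are placeholders.

# WEAK: trusts the CA only. Any server certificate issued by this CA is
# accepted, so the supplicant will either prompt the user to judge the
# certificate or, if prompts are suppressed, silently accept a rogue server.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
}

# CORRECTED: trust the issuing CA AND require the expected server name.
# domain_match is a full match against the certificate's SubjectAltName
# dNSName entries (falling back to the subject CN when no dNSName is present).
# domain_suffix_match would instead accept any host under the given suffix,
# so prefer domain_match when the RADIUS server name is known exactly.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.com"
}
```

With the corrected block, a certificate from the trusted CA whose name does not match radius.example.com causes the EAP exchange to fail before any MSCHAPv2 credential is sent, and no certificate prompt is shown to the user. Keep the CA file limited to the organization's own issuing CA rather than a public root bundle; the name check narrows which certificate is accepted, but the CA constraint is what stops a certificate for the same name obtained from a different issuer.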
ClearPass Onboard performs this task during device registration to facilitate RADIUS connections without pop-up warnings to end users during 802.1x authentication.