Controllerless Networks

New Contributor

Instant and configuration with 802.1x to radius certificate setup

I have things configured properly in the sense that when I go on my Android phone and connect to the new SSID, I can choose PEAP, enter my AD username and password, choose "Don't validate" for the CA certificate, and it connects. I was also able to connect a domain laptop without entering anything; it just connected.

The problem with that is, if someone else had the same SSID set up for WPA2 Enterprise, wouldn't my user credentials be sent out to try to connect? I tried messing with the CA cert and choosing "use system certificate", then putting in the domain name of our AD domain when adding the Wi-Fi to my Android, but no matter what I do it tells me invalid credentials. I even tried the domain name associated with our wildcard certificate.

Did I miss something? Does the wildcard cert we have need to be added somewhere on RADIUS, or somewhere in the IAP, or...?

Thanks ahead of time for anything you can assist with. Apologies if my terminology is wrong or my sentences are bad; I have a bad headache today.

 

Super Contributor II

Re: Instant and configuration with 802.1x to radius certificate setup

Would you mind re-typing the following:

"The problem with that is if someone else had same SSID and setup for WPA2 Enterprise, wouldn't my user credentials being sent out to try to connect?  I tried messing with the CA cert and choosing use system certificate then putting in the domain name of our AD domain when adding the wifi to my android but no matter what I do it tells me invalid credentials.  I even tried the domain name associated with our wildcard certificate."

I can't tell exactly what you are trying to do / changed. Thanks!


Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
New Contributor

Re: Instant and configuration with 802.1x to radius certificate setup

Sure thing.

So I have my SSID with WPA2-Ent and my NPS RADIUS set up on Server 2016. It works, but under CA Certificate on my Android phone I have to choose "Don't Validate", which I believe introduces security problems.

If a malicious person set up their own AP and put an SSID on it that was the same as mine, wouldn't they be able to hijack my user credentials if my phone tried to connect to their AP instead of mine?

If yes, is it because I'm not using certificates?

Super Contributor II

Re: Instant and configuration with 802.1x to radius certificate setup

The authentication exchange happens between the RADIUS server and the client. The credentials are not in cleartext, and the validation of the certificate is to make sure that the connection is trusted.

Super Contributor II

Re: Instant and configuration with 802.1x to radius certificate setup

Please see the following for a better explanation of how your credentials are verified/authenticated:

[attached image: 1.jpg]

New Contributor

Re: Instant and configuration with 802.1x to radius certificate setup

If credentials are not in cleartext, that means they could not steal user account information, so this type of attack attempt would be pretty low-benefit for someone to waste their time on.

In regards to the validation of the certificate making sure the connection is trusted, what does that mean? Is this something I should worry about? As I mentioned, we have a certificate; how hard is it to set up the validation, and what extra protection does that provide?

Thanks for your help!

Super Contributor II

Re: Instant and configuration with 802.1x to radius certificate setup

Yes, it would be more of a man-in-the-middle attack (evil twin), and they could snoop traffic. The certificate validation is to check whether the device should trust the RADIUS server's identity.

New Contributor

Re: Instant and configuration with 802.1x to radius certificate setup

That makes sense, and it is what I was anticipating could happen.

How do we implement the certificate for verification? On the RADIUS server or in Instant?

Once we do implement the cert, what goes in the "domain" blank on my Android device? The domain name in the certificate (.com) or the domain name of AD/RADIUS (.local)?

Can we use a wildcard cert? (I know some things aren't compatible / can't use a wildcard.)

Frequent Contributor I

Re: Instant and configuration with 802.1x to radius certificate setup

Just to clarify, if the supplicant is not properly configured for EAP server trust, the credentials are essentially sent in clear text.

The client's supplicant must be properly configured with the root CA and subject name. This can occur via a management platform (EMM/MDM, Group Policy, etc.), via an end user provisioning flow, or manually.

A wildcard cert should never be used for an EAP server identity. It should be a single name cert issued from a PKI under your organization's control.
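As an added illustration (not from this thread, and not a configuration any of the posters supplied), here are the two supplicant states discussed above written as `wpa_supplicant.conf` network blocks, which make the "root CA and subject name" requirement concrete. The SSID, the RADIUS server FQDN, the CA file path and the identities are assumed placeholders. The first block is the Linux equivalent of choosing "Don't validate" on Android; the second pins the organisation's private root CA and the single name on the RADIUS server's certificate. Note that the name the supplicant checks is the one inside the server certificate (on Android this is what the "Domain" field compares against), not the AD realm, and that the server certificate itself lives on the NPS/RADIUS server while the client only needs the CA.

```conf
# Added example (not from the thread): wpa_supplicant network blocks.
# Placeholders, all assumed: CorpWiFi, radius1.corp.example.com,
# /etc/ssl/corp-root-ca.pem, jdoe, CHANGE_ME.

# WEAK: equivalent of Android "Don't validate".
# No ca_cert and no domain check, so the supplicant builds the PEAP TLS
# tunnel to whichever RADIUS server answers for this SSID and then sends
# the inner MSCHAPv2 credential exchange into it, trusted or not.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="CHANGE_ME"
    phase2="auth=MSCHAPV2"
    # ca_cert deliberately absent: the server certificate is never verified
}

# HARDENED: pin the private root CA and the RADIUS server's single-name
# certificate. PEAP only proceeds if the server presents a certificate that
# chains to this CA and whose name exactly equals domain_match.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    # outer identity, so the real username is not sent in the unprotected outer EAP-Identity
    anonymous_identity="anonymous"
    password="CHANGE_ME"
    phase2="auth=MSCHAPV2"
    # root of the organisation's own PKI, not the public wildcard certificate
    ca_cert="/etc/ssl/corp-root-ca.pem"
    # full FQDN present in the server certificate's SAN/CN; a rogue server
    # without a certificate chained to this CA for this exact name is rejected
    domain_match="radius1.corp.example.com"
}
```

The second block is what an EMM/MDM profile or Group Policy pushes out in practice: the CA file and the expected server name are the two items that have to reach every client, and they are the same two items a manually configured phone needs (CA certificate plus Domain).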

Super Contributor II

Re: Instant and configuration with 802.1x to radius certificate setup

Right. With wildcards, if one device's certificate gets compromised, then any other device using the certificate is now also vulnerable.
