03-21-2014 01:19 PM
How do you avoid non-domain clients getting the server certificate warning when connecting to a secure SSID? I am using Windows 2012 Server. The Mac OS devices display the warning but you can still continue to authenticate. Windows computers behave differently depending on whether it is Windows 8 or 7. I have to manually disable "validate certificate". Also, sometimes the machine will try to authenticate using local credentials first without prompting the user for credentials, so I have to manually add a Wi-Fi profile and select user authentication under advanced settings. I was thinking of using EAP-TLS but haven't found a way to distribute the certificate without using ClearPass or hosting it on a web server so users download it and install it. So my next option was EAP-PEAP MSCHAPv2, but you still get the certificate warning even though the server will just validate user and password. I am typing this on a tablet so I apologize for any typos.
03-21-2014 01:25 PM
Even with EAP-PEAP, there is a server certificate involved. You can try to get your server cert on the RADIUS server signed by a public authority like Entrust or VeriSign. That *should* bypass that "validate server cert" popup; however, depending on the public cert and/or its trust chain, it may not work for all clients. That said, most clients do have several public CAs in their trust list by default.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
03-21-2014 01:59 PM
The only way to avoid the cert warning is to pre-load and trust your EAP cert on the client (basically what the domain does for domain-joined machines, i.e. using rules to pre-load and trust the cert (or disable validation... :o )).
The problem is that even if the cert is valid and from a public authority, the EAP traffic is layer 2 proxied to your RADIUS server, so there is no way for the client to verify it is receiving the cert from the actual system the cert is claiming it's from.
So the system needs to ask the user to determine if it's OK to trust or not, and that might not be the best discriminator of trust :)
03-21-2014 04:19 PM - edited 03-21-2014 04:21 PM
The one thing to remember is that the 802.1X standard doesn't particularly care if the certificate is valid or not (from a CRL / OCSP standpoint) for PEAP.
When you get that popup on the client, it's simply saying: you've never connected to this network (ESSID) and I don't have a configuration for it, so do you trust this server (certificate) to send your credentials to?
It would be the equivalent of walking into a TD Bank and them handing you a deposit slip with a Bank of America logo. You probably shouldn't put your account number down on that slip since you know you are inside a TD Bank.
This was a good chunk of my 802.1X presentation last week at Airheads. Here are the slides:
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |