Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-PEAP CPPM Certificate issues with Windows 7

  • 1.  EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Jul 24, 2014 11:22 PM

    Hey guys, I am deploying a new CPPM server and I am having some issues with EAP-PEAP and Windows clients. The customer has two wireless networks: one is a captive portal page with user self-registration, and the other is just 802.1X (EAP-PEAP). I imported a wildcard certificate for both the SSL server and the RADIUS server, and the SSL captive portal side works great with everything. It shows the correct intermediate and root CA from DigiCert. However, the 802.1X side works with iOS, OS X, and Android, but Windows 7 users cannot connect unless they manually create a wireless profile and un-select "Validate server certificate". Before I tell the customer to purchase a new certificate just for this I want to make sure that will resolve the issue. I assume that Windows doesn't like a wildcard certificate for EAP-PEAP? They don't want to onboard, and their end users have BYOD devices not managed by the domain. Their end users are also not very technical, and having to walk each end user through creating a profile will be very painful.

    Thanks!



  • 2.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Jul 25, 2014 12:12 AM

    From the Technote on Certificates (a very good read!):

    "The downside of wildcard certificates is that they are not currently supported by Microsoft Windows 802.1X supplicants. If the deployment is purely a Guest deployment then you're good to go, but if there is a requirement now or later for 802.1X you should not go down the wildcard certificate road."

    You should get another specific server certificate or a self-signed RADIUS cert.

    Scott



  • 3.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Jul 25, 2014 12:27 AM

    Ok, just to clarify: if the customer purchases a specific commercial certificate from DigiCert, for example, then Windows 7 machines will trust it as a supplicant and will no longer have to un-check "Validate server certificate" in the wireless profile? This will be for internal employees to authenticate their BYOD devices, so it needs to be as seamless as possible.

    Thanks,



  • 4.  RE: EAP-PEAP CPPM Certificate issues with Windows 7
    Best Answer

    EMPLOYEE
    Posted Jul 25, 2014 12:53 AM

    Remember that if they plan on deploying any Windows 8.1 devices in the future, the cert must have the id-kp-eapOverLAN EKU.

    From the help in CPPM:

    "The RADIUS server certificate is used by ClearPass to secure authentication traffic. The HTTPS server certificate is used by ClearPass to secure web traffic. They can be configured in Policy Manager under Administration » Certificates » Server Certificate.

    The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However, if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority.

    To allow Windows 8.1 devices to authenticate successfully, this certificate must contain the id-kp-eapOverLAN extended key usage. ClearPass Onboard includes this when creating a "trusted" certificate; this is the recommended method of creating your RADIUS server certificate(s).

    The optimal configuration for Onboard is an HTTPS server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012.

    Alternatively, if you only wish to use a single Onboard Certificate Authority, then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process. Refer to the User Guide for more information.

    For testing purposes you can disable the requirement for HTTPS on the Authentication configuration page. However, this is an insecure configuration that should not be used in a production environment."

    One other option for your client is to also use Quick Connect to configure the PEAP devices.
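The two certificate properties this thread turns on, a wildcard subject CN (which the Windows 7 802.1X supplicant will not validate) and the id-kp-eapOverLAN extended key usage (1.3.6.1.5.5.7.3.14, which the ClearPass help text requires for Windows 8.1), can both be checked before a certificate is bought or installed. The following is an added example written for this page, not code from ClearPass, Aruba or any poster: a stdlib-only DER walker that pulls the subject CN and the extendedKeyUsage list out of a certificate and reports what a Windows supplicant would object to. The sample certificates it feeds itself are unsigned skeletons constructed inline for the demonstration; the host names, the additional id-kp-serverAuth check (1.3.6.1.5.5.7.3.1, which Windows supplicants also require) and the helper names are my assumptions, not from the thread.

```python
"""Check a DER X.509 RADIUS server certificate for a wildcard CN and the id-kp-eapOverLAN EKU."""
EKU_EXT_OID = "2.5.29.37"                   # extendedKeyUsage extension
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"   # the EKU the ClearPass help text names
CN_OID = "2.5.4.3"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def children(buf, start, end):               # (tag, value_start, value_end) of each nested TLV
    pos = start
    while pos < end:
        tag, vs, ve, pos = read_tlv(buf, pos)
        yield tag, vs, ve

def decode_oid(raw):
    """Decode DER OID contents (e.g. 2A 86 48 86 F7 0D) to dotted form."""
    arc0 = min(raw[0] // 40, 2)
    arcs, val = [arc0, raw[0] - arc0 * 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def subject_cn(buf, start, end):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; None if no CN present
    for _, set_s, set_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, set_s, set_e):
            (_, o_s, o_e), (_, v_s, v_e) = list(children(buf, atv_s, atv_e))
            if decode_oid(buf[o_s:o_e]) == CN_OID:
                return buf[v_s:v_e].decode()

def inspect_cert(der):
    """Return {'cn': ..., 'eku': [dotted OIDs]} for a DER-encoded certificate."""
    _, cert_s, cert_e, _ = read_tlv(der, 0)
    _, tbs_s, tbs_e = next(children(der, cert_s, cert_e))
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                 # EXPLICIT [0] version is optional
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, SPKI, tagged extras
    cn, eku = subject_cn(der, fields[4][1], fields[4][2]), []
    for tag, s, e in fields[6:]:
        if tag != 0xA3: continue             # EXPLICIT [3] Extensions
        _, exts_s, exts_e = next(children(der, s, e))
        for _, ext_s, ext_e in children(der, exts_s, exts_e):
            parts = list(children(der, ext_s, ext_e))
            if decode_oid(der[parts[0][1]:parts[0][2]]) != EKU_EXT_OID: continue
            _, oct_s, oct_e = parts[-1]      # extnValue OCTET STRING (a critical flag may precede it)
            _, seq_s, seq_e = next(children(der, oct_s, oct_e))
            eku = [decode_oid(der[a:b]) for _, a, b in children(der, seq_s, seq_e)]
    return {"cn": cn, "eku": eku}

def radius_cert_findings(der):
    """List the problems a Windows supplicant would have with this RADIUS server cert."""
    info, findings = inspect_cert(der), []
    if info["cn"] and info["cn"].startswith("*."):
        findings.append("wildcard CN: the Windows 7 802.1X supplicant will not validate it")
    if ID_KP_SERVER_AUTH not in info["eku"]:
        findings.append("missing id-kp-serverAuth EKU")
    if ID_KP_EAP_OVER_LAN not in info["eku"]:
        findings.append("missing id-kp-eapOverLAN EKU: Windows 8.1 clients will fail")
    return findings

# Constructed sample input: a DER encoder just big enough to build an unsigned v3 skeleton.
def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                       # base-128, continuation bit on all but the last byte
        enc = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            enc.insert(0, 0x80 | (a & 0x7F))
        out += enc
    return _tlv(0x06, bytes(out))

def sample_cert(cn, ekus):
    """Syntactically valid v3 certificate with a dummy key and signature (test input only)."""
    null, seq = _tlv(0x05, b""), lambda *p: _tlv(0x30, b"".join(p))
    name = lambda s: seq(_tlv(0x31, seq(_oid(CN_OID), _tlv(0x0C, s.encode()))))
    sig_alg = seq(_oid("1.2.840.113549.1.1.11"), null)           # sha256WithRSAEncryption
    eku_ext = seq(_oid(EKU_EXT_OID), _tlv(0x04, seq(*(_oid(o) for o in ekus))))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")),                   # version v3
              _tlv(0x02, b"\x01"),                               # serialNumber
              sig_alg, name("Example Issuing CA"),
              seq(_tlv(0x17, b"140725000000Z"), _tlv(0x17, b"150725000000Z")),
              name(cn),
              seq(seq(_oid("1.2.840.113549.1.1.1"), null), _tlv(0x03, b"\x00")),  # placeholder SPKI
              _tlv(0xA3, seq(eku_ext)))
    return seq(tbs, sig_alg, _tlv(0x03, bytes(9)))               # dummy signature
```

To run it against a real RADIUS server certificate, export it as DER (for a PEM file, `openssl x509 -in radius.pem -outform DER -out radius.der`) and pass the bytes to `radius_cert_findings`; `sample_cert("*.example.com", [ID_KP_SERVER_AUTH])` reproduces the wildcard case from the original post and `sample_cert("radius.example.com", [ID_KP_SERVER_AUTH, ID_KP_EAP_OVER_LAN])` the shape the ClearPass help asks for. The walker reads structure only; it verifies no signature, chain or SAN entries, so it complements rather than replaces a supplicant-side test.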

     



  • 5.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Jul 25, 2014 12:02 PM

    The web SSL side of things works great with the wildcard certificate, no issues there. It's the RADIUS side (EAP-PEAP) where Windows clients are having issues trusting the server certificate, causing the users to have to manually create the wireless profile and un-check "Validate server certificate". I am hoping that if the customer purchases a single certificate from DigiCert for this, it will resolve that issue. Before I have them purchase a certificate I wanted to verify that this was true.

    Thanks,



  • 6.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Apr 18, 2015 09:21 AM

    Hi,

    Any news on this one? Did it solve the issue when your customer purchased a certificate from DigiCert?

    I have the same issue, even after creating a self-signed certificate for RADIUS on the ClearPass.

    Thanks,

    François



  • 7.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Apr 28, 2015 12:37 PM

    From what I read here recently, publicly bought RADIUS certs are / will be hard to get soon and not wise to use. The way to go seems to be to work with self-signed ones signed with the local CA.



  • 8.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Apr 28, 2015 01:34 PM

    Hi,

    Thank you for your reply.

    When you are talking about the local CA, are you talking about the CA included in ClearPass Onboard?

    Thanks.

    François



  • 9.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    EMPLOYEE
    Posted Apr 28, 2015 01:46 PM

    I would work with your partner or Aruba SE on this. There are many variables and design decisions that can impact the type of RADIUS server certificate you use.

    Thanks,
    Tim


  • 10.  RE: EAP-PEAP CPPM Certificate issues with Windows 7

    Posted Apr 29, 2015 02:42 PM

    I was talking about a certificate from a Windows CA. Of course cappalli is right that there is no one solution for all situations, and working with your Aruba SE or partner is always a good idea.