Internal radius server authentication problem

  • 1.  Internal radius server authentication problem

    Posted Aug 26, 2012 11:48 AM

    Hi,

    I am using two AP90s in virtual controller mode and I want my users to authenticate using the internal RADIUS server of the APs. Here is what I have configured so far:

    - Enabled dynamic RADIUS proxy

    - Created a new network that is configured to use the internal RADIUS server

    - Created a user to test the settings

    - Uploaded a server certificate (pfx), a trusted PositiveSSL wildcard certificate that I also use for our web server

    - Uploaded a CA certificate (cer), a trusted AddTrust certificate

    I try to connect to the network using an XP SP3 client. I configured the following for the wireless network settings:

    - WPA2+AES

    - EAP type: PEAP

    - Verification method: EAP-MSCHAP v2

    - Configured it not to use the Windows username and password; this seems to be fine, since when I connect to the network it asks for a username and password

    Up to this point I am able to connect to the network, however as soon as I check the "verify server certificate" checkbox in the EAP properties I am no longer able to connect to the network. Every five seconds it asks for the username and password again.

    I hope someone can help. Are there things I need to set? Do I, for example, need to use a domain name in the username and password boxes on the XP client when it asks for my credentials, or do I need to set a domain name in the virtual controller? Could it be a problem with the server certificate, or the CA certificate? Are there ways to troubleshoot whether that is the problem? Or does someone have other suggestions?



  • 2.  RE: Internal radius server authentication problem

    EMPLOYEE
    Posted Aug 26, 2012 12:08 PM

    If you have not already, try to connect with an iPhone and see the server certificate that is presented to the user, and make sure it matches your uploaded cert.

    WAIT... did you say a wildcard certificate? Clients FREQUENTLY have issues with 802.1X when the server certificate is a wildcard. I would get a temporary certificate just to confirm that is what is happening.



  • 3.  RE: Internal radius server authentication problem

    Posted Aug 26, 2012 12:27 PM

    Do you know if there are any test certificates available that I can be sure will work?

    I also haven't set a domain name anywhere in the virtual controller settings; is that needed? I saw the enterprise domain option in the settings, but have left it blank.

    Thanks



  • 4.  RE: Internal radius server authentication problem

    EMPLOYEE
    Posted Aug 26, 2012 12:29 PM

    Verisign used to have a 3-day cert. Not sure if they do anymore.

    Yes, they do: http://www.symantec.com/pop.jsp?popupid=try_a_ssl_certificate



  • 5.  RE: Internal radius server authentication problem

    Posted Aug 26, 2012 01:18 PM

    Hello SSH

    Do you have an internal CA? Because if you do, you could just request a new certificate for that server using the computer certificate template and use that certificate. This certificate should not give you any issue in this deployment!

    As all your domain computers trust the root that issued that certificate, you should be all good to go...



  • 6.  RE: Internal radius server authentication problem

    Posted Aug 26, 2012 01:22 PM

    I actually do not have an internal CA, I manually upload the certificates for use on the webserver etc. And the devices that are connecting to the wireless network are not part of a domain.



  • 7.  RE: Internal radius server authentication problem

    EMPLOYEE
    Posted Aug 26, 2012 01:24 PM

    Windows 7 devices in particular just don't like wildcard certificates for 802.1X: http://www.mdmarra.com/2011/10/8021x-peap-nps-wildcard-certificates.html



  • 8.  RE: Internal radius server authentication problem

    Posted Aug 26, 2012 01:28 PM

    Well, that's good info, thanks Collin!

    It's good to know that!



  • 9.  RE: Internal radius server authentication problem

    Posted Aug 29, 2012 12:17 PM

    I think I'll just try a single domain certificate. Will a single domain certificate without company information be enough? Or do I need one that besides the domain validation also validates my company?



  • 10.  RE: Internal radius server authentication problem

    Posted Aug 29, 2012 07:05 PM
    Just ordered a single domain certificate, used openssl to convert it, uploaded it, and it works like a charm! Thanks for all your tips; it saved me a lot of trouble, and the certificate only cost me $20 for two years. Thanks!
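As an added example that is not part of the thread, the following shell pre-flight check covers the two points raised above: converting the .pfx with openssl before upload, as in the last post, and spotting a wildcard name (or a missing server-auth EKU) on the certificate, the cause that reply 2 and reply 7 point to. It assumes the openssl CLI is installed; the two certificates it generates are constructed throwaway test data.

```shell
# Added example, not from the thread: pre-flight checks on a PEAP/RADIUS server
# certificate before uploading it to the virtual controller. Requires the
# openssl CLI; the certificates generated below are constructed test data.
set -e

# Convert a PKCS#12 bundle (the .pfx from the first post) into PEM cert + key.
# Usage: pfx_to_pem server.pfx server.pem server.key  (prompts for the export password)
pfx_to_pem() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2"
  openssl pkcs12 -in "$1" -nocerts -nodes -out "$3"
}

# Print "wildcard" if the subject CN or any DNS SAN entry contains "*.",
# otherwise "single". Wildcard names are what several supplicants reject for 802.1X.
cert_name_kind() {
  names=$(openssl x509 -in "$1" -noout -text | grep -E '^ *Subject:|DNS:' || true)
  case "$names" in
    *'*.'*) echo wildcard ;;
    *)      echo single ;;
  esac
}

# Print "yes" if the certificate carries the TLS Web Server Authentication EKU,
# which supplicants expect on a RADIUS server certificate, otherwise "no".
has_server_auth_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

# Constructed demo certificates (self-signed, throwaway keys) in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.com' \
  -addext 'subjectAltName=DNS:*.example.com' -addext 'extendedKeyUsage=serverAuth' \
  -keyout "$WORK/wild.key" -out "$WORK/wild.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=radius.example.com' \
  -addext 'subjectAltName=DNS:radius.example.com' -addext 'extendedKeyUsage=serverAuth' \
  -keyout "$WORK/single.key" -out "$WORK/single.pem" 2>/dev/null

echo "wild.pem:   $(cert_name_kind "$WORK/wild.pem") name, serverAuth EKU: $(has_server_auth_eku "$WORK/wild.pem")"
echo "single.pem: $(cert_name_kind "$WORK/single.pem") name, serverAuth EKU: $(has_server_auth_eku "$WORK/single.pem")"
```

Run the two check functions against the PEM produced by `pfx_to_pem` from your real bundle; a "wildcard" result is the condition the thread identifies as breaking server-certificate validation on the XP and Windows 7 supplicants.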