Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Questions about 802.1X EAP-PEAP authentication process.

  • 1.  Questions about 802.1X EAP-PEAP authentication process.

    Posted May 21, 2018 12:37 PM

    Hi All, 

    If I'm not wrong, when we initiate 802.1X EAP-PEAP authentication, a certificate from the RADIUS server is pushed to the workstation.

    The certificate can be either self-signed or signed by a private certification authority.

     

    1. I would like to know if the certificate that is sent in this transaction is stored on the client (especially Windows), or is the certificate sent in all authentications?

    2.  When using a signed certificate should we check the "Validate Server Certificate" option and select the "Trust Root Certification Authorities" in the properties of the WiFi connection (Windows)?

    3. Has anyone had the experience of using a Public Certification Authority for 802.1X authentication? Can a simple SSL certificate be used/ordered for this? Or is there a certificate for the specific purpose of Server Auth / Client Auth in the Public CA?

     

    Thank you,

    Ed



  • 2.  RE: Questions about 802.1X EAP-PEAP authentication process.

    EMPLOYEE
    Posted May 21, 2018 01:30 PM

    1.  There is only the requirement for a Server Certificate.  The certificate is not "sent", it is compared.  The client will compare the server certificate with the certificates in its trusted certificate authority if "Validate Server Certificate" is checked on the client.

    2.  If a client is part of a domain and there is an enterprise certificate authority, the client will by default trust anything that was issued by that certificate authority.  If you are using a self-signed server certificate, you will have to install that server's certificate manually on the client into the Trusted Certificate Store, to be able to enable "Validate Server Certificate".

    3.  You should not use a public server certificate for 802.1x if you have a domain, because (1) a CA in a domain is free and (2) all of your clients already trust it.  You would use a public server certificate for 802.1x mainly if most of your clients are not part of a domain (higher education institution like college). 

     

    An SSL certificate and an 802.1x certificate have the same certificate requirements, so they theoretically can be used interchangeably.  The advice about how to issue and obtain that certificate above stands, however.
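
Added example, not part of the original posts: a Python audit of a Windows WLAN profile (as exported with `netsh wlan export profile`) that reports whether "Validate Server Certificate" is enabled and a trusted root CA is selected. It goes one step beyond the thread by also checking that a RADIUS server name is pinned, which matters most with a public CA; the profile text, SSID, server name and thumbprint are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

def sample_profile(validate, server_names, root_thumbprint):
    """Constructed, abbreviated PEAP section of an exported WLAN profile."""
    root = f"<TrustedRootCA>{root_thumbprint}</TrustedRootCA>" if root_thumbprint else ""
    return f"""<WLANProfile><name>ExampleCorp</name>
<EapType xmlns="{V1}">
  <ServerValidation>
    <ServerNames>{server_names}</ServerNames>
    {root}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{V2}">{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType></WLANProfile>"""

def audit_peap_profile(xml_text):
    """Return findings for weak RADIUS server validation in one profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        values.setdefault(local, []).append((el.text or "").strip())
    findings = []
    # Assumption of this example: a missing element is treated like "false".
    if values.get("PerformServerValidation", ["false"])[0].lower() != "true":
        findings.append("server certificate is not validated")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA selected")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name pinned")
    return findings

if __name__ == "__main__":
    weak = sample_profile("false", "", "")
    hardened = sample_profile("true", "radius.example.com", "00 11 22 33")
    for label, xml_text in (("weak", weak), ("hardened", hardened)):
        print(label, audit_peap_profile(xml_text))
```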



  • 3.  RE: Questions about 802.1X EAP-PEAP authentication process.

    Posted May 21, 2018 01:41 PM

    Many thanks for the explanation.