Contributor II

Questions about 802.1X EAP-PEAP authentication process.

Hi All, 

If I'm not wrong, when we initiate 802.1X EAP-PEAP authentication, a certificate from the RADIUS server is pushed to the workstation.

The certificate can be either self-signed or signed by a private certification authority.

 

1. I would like to know if the certificate that is sent in this transaction is stored on the client (especially Windows), or is the certificate sent in all authentications?

2. When using a signed certificate, should we check the "Validate Server Certificate" option and select the "Trust Root Certification Authorities" in the properties of the WiFi connection (Windows)?

3. Has anyone had the experience of using a Public Certification Authority for 802.1X authentication? Can a simple SSL certificate be used/ordered for this? Or is there a certificate for the specific purpose of Server Auth / Client Auth in the Public CA?

 

Thank you,

Ed

Guru Elite

Re: Questions about 802.1X EAP-PEAP authentication process.

1.  There is only the requirement for a Server Certificate.  The certificate is not "sent", it is compared.  The client will compare the server certificate with the certificates in its trusted certificate authority if "Validate Server Certificate" is checked on the client.

2.  If a client is part of a domain and there is an enterprise certificate authority, the client will by default trust anything that was issued by that certificate authority.  If you are using a self-signed server certificate, you will have to install that server's certificate manually on the client into the Trusted Certificate Store, to be able to enable "Validate Server Certificate".

3.  You should not use a public server certificate for 802.1x if you have a domain, because (1) a CA in a domain is free and (2) all of your clients already trust it.  You would use a public server certificate for 802.1x mainly if most of your clients are not part of a domain (higher education institution like college). 

 

An SSL certificate and an 802.1x certificate have the same certificate requirements, so they theoretically can be used interchangeably.  The advice about how to issue and obtain that certificate above stands, however.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
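
Added example, not part of the original thread or of any poster's reply: a bash script that uses the `openssl` CLI to apply the two checks discussed above to a RADIUS server certificate, namely that it chains to a root the client trusts and that it carries the Server Authentication EKU that TLS and PEAP server certificates share. It assumes `openssl` is installed; the CA name, `radius.example.test`, the function names and all certificates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: all keys, names and certificates here are constructed.
work=$(mktemp -d)

# Pass only if the cert chains to the trusted root AND has the Server
# Authentication EKU (the purpose TLS and PEAP server certs share).
check_radius_cert() {  # $1 = trusted root PEM, $2 = RADIUS server cert PEM
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q "TLS Web Server Authentication"
}

issue() {  # $1 = output name, $2 = extension section; signed by the private CA
  openssl req -new -config "$work/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.test" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -extfile "$work/cfg" -extensions "$2" -out "$work/$1.pem" 2>/dev/null
}

# Builds a private root CA (standing in for a domain's enterprise CA), a
# server cert and a client-only cert issued by it, and a self-signed server
# cert that was never installed in the trust store.
make_fixtures() {
  cat > "$work/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[cli]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$work/cfg" -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private Root CA" -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null &&
  issue srv srv && issue cli cli &&
  openssl req -x509 -config "$work/cfg" -extensions srv -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=radius.example.test" -keyout "$work/self.key" -out "$work/self.pem" 2>/dev/null
}

make_fixtures
for c in srv cli self; do
  if check_radius_cert "$work/ca.pem" "$work/$c.pem"; then echo "$c: accept"; else echo "$c: reject"; fi
done
```

Only the certificate issued by the trusted root with the server purpose is accepted; the self-signed one is rejected until its certificate is itself placed in the trust store, as the reply above describes.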
Contributor II

Re: Questions about 802.1X EAP-PEAP authentication process.

Many thanks for the explanation.
