Aruba Employee

Re: 802.1x and signed certificates

First, you need to install the Web Server IIS role.


Then you can create a cert request via the IIS Manager: Select the Server, double-click Server Certificates, right-click in the Server Certificates, choose "Create Certificate Request". This will walk you through the wizard. Once the Cert company gives you your cert, you go into that window again, right-click, choose Complete Certificate Request.

Thanks,

Zach Jennings
Moderator

Re: 802.1x and signed certificates

I have used the following nasty CLI command to install another certificate that the NPS is required to trust in order to terminate EAP. I am not an MS expert, so I certainly hope there is another way to achieve the same result, but it appeared to work for me:


certutil -enterprise -addstore NTAuth CA_CertFilename.cer


Hope this helps.

Contributor II

Re: 802.1x and signed certificates

So I've installed the IIS role, generated the CSR, had it signed, completed the Certificate Request.


Then I set up NPS and set up PEAP, selecting that new cert from the drop-down. Then I tried connecting with a client on several different platforms (Apple, Android, BlackBerry, Windows); they pass network authentication but still show the cert as 'not verified'.


Am I missing a step? Does the domain name the cert is issued to matter? For now I just used the FQDN of the server.

Occasional Contributor II

Re: 802.1x and signed certificates

I've got the same issue as mmeyer.


We bought an external cert. Set up NPS to use it, and the devices still complain that it's not verified. I'm wondering if the device is attempting a CRL lookup and can't verify the cert status, and that's what's causing the issue.


Our end goal is to have users connect without an annoying cert error warning. It seems like this is a common enough scenario that Aruba would have a document describing the procedure to get this in place.

Guru Elite

Re: 802.1x and signed certificates

The problem is that different devices trust different groups of CAs, and even those devices will alert you the first time they see a different certificate from a CA, even though they trust it. The issue is between the devices and the Certificate Authorities, and the behavior they use to handle certificates.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: 802.1x and signed certificates


Bummer... It sounds like it's annoying by design... It's really no better than the self-signed cert that I was using before.


Thanks cjoseph.

Super Contributor II

Re: 802.1x and signed certificates

I'd like to +1 this thread. I have hit this limitation as well, and my client is asking what benefit the public cert offers when you still can't verify the PEAP cert.

Contributor II

Re: 802.1x and signed certificates

I am just running into this problem as well.


My thought process was that by terminating at the controller with a publicly trusted cert of my choosing, we would be in a position to prevent the annoying warnings/validations from coming up. In the EDU space, students bring a bevy of unmanaged clients onto the network, and I don't like advising "Just click OK if you get a cert error" or "disable the server validation" checkbox.


I originally thought I was having a chaining problem, but I tied the whole trust chain together into a single server crt file I used to terminate EAP on the controller. Upon connecting, on an OS X Lion client, if you click the "details" button it now shows a clean trust chain and just asks you to take a look at the certificate, and subsequently adds it to the keystore. On my iPhone 4, I get a "Not Verified" warning.


My Android clients connect just fine.


Anyone come up with a clean(er) solution to this problem?

Kevin Schoenfeld
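A way to check for the kind of chaining problem described in the post above, as an added example that is not from this thread or from Aruba: the script below uses openssl to build a constructed root / issuing CA / server chain (every name in it, such as nps.example.test, is made up), then checks a server bundle the way a supplicant effectively does. The leaf must chain to a trusted root through the intermediates shipped with it, and it must carry the TLS Web Server Authentication EKU, which Windows supplicants require on the EAP server certificate. It also shows what the check reports when the intermediate is left out of the bundle or the leaf has the wrong EKU.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed three-tier chain
# (root -> issuing CA -> RADIUS server) with openssl, then check a server
# bundle the way an EAP supplicant needs it: a complete chain up to a trusted
# root and a leaf that carries the TLS Web Server Authentication EKU.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the default openssl.cnf does not add its own extensions.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# Extension profiles: CA certs, a correct server cert, and a server cert
# that only has clientAuth (the mistake that makes Windows reject it).
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nps.example.test
[noeku]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Key + CSR helper; all subjects below are constructed for this example.
mkcsr() { # $1 basename, $2 subject
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
mkcsr root "/CN=Example Root CA"
mkcsr int  "/CN=Example Issuing CA"
mkcsr nps  "/CN=nps.example.test"
mkcsr bad  "/CN=nps.example.test"

openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ext.cnf -extensions ca -out root.crt 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -extfile ext.cnf -extensions ca -out int.crt 2>/dev/null
openssl x509 -req -in nps.csr -CA int.crt -CAkey int.key -CAcreateserial -days 825 -extfile ext.cnf -extensions server -out nps.crt 2>/dev/null
openssl x509 -req -in bad.csr -CA int.crt -CAkey int.key -CAcreateserial -days 825 -extfile ext.cnf -extensions noeku -out bad.crt 2>/dev/null

# Three bundles: complete, leaf without its intermediate, and wrong EKU.
cat nps.crt int.crt > full.pem
cp nps.crt leaf_only.pem
cat bad.crt int.crt > noeku.pem

# check_eap_bundle BUNDLE ROOT: BUNDLE is the PEM file loaded on the EAP
# server (leaf first, then intermediates); ROOT is the CA the client trusts.
# Prints "ok", "chain-broken" or "no-serverauth-eku".
check_eap_bundle() {
  rm -f chk_*.pem
  # Split the bundle into one file per certificate: chk_1.pem is the leaf.
  awk '/BEGIN CERT/{n++} {print > ("chk_" n ".pem")}' "$1"
  untrusted=""
  if [ -e chk_2.pem ]; then
    cat chk_[2-9].pem > chk_inter.pem
    untrusted="-untrusted chk_inter.pem"
  fi
  # Path validation: leaf -> intermediates in the bundle -> trusted root.
  if ! openssl verify -CAfile "$2" $untrusted chk_1.pem >/dev/null 2>&1; then
    echo chain-broken; return 0
  fi
  # EKU check on the leaf only.
  if ! openssl x509 -in chk_1.pem -noout -text | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo no-serverauth-eku; return 0
  fi
  echo ok
}

echo "full bundle:       $(check_eap_bundle full.pem root.crt)"
echo "leaf only:         $(check_eap_bundle leaf_only.pem root.crt)"
echo "no serverAuth EKU: $(check_eap_bundle noeku.pem root.crt)"
```

To use it on a real deployment, call check_eap_bundle with the PEM bundle you loaded on the controller or NPS and the root certificate the clients are expected to trust. A clean result only means the chain and EKU are right: as cjoseph says above, whether a given phone trusts that root and whether it prompts on first sight is up to the device, and since an EAP supplicant has no URL to match the certificate against, a publicly trusted name on the certificate does not by itself remove the prompt.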

Frequent Contributor I

Re: 802.1x and signed certificates

At the Airheads Conference, in the Top 10 tips from TAC, they talked about how to allow OCSP to verify certificates during authentication. Could this be the solution to your problems?


http://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/148/2/2012%20AH%20Vegas%20-%20Top10%20Tips%20from%20Aruba%20TAC.pdf


(Tip #7)

Super Contributor II

Re: 802.1x and signed certificates

Hi jaker,


Thanks for the info. I missed the Airheads conference, so it is good to see what was covered.


Unfortunately, that workaround is not able to help us in this case, as the OCSP problems seem to be related to TLS / EAP authentication rather than SSL / Web authentication.


I believe there is an RFC in place that allows for client OCSP verification in the TLS exchange; however, this has not been implemented in any client devices yet.

Cam, feel free to correct me if this is not the case.
