New Contributor

Certificate Error when Connecting to SSID w/ 802.1x

Another noob issue coming at ya, lol. 

 

I am getting the following error when connecting to an SSID that's set up with 802.1x through a Windows RADIUS server. 

 

Capture1.PNG

 

7205 Controller based wireless system

Guru Elite

Re: Certificate Error when Connecting to SSID w/ 802.1x

If the certificate was issued by a Certificate Authority that the client does not trust (self-signed), the client will generate that error.  For clients that are in a domain, typically you would generate the server certificate from an Enterprise CA that is part of the domain, because the clients automatically will trust that certificate.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
New Contributor

Re: Certificate Error when Connecting to SSID w/ 802.1x

The certificate was issued by the Domain Controller to the NPS server. 

If logged in locally to the Windows laptop, I'm able to connect to the SSID but get that error. 

If I log in to the laptop with domain credentials, it doesn't allow me to even connect to the SSID; it just says it couldn't connect and never asks for credentials. 

 

How would this work with MacBooks?  Would a different type of certificate be needed in order for the message to not pop up? 

 

Guru Elite

Re: Certificate Error when Connecting to SSID w/ 802.1x

I think you should contact the person who set up the CA and inform them of what is happening so they can let you know how to fix this.


New Contributor

Re: Certificate Error when Connecting to SSID w/ 802.1x

Well, the thing is that I'm the one that set up the CA on the domain controller. I'm just not very experienced with certificates and I'm trying to learn how to do all of this.  

Guru Elite

Re: Certificate Error when Connecting to SSID w/ 802.1x

If it is an Enterprise CA, your clients must trust all of the certificates issued by it.  If it is not, you might have to manually insert it into your domain clients' trusted store via a group policy.  https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

 

To find out if your clients trust that certificate or the CA that issues the certificates, on the client go to Start > Run > MMC, click on Add/Remove Snap-in and install the Certificates snap-in.  https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in


MVP Guru

Re: Certificate Error when Connecting to SSID w/ 802.1x

This is not an error, it's a warning that your client doesn't know whether to trust the RADIUS certificate.

In order to make this work without this message, you either need to be in a fully AD connected environment where your Enterprise Root CA has been pushed to the client prior to connecting to the SSID and the client is part of the Active Directory.

The other option is to pre-configure your Windows clients with the Enterprise CA root, RADIUS server (certificate) name, and authentication settings. In an AD environment, you can push these settings and certificates via group policies; for non-AD systems, that is where tools like ClearPass Onboard or Mobile/Enterprise Device Management (MDM/EMM) tools come into scope.

 

The underlying security issue is that there is no binding between the SSID and the RADIUS server certificate. You can check this old blog post for more background.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
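
The trust check discussed in this thread (does the client trust the CA behind the RADIUS certificate, and does the certificate carry the expected server name) can also be scripted on the Windows client. The PowerShell below is an added example, not code from any post above; the certificate path and server name are assumptions, and the server certificate is assumed to have been exported (public part only) from the NPS server. Save it as a `.ps1` file and run it on the client.

```powershell
# Added example: would this Windows client trust the RADIUS (NPS) server certificate?
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$CertPath     = 'C:\Temp\radius-server.cer',  # assumed export of the NPS certificate
    [string]$ExpectedName = 'nps01.corp.example'          # constructed RADIUS server name
)

$cert = [X509Certificate2]::new($CertPath)

# Build the chain against the machine certificate stores (the ones Group Policy populates).
$chain = [X509Chain]::new($true)                 # $true = use the machine context
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # CRLs are usually unreachable before 802.1X succeeds
$chainOk = $chain.Build($cert)

# The last chain element is the root only if the chain is complete (self-signed top).
$top         = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topIsRoot   = $top.Subject -eq $top.Issuer
$inRootStore = Test-Path -Path ('Cert:\LocalMachine\Root\' + $top.Thumbprint)

# A RADIUS server certificate needs the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($eku -and
    ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

# The name the supplicant profile should list as the RADIUS server name.
$dnsName = $cert.GetNameInfo([X509NameType]::DnsName, $false)

[pscustomobject]@{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    DnsName           = $dnsName
    NameMatches       = $dnsName -eq $ExpectedName
    HasServerAuthEku  = $hasServerAuth
    ChainBuilds       = $chainOk
    ChainTop          = $top.Subject
    ChainTopIsRoot    = $topIsRoot
    RootInMachineStore = $topIsRoot -and $inRootStore
    ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
} | Format-List
```

If `RootInMachineStore` is false, the issuing CA's root has not reached this client's trusted store. The script only checks store trust; the wireless profile still has to name the CA root and RADIUS server as described in the post above.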