Wireless Access

Hi guys. We have dot1x authentication against a Radius server. There is no termination enable in controller. Customer will need to manually create a wifi profile in their pc, and uncheck the validate server certificate. There are a question from customers;

1.Why it was successful for the authentication when no "validate server certificate” in wifi profile?

    What was the actual process that happen when no "validate server certificate" in wifi profile?

2. What will happen on the window client when the radius renew the server certificate:

                A) with “validate server certificate” checked

                B) without “validate server certificate” checked.

Tim, it is private cert.

Then you would need to manually install the root (signing) CA on the device, use group policy to push it out, or use a tool like QuickConnect to install it.

Clembo

      Refer to item 2,a) with "validate server certificate" checked, with no GPO and domain PC.

                                   what would happen to client if server certificate is renewed at radius as per the following scenario:

                                      i) nothing is checked except "validate server certificate"

                                    ii) with "connect to these server" checked with server name and no check at trusted root certificate authorities

                                           additional condition: a) pointing to right radius

                                                                            b) pointing to incorrect radius

                                  iii) with  a few trusted root CA checked; "connect to these server" unchecked

         Appreciate your answers.

You should not uncheck the "validate server certificate" option.  Although it may solve your connectivity problem, it is good practice to validate and trust the server's idenity (via the certificate).

You should have each client trust the certificate.  The process to do it varies slightly whether it is a public certificate, self-signed, or Active Directory Certificate Services certificate.

---

 

1.Why it was successful for the authentication when no "validate server certificate” in wifi profile?

----because your client does not have it in its list of trusted certificate authorities; so unchecking ignores this.

    What was the actual process that happen when no "validate server certificate" in wifi profile?

----client ignores the certificate presented by the RADIUS server

2. What will happen on the window client when the radius renew the server certificate:

                A) with “validate server certificate” checked

----Depends on the where the certificate was issued from.  It would need to be reloaded to the clients; but again the process may vary.   Domain joined machines can have these settings pushed out through Group Policy; including the trusted certificate.

                B) without “validate server certificate” checked.

----Nothing; but again, you should enable this feature

 

 

---

From a security standpoint, not validating the server's identity is worse than using an open network.