Wireless Access

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

The first time a device connects, there is no way to disable it.  It as presented so that the user can validate what they are connecting to, and that their credentials are not being stolen by an "evil twin" network.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

is that the same behaviour regardless of what cert you have self signed vs public?
Original Message:
Sent: Aug 10, 2022 04:16 PM
From: Colin Joseph
Subject: EAP-PEAP

The first time a device connects, there is no way to disable it.  It as presented so that the user can validate what they are connecting to, and that their credentials are not being stolen by an "evil twin" network.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not appluy to the RADIUS servers.

Many, including our institution, use an open SSId with a captive portal and some onboarding siftware such as ClearPass Onboard or SecureW2.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

My further question is I have a Samsung phone if I forget the network, I do not need to trust the cert. This device is not a managed device. 
I have iphone that is managed by JAMF, if I forget the network and connect I need to trust the cert for the first time. 
Is this behaviour different per manufacture and device?
Original Message:
Sent: Aug 11, 2022 05:56 AM
From: Bruce Osborne
Subject: EAP-PEAP

If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not appluy to the RADIUS servers.

Many, including our institution, use an open SSId with a captive portal and some onboarding siftware such as ClearPass Onboard or SecureW2.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

Yes, the behavior is different per device, and that is exactly the reason why you should never use EAP-PEAP in BYOD like situations.

Some devices prompt the user for a certificate, others even don't, and if there is a rogue authentication server users will likely leak their user credentials.

If you have an MDM (you mention JAMF), make sure that you push the RADIUS server's root CA (a private PKI certificate is recommended for EAP), and strictly control the certificate trust and make sure that users cannot accept a rogue server certificate. Without an MDM or proper provisioning tool, you should not deploy PEAP-MSCHAPv2.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 11, 2022 06:13 AM
From: Inzamam Shahid
Subject: EAP-PEAP

My further question is I have a Samsung phone if I forget the network, I do not need to trust the cert. This device is not a managed device. 
I have iphone that is managed by JAMF, if I forget the network and connect I need to trust the cert for the first time. 
Is this behaviour different per manufacture and device?
Original Message:
Sent: Aug 11, 2022 05:56 AM
From: Bruce Osborne
Subject: EAP-PEAP

If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not appluy to the RADIUS servers.

Many, including our institution, use an open SSId with a captive portal and some onboarding siftware such as ClearPass Onboard or SecureW2.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

An iPhone managed by JAMF should have has a network Profile containing the certificate chain pushed out to the device. It would then trust the certificate with no prompt to the users. We do that with our iPads. The configuration in JAMF should be the same. JAMF already pushes out its own Profile for management purposes. The wireless one would just be another Profile on the device.

We trust the certificate chain rather than the server certificate. That permits updating the server certificate and no clienta are affected if the new certificate uses the same certificate chain of trust.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Aug 11, 2022 06:13 AM
From: Inzamam Shahid
Subject: EAP-PEAP

My further question is I have a Samsung phone if I forget the network, I do not need to trust the cert. This device is not a managed device. 
I have iphone that is managed by JAMF, if I forget the network and connect I need to trust the cert for the first time. 
Is this behaviour different per manufacture and device?
Original Message:
Sent: Aug 11, 2022 05:56 AM
From: Bruce Osborne
Subject: EAP-PEAP

If trying to connect to an EAP-PEAP 802.1X SSID without using any onboarding software beforehand, you will need to accept the certificate regardless of whether it is public or private. The SSL certificate trusts do not appluy to the RADIUS servers.

Many, including our institution, use an open SSId with a captive portal and some onboarding siftware such as ClearPass Onboard or SecureW2.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,

It has been my experience that Apple devices will require a certificate validation, no matter the certificate, self signed or public.

------------------------------
Bruce Entwistle
Network manager
University of Redlands
------------------------------

Original Message:
Sent: Aug 10, 2022 10:37 AM
From: Inzamam Shahid
Subject: EAP-PEAP

Hi, 

If you have an 802.1x SSID where you are doing EAP-PEAP authentication. On CPPM for example, you can have a self signed cert or you can have a public cert either would work. When you submit your credentials you are prompted to validate the server certificate. Is prompting the server certificate the same if you have a public cert or a self signed cert?
I am testing the behaviour and it is the same on both instances. 
Is there anyway around of having to trust the certificate and automatically connect?

Thanks,