Solved

certificate warning with NPS and Digicert...

Posted on 2011-09-22
5
2,180 Views
Last Modified: 2012-05-12
Wondering if anyone has run into something like this before. I have Radius (NPS) working well and a profile configured to use a Universal Communications cert from Digicert. The only issue I have is when you connect you get a warning that says:

"The server radius.domain.com presented a valid certificate issue by Digicert High Assurance EV Root CA, but  Digicert High Assurance EV Root CA is not configured as a valid trust anchor for this profile."

Now I can easily go in and create a manual profile and select the server, Root CA and intermediate cert and it won't give me the warning but I was hoping that there is a way to prevent this so my domain users can just double-click on the network and off they go.

Does anyone know of a way to avoid that warning without manual intervention?
0
Comment
Question by:willlandymore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584712
You just need DigiCerts Root and intermediate CA certificates installed in the trusted root store and intermediate store of your client machines.

There are a few different ways to do it.

You can push them out with a GPO.

You can install a Microsoft update that includes the latest list of trusted root certs

You could install them manually.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36584891
well I had setup a test client and I had installed them manually into those stores on this one but it still gets the warning when I just double-click on the new network. If you open up the settings of the EAP on the wireless profile only one of the Digicert certificates is selected, but if you check the server one and the other Digicert it's fine.

I was thinking that I could make a GPO that would push out the Wireless network with the settings I needed and sort of pre-check the certs so they were warned. Then it would be there for them too, they would just have to click on it.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36585110
You're right. I forgot about the settings on the PEAP properties page. In my environment group policy is used to set wireless parameters. So yes, you could do that.

When I get back to the office tomorrow I'll take a look at my settings. I remember having this problem with a non-domain laptop but don't remember what the resolution was.

Have you tried unchecking "Validate Server Certificate" you may not want to leave it that way but just as a test. That might be what I did for the contractor with the non-domain laptop.

I'll follow up tomorrow.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36586814
yeah, it will work without any intervention at all if I uncheck the validate box. However, I was just going for as secure as possible so I was trying to get it so that was checked but there was no warning.

I have the policy setup for domain users/computers and then a GPO that pushes out the certificates to the right stores. If you create the wireless network manually and then select the 2 Digicert ones and the server one then there are no issues, but I was hoping to have this automatic so a wireless network didn't have to be created manually.  
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36588118
On the PEAP settings page is "Connect to these servers:" checked with your radius server listed in the box?

On my settings page when I unselect that it works. Validate server certificate is still checked but the CA's are not selected int the Trused Root Certification Authorities. Not sure why that works but it does.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question