Solved

certificate warning with NPS and Digicert...

Posted on 2011-09-22
Last Modified: 2012-05-12
Wondering if anyone has run into something like this before. I have Radius (NPS) working well and a profile configured to use a Universal Communications cert from Digicert. The only issue I have is when you connect you get a warning that says:

"The server radius.domain.com presented a valid certificate issued by Digicert High Assurance EV Root CA, but Digicert High Assurance EV Root CA is not configured as a valid trust anchor for this profile."

Now I can easily go in and create a manual profile and select the server, Root CA and intermediate cert and it won't give me the warning but I was hoping that there is a way to prevent this so my domain users can just double-click on the network and off they go.

Does anyone know of a way to avoid that warning without manual intervention?
Question by:willlandymore
5 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36584712
You just need DigiCert's root and intermediate CA certificates installed in the trusted root store and intermediate store of your client machines.

There are a few different ways to do it.

You can push them out with a GPO.

You can install a Microsoft update that includes the latest list of trusted root certs.

You could install them manually.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36584891
Well, I had set up a test client and I had installed them manually into those stores on this one, but it still gets the warning when I just double-click on the new network. If you open up the settings of the EAP on the wireless profile, only one of the Digicert certificates is selected, but if you check the server one and the other Digicert it's fine.

I was thinking that I could make a GPO that would push out the Wireless network with the settings I needed and sort of pre-check the certs so they were warned. Then it would be there for them too, they would just have to click on it.
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36585110
You're right. I forgot about the settings on the PEAP properties page. In my environment group policy is used to set wireless parameters. So yes, you could do that.

When I get back to the office tomorrow I'll take a look at my settings. I remember having this problem with a non-domain laptop but don't remember what the resolution was.

Have you tried unchecking "Validate Server Certificate"? You may not want to leave it that way, but just as a test. That might be what I did for the contractor with the non-domain laptop.

I'll follow up tomorrow.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 36586814
Yeah, it will work without any intervention at all if I uncheck the validate box. However, I was just going for as secure as possible, so I was trying to get it so that was checked but there was no warning.

I have the policy set up for domain users/computers and then a GPO that pushes out the certificates to the right stores. If you create the wireless network manually and then select the 2 Digicert ones and the server one then there are no issues, but I was hoping to have this automatic so a wireless network didn't have to be created manually.
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 2000 total points
ID: 36588118
On the PEAP settings page is "Connect to these servers:" checked with your radius server listed in the box?

On my settings page, when I unselect that, it works. Validate server certificate is still checked but the CAs are not selected in the Trusted Root Certification Authorities. Not sure why that works but it does.
0
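
An added example, not part of the thread or of any poster's configuration: a Python check of the PEAP section of an exported wireless profile (for instance from `netsh wlan export profile`) for the three settings discussed above, namely "Validate server certificate", "Connect to these servers" and the selected trusted root CAs. The sample profile is constructed, its thumbprint is a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed PEAP section of a WLAN profile. The server name is
# the one from the question; the root CA thumbprint is a placeholder value.
SAMPLE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames>radius.domain.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
  </PeapExtensions>
</EapType>"""

def peap_settings(xml_text):
    """Collect the server-validation settings, matching elements by local name."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        found.setdefault(name, []).append((el.text or "").strip())
    # An absent flag element is treated as "not set" so that it gets reported.
    flag = lambda name: found.get(name, [""])[0].lower() == "true"
    names = ";".join(found.get("ServerNames", []))
    return {
        "validate": flag("PerformServerValidation"),    # "Validate server certificate"
        "check_name": flag("AcceptServerName"),         # "Connect to these servers"
        "no_prompt": flag("DisableUserPromptForServerValidation"),
        "server_names": [n.strip() for n in names.split(";") if n.strip()],
        "trusted_roots": [t.replace(" ", "").lower()
                          for t in found.get("TrustedRootCA", []) if t],
    }

def audit(xml_text):
    """Return findings for a profile that does not pin the RADIUS server."""
    s = peap_settings(xml_text)
    findings = []
    if not s["validate"]:
        findings.append("server certificate validation is off")
    if not (s["check_name"] and s["server_names"]):
        findings.append("no RADIUS server name is pinned")
    if not s["trusted_roots"]:
        findings.append("no trusted root CA is selected")
    return findings
```

An empty list from `audit` corresponds to the manually built profile the asker describes, with validation on and both the server and the CAs selected.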

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question