[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Third Party Certificate Not Verified when connecting via EAP-PEAP

Posted on 2013-12-22
10
Medium Priority
?
4,953 Views
Last Modified: 2013-12-28
We have a AAA server based on Windows Server 2008, and got everything configured correctly, and went ahead and purchased an SSL Certificate from Godaddy so that our wireless customers wouldn't get any issues connecting.

Wireless Security is EAP-PEAP (WPA2-Enterprise), and the Controller is Cisco WLC.

The issue is after successfully installing the certificate to the server, the clients are getting this error message:

The server "XXXXX" presented a valid certificate issued by "Go Daddy Class 2 Certification Authority", but "Go Daddy Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server "XXXXX" is not configured as a valid NPS server to connect to for this profile.

The certificate works fine when connecting via HTTPS or Remote Desktop, but when connecting via wireless, it throws the above error, yet giving the clients the option to "Connect" or "Terminate", but that freaks some of them out.

Bear in mind that all devices (iPhones, iPads, Android Windows 7) have the "Not Verified" warning that pops, but each with its own details, so it's not only a Win7 issue.

Note that we've purchased a third party certificate to avoid getting any warning, but that's what we ended up with.

How can I solve this issue?
0
Comment
Question by:slinky9111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 4

Expert Comment

by:askincakir
ID: 39735569
Hi,
Did you configure NPS to use the new certificate for PEAP in profile ?

Br,
0
 

Author Comment

by:slinky9111
ID: 39735601
Hi,

Ofcourse, or else how did the clients successfully connected after clicking connect.

And how did the certificate end up being read by the client when connected.

It's because it's been selected from NPS, and by the way, the AAA server is not MS NPS, but is Aradial, but again, the certificate is selected to be used with our clients.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39736460
I know there used to be issues with GoDaddy certificates if the complete certificate chain wasn't present on the client device.  IIRC the Intermediate CA certificate was missing.  This may be what you're experiencing.
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 

Author Comment

by:slinky9111
ID: 39736999
Ok, I've downloaded the Intermediate Certificate from Godaddy, and imported it into the server.

So are you telling me that the Intermediate Certificate is missing form the Server or from the Client?

If it's missing from the Server, then I must be placing it in the wrong location.

But if you're saying that it's missing from the Client machine, then I'm guessing that every Certificate is going to miss the intermediate certificate, because only the CA is present in the Client machine and not the Intermediate.

I'm no expert in Certificates, and this is my first purchased certificate to be used in AAA, so is there another provider that provides something different?

Correct me if I'm wrong, because I'm a bit confused here.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39737093
The intermediate certificate needs to be trusted by the client, therefore every client needs the Intermediate certificate.

This kind of explains the issue...

https://supportforums.cisco.com/thread/2203638
0
 

Author Comment

by:slinky9111
ID: 39742664
It says in the link you provided that it needs to trust the CA not the intermediate.

It also says that it's an issue with windows machines, but it's not, all devices has the same behaviour.

But what makes me think there's still a solution, (because you're almost saying there isn't), is that the clients connect to the same server, using the same certificate without any warnings, using other protocols, like when using HTTPS or Remote Desktop, yet has an issue with PEAP.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 39742691
Yes there is a solution - install the intermediate certificate on the client.

The client will only trust the CA certificate if it also trusts the intermediate certificate.  As I said, this is a known issue with GoDaddy certificates.  The client needs to trust a chain of certificates or the chain is broken and identity verification will not work.

http://blogs.citrix.com/2010/01/20/how-to-fix-godaddy-server-certificate-trust-issue-on-safari-and-iphone/

http://hunterford.me/godaddy-ssl-certificate-and-chrome/

http://www.chicagotech.net/wireless/wifi-enterprise1.htm
(This is for a different issuing CA, but the same problem)
0
 

Author Comment

by:slinky9111
ID: 39742843
Ok, so the issue is with Godaddy certificate generated from an intermediate certificate.

So, is there any provider that issues certificates from a CA directly?

That's because it's impossible to download the certificate to the client devices in our case.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39743258
There are plenty...

Digicert, Verisign, Thawte, Comodo, to name a few.
0
 

Author Comment

by:slinky9111
ID: 39744061
Thanks for the answers, appreciate the effort
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This program is used to assist in finding and resolving common problems with wireless connections.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question