Certificate warning when connecting to an 802.1x wireless network

I purchased a certificate from DigiCert to use for our 802.1X wireless network. I have set up a Server 2012 R2 NPS and added the cert to the server, but both my Windows and my OSX clients still display a message to accept the certificate. I have checked the cert store on the Windows clients and the DigiCert root CA cert is there, as it is included on all Windows clients with recent updates installed.

I have tested this on OSX Lion and Windows 8.1.  I am about to test it on a Windows 7 machine as well.

I needed to use a public CA certificate because we are a college campus and we have students who bring their own devices that I don't have control over, so I can't use Group Policies to push our MS certificate to them.

This seems like it should just work with the public CA cert.  Any ideas why it isn't just trusting the certificate?  I have also been trying to find some logs to determine where it denies the certificate but I don't see anything for that.
gacusAsked:
Sid6_7Commented:
Can you screenshot what they see?
gacusAuthor Commented:
Here are the screenshots
gacusAuthor Commented:
Here is a client showing the DigiCert cert in the trusted root store:
trustcerts.PNG
acesover2000Commented:
Try running the DigiCert cert checker on your IAS server to check the intermediate certs?

http://www.digicert.com/help/
gacusAuthor Commented:
I used the downloaded tool and it verifies correctly on my NPS server.

So far everything I have read says these prompts are normal, since RADIUS has no way of verifying that you are connecting to the correct server, so it must show you the prompt so you can trust it. The only way to get around this is to push the CA cert into the NTAuth certificate store on Windows, which wouldn't work for this since I have no control over the users' computers. It looks like a limitation of 802.1x.
Craig BeckCommented:
This is actually an issue with MS' implementation of 802.1x and Certificate Trusts.  It's not a limitation of 802.1x - it's doing what it should do.

There are lots of 'fixes' suggested by Microsoft and other vendors such as using Intel PROSet tools to manage the wireless connection on the device, or importing the certificate into the NTAuth store (as you already discovered) but there's probably nothing you can do if you don't manage the devices.
gacusAuthor Commented:
The issue occurs on OSX and iOS as well. After learning more about how it works, I agree completely with MS and Apple about the prompts. Without them there is absolutely no way to be sure you are connecting to the network you think you are. To have a secure 802.1x network you have to pre-configure your clients, which works great in a corporate world but not so much in a BYOD world.
Craig BeckCommented:
I can see where you're coming from, and it may be the same on OSX and iOS too, but that's because it's a supplicant issue, not an 802.1x issue. You can easily tell the supplicant not to trust the certificate even if you have a certificate in the chain in your own store. Some supplicants don't trust certificates in this way by default, and in an MS environment you have to tell a GPO which CA certificates to trust manually; the client doesn't trust anything by default when using EAP to connect.

Trust relationships are supposed to mitigate the need for the user to accept a prompt and in your case the prompt tells the user that the certificate isn't trusted, so there is a problem with the certificate chain somewhere.  That doesn't mean that 802.1x is broken, but rather the opposite.  The fact that you wouldn't know whether you're connecting to the correct network or not doesn't mean anything is broken either.  Trust means accepting what someone tells you.

Whether you want to pre-configure clients is irrelevant. There are now solutions which help you on-board BYOD clients so that issues such as this are less apparent. When BYOD first hit the scene this was a major bugbear, along with having to manually deploy profiles to devices. In any case you will inevitably always need to trust the RADIUS server's certificate at some point, until onboarding is complete (if using a secure transport method), or the whole concept of trust in X.509 certificates would be rendered obsolete.

In an enterprise 802.1x network you usually use your own PKI so trust issues are a lot less of an issue and in 99% of installations you won't ever see prompts to trust certificates if the chain is complete.
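The workaround gacus mentioned (pushing the CA cert into the client store) and Craig's point that a Windows supplicant trusts nothing by default under EAP both come down to what the wireless profile says about server validation. The script below is an added example, not code from this thread or from Microsoft: it audits the EAPConfig fragment that `netsh wlan export profile` writes for a PEAP profile and flags the three settings that decide whether the user sees the "accept this certificate" prompt, or worse, silently accepts any server. The two profiles are constructed for the example and trimmed to the elements that matter; `nps.example.edu` and the thumbprint are placeholders, and the handling of a missing V2 `PerformServerValidation` element is an assumption noted in the code.

```python
"""Audit exported Windows PEAP wireless profiles for RADIUS server trust.

Added example (not from the original thread). Parses the <ServerValidation>
block of a PEAP EAPConfig as written by `netsh wlan export profile` and
reports settings that would either prompt the user to accept a certificate
or accept any server at all. Sample profiles are constructed inline.
"""
import xml.etree.ElementTree as ET

NS = {
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}


def peap_eap_config(server_validation: str, perform_validation: bool) -> str:
    """Constructed EAPConfig fragment, trimmed to the elements relevant to trust."""
    return f"""<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        {server_validation}
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{str(perform_validation).lower()}</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
</EAPConfig>"""


# Weak: validation off, no pinned root, no server name, user prompt left on.
WEAK_PROFILE = peap_eap_config(
    """<ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation>""",
    perform_validation=False,
)

# Pinned: root CA thumbprint and expected NPS host name fixed, no prompt.
# The thumbprint is a placeholder; use the SHA-1 thumbprint of your root CA.
PINNED_PROFILE = peap_eap_config(
    """<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>nps.example.edu</ServerNames>
  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
</ServerValidation>""",
    perform_validation=True,
)


def server_validation(eap_config_xml: str) -> dict:
    """Extract the server-trust settings from a PEAP EAPConfig fragment."""
    root = ET.fromstring(eap_config_xml)
    sv = root.find(".//peap:ServerValidation", NS)
    if sv is None:
        raise ValueError("no PEAP ServerValidation element found")

    def text(tag: str) -> str:
        node = sv.find(f"peap:{tag}", NS)
        return (node.text or "").strip() if node is not None else ""

    psv = root.find(".//peap2:PerformServerValidation", NS)
    # Assumption: if the V2 extension is absent, treat validation as enabled
    # (the pre-V2 behaviour); a present element is authoritative.
    perform = True if psv is None else (psv.text or "").strip().lower() == "true"
    return {
        "perform_validation": perform,
        "prompt_disabled": text("DisableUserPromptForServerValidation").lower() == "true",
        "server_names": [n for n in text("ServerNames").split(";") if n],
        "trusted_roots": [(t.text or "").replace(" ", "").lower()
                          for t in sv.findall("peap:TrustedRootCA", NS)],
    }


def audit(eap_config_xml: str) -> list:
    """Return human-readable findings; an empty list means the profile pins its server."""
    s = server_validation(eap_config_xml)
    findings = []
    if not s["perform_validation"]:
        findings.append("server certificate validation is off: any RADIUS server is accepted")
    if not s["trusted_roots"]:
        findings.append("no TrustedRootCA pinned: any root in the Trusted Root store is accepted")
    if not s["server_names"]:
        findings.append("no ServerNames: a valid certificate for any host name passes")
    if not s["prompt_disabled"]:
        findings.append("user prompt enabled: users can accept a certificate that failed the checks")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("pinned", PINNED_PROFILE)):
        print(name, audit(profile) or ["ok"])
```

To audit a real client, export the profile with `netsh wlan export profile name="<SSID>" folder=C:\profiles` and pass the file's EAPConfig contents to `audit()`. A profile that pins both the root thumbprint and the server name is exactly what the BYOD onboarding tools Craig refers to install; without it the supplicant can only ask the user, which is the prompt in the question.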

gacusAuthor Commented:
craigbeck and I were saying basically the same thing, but craigbeck's wording went into much better detail.