Solved

Certificate warning when connecting to a 802.1x wireless network

Posted on 2014-07-10
1,761 Views
Last Modified: 2014-09-19
I purchased a certificate from DigiCert to use for our 802.1X wireless network. I have set up a Server 2012 R2 NPS and added the cert to the server, but both my Windows and my OSX clients still display a message to accept the certificate. I have checked the cert store on the Windows clients and the DigiCert root CA cert is there, as it is included on all Windows clients with recent updates installed.

I have tested this on OSX Lion and Windows 8.1. I am about to test it on a Windows 7 machine as well.

I needed to use a public CA certificate because we are a college campus and we have students who bring their own devices that I don't have control over, so I can't use Group Policies to push our MS certificate to them.

This seems like it should just work with the public CA cert.  Any ideas why it isn't just trusting the certificate?  I have also been trying to find some logs to determine where it denies the certificate but I don't see anything for that.
Question by:gacus
10 Comments
 
LVL 3

Expert Comment

by:Sid6_7
ID: 40188818
Can you screenshot what they see?
 
LVL 1

Author Comment

by:gacus
ID: 40188909
 
LVL 1

Author Comment

by:gacus
ID: 40188911
Here are the screenshots
 
LVL 1

Author Comment

by:gacus
ID: 40188984
Here is a client showing the DigiCert cert in the trusted root store:
trustcerts.PNG
 
LVL 5

Expert Comment

by:acesover2000
ID: 40189093
Try to run the Digicert cert checker on your IAS server to check the intermediate certs?

http://www.digicert.com/help/
 
LVL 1

Assisted Solution

by:gacus
gacus earned 0 total points
ID: 40189352
I used the downloaded tool and it verifies correctly on my nps server.

So far everything I have read says these prompts are normal, since RADIUS has no way of verifying that you are connecting to the correct server, so it must show you the prompt so you can trust it. The only way to get around this is to push the CA cert into the NTAuth certificate store on Windows, which wouldn't work for this since I have no control over the users' computers. It looks like a limitation of 802.1x.
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40191458
This is actually an issue with MS' implementation of 802.1x and Certificate Trusts.  It's not a limitation of 802.1x - it's doing what it should do.

There are lots of 'fixes' suggested by Microsoft and other vendors such as using Intel PROSet tools to manage the wireless connection on the device, or importing the certificate into the NTAuth store (as you already discovered) but there's probably nothing you can do if you don't manage the devices.
 
LVL 1

Assisted Solution

by:gacus
gacus earned 0 total points
ID: 40191626
The issue occurs on OSX and iOS as well. After learning more about how it works, I agree completely with MS and Apple about the prompts. Without them there is absolutely no way to be sure you are connecting to the network you think you are. To have a secure 802.1x network you have to pre-configure your clients, which works great in a corporate world but not so much in a BYOD world.
 
LVL 47

Accepted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 40192107
I can see where you're coming from and it may be the same on OSX and iOS too, but that's because it's a supplicant issue, not an 802.1x issue. You can easily tell the supplicant to not trust the certificate even if you have a certificate in the chain in your own store. Some supplicants don't trust certificates in this way by default, and in a MS environment you have to tell a GPO which CA certificates to trust manually - the client doesn't trust anything by default when using EAP to connect.

Trust relationships are supposed to mitigate the need for the user to accept a prompt and in your case the prompt tells the user that the certificate isn't trusted, so there is a problem with the certificate chain somewhere.  That doesn't mean that 802.1x is broken, but rather the opposite.  The fact that you wouldn't know whether you're connecting to the correct network or not doesn't mean anything is broken either.  Trust means accepting what someone tells you.

Whether you want to pre-configure clients is irrelevant. There are now solutions which help you on-board BYOD clients so that issues such as this are less apparent. When BYOD first hit the scene this was a major bugbear, along with having to manually deploy profiles to devices. In any case you will inevitably always need to trust the RADIUS server's certificate at some point until onboarding is complete (if using a secure transport method), or the whole concept of trust in X.509 certificates would be rendered obsolete.

In an enterprise 802.1x network you usually use your own PKI so trust issues are a lot less of an issue and in 99% of installations you won't ever see prompts to trust certificates if the chain is complete.
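To illustrate Craig Beck's point that the prompt means the client could not build a trusted chain to the RADIUS server's certificate, here is an added openssl walkthrough. It is constructed for this write-up and is not code from the thread, from DigiCert or from Microsoft: it creates a made-up root CA, issuing (intermediate) CA and RADIUS server certificate (the names "Example Root CA", "Example Issuing CA" and "nps.example.edu" are assumptions), then checks the server certificate the way a client that holds only the root does. Without the intermediate the check fails with "unable to get local issuer certificate", which is the kind of gap the DigiCert checker mentioned earlier probes for; with the intermediate supplied (as a correctly configured NPS sends it during the EAP handshake) it passes. It goes one step beyond the thread by also showing the server-name check a pre-configured supplicant performs on top of chain validation.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed three-tier chain
# root -> issuing CA -> RADIUS server cert, then verify the server cert as a
# client holding only the root would. All names below are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate from a CA.
# $1 CSR  $2 CA cert  $3 CA key  $4 serial  $5 extension file  $6 output cert
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" \
    -days 2 -sha256 -extfile "$5" -out "$6" >/dev/null 2>&1
}

build_chain() {
  # Self-signed root; 'req -x509' marks it as a CA by default.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  # Issuing (intermediate) CA: must carry CA:TRUE and keyCertSign.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" 1000 "$WORK/int.ext" "$WORK/int.pem"

  # RADIUS/NPS server certificate: end entity, serverAuth EKU, SAN = server name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=nps.example.edu" \
    -keyout "$WORK/nps.key" -out "$WORK/nps.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:nps.example.edu\n' \
    > "$WORK/nps.ext"
  issue "$WORK/nps.csr" "$WORK/int.pem" "$WORK/int.key" 2000 "$WORK/nps.ext" "$WORK/nps.pem"
}

# Validate the server cert with only the root trusted.
# $1 = "yes" to also present the intermediate (as NPS should), "no" to omit it.
# Prints "trusted" or "untrusted".
verify_server_cert() {
  if [ "$1" = "yes" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
      "$WORK/nps.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$WORK/root.pem" \
      "$WORK/nps.pem" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# Show openssl's own reason for the failure when the intermediate is absent.
explain_failure() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/nps.pem" 2>&1 || true
}

# A pre-configured supplicant also pins the expected RADIUS server name.
# $1 = expected name. Prints "match" or "mismatch".
verify_server_name() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/nps.pem" >/dev/null 2>&1 && echo match || echo mismatch
}

build_chain
echo "root only, intermediate missing : $(verify_server_cert no)"
echo "  reason: $(explain_failure | head -n 1)"
echo "root + intermediate presented   : $(verify_server_cert yes)"
echo "name check nps.example.edu      : $(verify_server_name nps.example.edu)"
echo "name check other.example.edu    : $(verify_server_name other.example.edu)"
```

The "root only" case is the situation the thread converges on: the client may well have the public root in its store, but if the server does not send the intermediate, or the client has not been told which root and server name to expect, the supplicant cannot complete validation on its own and falls back to asking the user.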
 
LVL 1

Author Closing Comment

by:gacus
ID: 40207119
craigbeck and I were saying basically the same thing, but craigbeck's wording went into much better detail.
Question has a verified solution.