Solved

How do I setup redundant Radius Servers without the end user having to accept another certificate?

Posted on 2014-09-19
271 Views
Last Modified: 2015-01-07
I have setup a Server 2012 R2 NPS server as my radius server for our authentication on our wireless network.  I am also using an internal MS Certificate Authority to deploy certificates to all of our domain computers.

Our domain computers connect great using their certificate and end users don't see any certificate prompts to accept the certificate.  I could easily setup a redundant radius server for this because they don't need to accept the certificate.

The issue is that we also have several thousand non-domain devices that I have no control over so these users must accept the certificate before connecting.  These users get the prompt depending on their device.

I could find no way to get a non-domain Windows 7 or 8 computer to connect to our 802.1x network without first setting up the network in manage wireless networks and disabling the certificate checking.  They will not even give me the option to approve the certificate unless I do this.  Is this right??  It seems strange it won't even allow the end user the option to approve the certificate.  Every other OS seems to give this option just fine.  I got around this issue by getting a certificate from an external CA and now these non-domain computers get the prompt to accept the certificate without pre-setting up the network.  The issue I have now is that my domain users also have to get this same prompt on their domain computers (when authenticating as the user not computer) because they don't automatically trust this external CA like the internal one.  I really don't want to add the external CA to the "ntauth" so that it trusts all certs from this CA.  What do others do in this situation?

Well that should be a good background of the setup.  Now I am looking for a way to setup a redundant radius server.  How can I setup a redundant radius server so when it is used, the end user (non-domain, no control over their computer, and don't want to make them setup their wireless network before connecting) doesn't have to accept another certificate for another server?  It would also be great if I didn't have to buy an additional certificate from an external CA.

Thank you for your time.
Question by:gacus
3 Comments
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 40332516
If you don't install the root CA certificate [for the certificate which is being presented by the RADIUS server] on the client you will receive a warning which prompts the user to manually verify the certificate and accept its validity.

If you uncheck the "Validate server certificate" box the client simply accepts that a certificate was provided and continues with EAP negotiation.

The most complete (and technically correct) way to do this is to install the root CA certificate on the client and configure the WLAN security settings on the client-side to validate the server certificate and check the box for the relevant CA from the list.
LVL 1

Author Comment

by:gacus
ID: 40332578
Although what you state is true, I am not sure you read all of my post.  Why do the non-domain Windows 7/8 computers not even allow my end users the possibility to accept the certificate?  Windows just says there was an error and doesn't allow them to connect.  The only way I could even get them to connect was to uncheck the "Validate server certificate" box, which is not an option, so I had to use an external CA instead.  iOS, Android and OSX non-domain all work fine with the internal CA cert and just give the prompt to accept the cert, but Windows 7/8 non-domain computers just fail to connect with an error.  Why is this?
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 40332794
I did read all your post.

The non-domain machines are working as per their design.  If you don't validate the certificate, EAP fails.  The fact that you used an external CA proves the point about validation.

In a domain environment where you issue certs from the local CA the trust is implicit already so validation details are automatic.  With non-domain machines you have to manually set the parameters as defaults don't work immediately.