WLAN Server Certificate for Microsoft RADIUS/IAS

  • 1
  • Question
  • Updated 11 months ago
  • Answered
Hey guys..

We have all of our SSIDs using 802.1X with our internal certificate.
Everything seems OK; users are able to configure their devices with our how-tos. We have been running this way for almost three years now, and there has been a single thing that I have always wanted to understand better, and for that I am asking for your help.

Every user has to accept the certificate when he/she connects for the first time, or it should be just for the first time or when the certificate is renewed.
The certificate is not verified (valid, it's our internal CA), so there is that "red" alert message that seems horrible!

Ok I understand the point of that.

My question: there is this WLAN Server Certificate for Microsoft RADIUS/IAS that Verisign used to sell (more details here http://www.verisign.com/static/DEV004...). If we buy this certificate and use it on our RADIUS servers, will this message stop?

Another question regarding our current scenario. Our certificate has a 1-year expiration date. We have been notified by some users who are not connecting regularly to the WiFi, for instance one connects on Monday and again just on Friday, and every time he has to accept the certificate. On the other hand, I connect my iPhone every work day, so I rarely see the "red alert" message of an untrusted certificate.
Is this something related to the specific user's connection? Something maybe related to the PMK timeout? What could it be?

Thanks.
Cheers.

Odilo Junior

  • 15 Posts
  • 2 Reply Likes

Posted 3 years ago

  • 1

Monnat Systems, AlphaDog

  • 760 Posts
  • 163 Reply Likes
Hi Odilo Junior,

When anyone uses a self-signed cert, then you are bound to see errors in browsers, as browsers follow trusted CAs, which your self-signed cert is NOT. This is common.

Once you buy a trusted CA cert from Verisign or any other trusted CA like GoDaddy, and if it is implemented correctly, then users will not see the errors which you mentioned.

Your last question is a peculiar issue; it may be a browser issue specific to that user. However, you can start with adding the self-signed cert into the browser's exception list. Once correctly added, you should not see the error and will bypass it.

http://www.poweradmin.com/help/sslhin...

Hope this helps.

Odilo Junior

  • 15 Posts
  • 2 Reply Likes
Hi Monnat, thanks for the answer.

The thing is.. this is not in the browser.. we are not using a hotspot or auth through a browser..

This message appears when the users select our 802.1X SSID, enter the username/password and the device does not trust the certificate, as it is self-signed.. for instance a user's iPhone.
I understand that a valid SSL certificate would not show the error on authentication using the web browser. That's why I want to understand the difference between a simple SSL certificate and the WLAN Server Certificate for Microsoft RADIUS/IAS.

By the name and the details about it in the PDF, it seems this could fix the issue, but I want to confirm whether there is anyone that has already bought that type of certificate, or anyone that has experience with this type of certificate, and if it really could fix the issue.
Of course we don't want to buy it expecting to solve the issue and, after implementing it, see the message again.

The last question was regarding the same certificate scenario, using 802.1X with a self-signed certificate on an iPhone/Android.

James Anderson

  • 4 Posts
  • 0 Reply Likes

That depends on whether you use EAP-MSCHAP v2 or EAP-TLS in your 802.1X authentication.

When you connect to the wireless using 802.1X authentication (EAP-MSCHAP v2), the certificate on your RADIUS service encrypts the session to the client (just like a web page uses an SSL cert to encrypt a browser session). Only the RADIUS server is required to have a certificate. This type of session commonly asks for a username and password to complete the MSCHAP v2 authentication. It also generates a check on the certificate, just like a browser checks an https connection (unless the profile specifies otherwise). Because you are using an internal certificate authority (CA), the CA's certificate is not present in the end device's certificate store as a trusted root certificate authority (unless you are using an enterprise CA and it is a domain computer). Most devices alert you to this and allow you to import the certificate at that time when you accept it (i.e. the first time you connect). For this authentication type, the certificate only needs an enhanced key usage of:

Server Authentication (1.3.6.1.5.5.7.3.1)

If you are connecting using 802.1X authentication (EAP-TLS), then a certificate must reside on both the server and the client, and the session is authenticated using the certificates at both ends. In this case, both certificates must do both server authentication and client authentication, and the certificates used must be trusted on both the RADIUS server and the client. For your domain computers, you can look at a computer/user certificate and see that the "Enhanced Key Usage" includes:

Client Authentication (1.3.6.1.5.5.7.3.2)

Server Authentication (1.3.6.1.5.5.7.3.1)

The RAS and IAS certificate template also contains both client and server authentication.

This allows domain computers to work great with an internal enterprise CA because the CA's certificate gets pushed to all domain computers as a trusted root CA.

Since you are using EAP-MSCHAP v2, you only need the one cert for the RADIUS server. Yes, a 3rd-party web cert will work with RADIUS.

1. 3rd-party web certs will include server authentication. Almost all include both server and client authentication.

2. 3rd-party certs cannot include unregistered domain names (i.e. myserver.mydomain.local). You can only get certs for your internet-registered domain name (i.e. myserver.mydomain.com). There will be a verification email to the contacts of your internet-registered domain name.

3. The RADIUS server doesn't work with the wildcard *.mydomain.com certificate. It needs to be a fully qualified domain name (i.e. myserver.mydomain.com).


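The checks the answer above describes (chain to a trusted root, Server Authentication EKU, name matching, and the naming rules a public CA will and will not issue for) can be reproduced end to end with Go's standard crypto/x509 package. The following is an added example for this thread, not code from the forum, from Microsoft, or from any RADIUS product: it builds a throwaway "internal CA", issues a one-year RADIUS server certificate from it, and then runs the verification a supplicant performs on that certificate inside the PEAP tunnel, once as a phone that never imported the internal root and once as a domain computer that has it. The CA name, the hostname `radius.corp.example.com` and the lint rules in `LintRADIUSName` are constructed for the example; the EKU OIDs are the ones quoted in the answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	signer := parentKey
	if parent == nil { // self-signed root: the template is its own parent
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewInternalCA stands in for the enterprise CA in the thread: a self-signed root (constructed name).
func NewInternalCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewRADIUSCert issues a one-year server certificate for the RADIUS host with the given
// Enhanced Key Usages (Server Authentication 1.3.6.1.5.5.7.3.1, Client Authentication 1.3.6.1.5.5.7.3.2).
func NewRADIUSCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, fqdn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  ekus,
	}, ca, caKey)
	return cert
}

// ClientCheck is the supplicant's view of the RADIUS server certificate: chain it to a trusted
// root, require the Server Authentication EKU and match the expected server name. "" = no warning.
func ClientCheck(serverCert *x509.Certificate, trusted *x509.CertPool, expectedName string) string {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err.Error()
	}
	return ""
}

// LintRADIUSName flags the subject names from points 2 and 3 of the answer: wildcards, and
// unregistered suffixes such as .local that a public CA will not issue for (constructed rules).
func LintRADIUSName(name string) []string {
	var warnings []string
	if strings.HasPrefix(name, "*.") {
		warnings = append(warnings, "wildcard name: use the server's own FQDN")
	}
	if strings.HasSuffix(strings.ToLower(name), ".local") {
		warnings = append(warnings, "unregistered suffix: public CAs only issue for registered domains")
	}
	return warnings
}

func main() {
	ca, caKey := NewInternalCA()
	const radiusFQDN = "radius.corp.example.com" // constructed hostname
	good := NewRADIUSCert(ca, caKey, radiusFQDN, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	clientOnly := NewRADIUSCert(ca, caKey, radiusFQDN, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	phone := x509.NewCertPool() // BYOD phone that never imported the internal root
	domainPC := x509.NewCertPool()
	domainPC.AddCert(ca) // domain computer that received the root from the enterprise CA

	fmt.Println("phone, root not installed:", ClientCheck(good, phone, radiusFQDN))
	fmt.Println("domain PC, root installed:", ClientCheck(good, domainPC, radiusFQDN))
	fmt.Println("clientAuth-only EKU      :", ClientCheck(clientOnly, domainPC, radiusFQDN))
	for _, n := range []string{"*.corp.example.com", "nps.corp.local", radiusFQDN} {
		fmt.Printf("lint %-24s %v\n", n, LintRADIUSName(n))
	}
}
```

The first two lines of output are the whole story of the "red alert": the same certificate verifies cleanly when the root is in the device's trust store and fails with an unknown-authority error when it is not, which is what a publicly trusted certificate changes for devices that were never joined to the domain. The third line shows why a certificate issued without the Server Authentication EKU is rejected even when the chain is trusted.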

Stephan de Meulmeester

  • 8 Posts
  • 4 Reply Likes
I have the same certificate warnings on my Apple devices as Odilo Junior. My setup is NPS RADIUS authentication / EAP-MSCHAP v2 with Ruckus Unleashed. I have made a CSR from my IIS and bought a public Comodo certificate. My Apple device, with iOS 10, contains the needed CA certificate according to the Apple website https://support.apple.com/nl-nl/HT207177


I googled the whole internet but didn't find a solution. Any help would be much appreciated!

Greetings Stephan
(Edited)