3rd party certificate

  • Question
  • Updated 4 years ago
  • Answered
I have been tasked with modifying our employee SSID in such a way that someone could authenticate to the network on a device that hasn't been added to the domain (BYOD). 802.1X is a bit out of my wheelhouse, but I've been combing the forums and it seems like a 3rd party cert on our RADIUS-enabled APs is the way to go? If so, then how do you go about getting the 3rd party validation for the RADIUS AP if it is on your internal network (i.e. accesspoint.domain.local)?
Jared Bloomberg

Posted 4 years ago
Rusty Wyatt, Technical Support Engineer

Official Response
Jared,

What types of devices are you planning to connect to this 802.1X SSID?

Generally speaking, 802.1X authentication (WPA/2-Enterprise) is just that - it's designed for enterprise deployments. The assumption there is that it will be used for devices that you ultimately control - perhaps you own them, or you control them through some sort of GPO (or similar) based control mechanism. This is important because some devices, regardless of certificate validation by third party Certificate Authorities, will not, by default, trust even a properly signed and certified certificate. This generally impacts Windows 7, Vista and XP computers, as they will not trust CAs that do not exist in their NTAuth store, and those machines will not allow a connection to an SSID that they cannot validate. Ultimately, if you do not control the computer, you cannot effect a change to the NTAuth store on those machines.

If you are using iOS, OSX or Windows 8 or later devices, you will experience various degrees of success with a properly signed and trusted certificate.  Some will connect without error and some will prompt the user with a message indicating the certificate is valid, but it is not in the trust store that is used for computer and/or user authentication asking for permission to proceed.  In any case, some devices, regardless of how thorough you are in configuring the system and certificate, will give your users a message that they may not completely understand - or in some cases, simply fail to connect (Windows 7 and earlier).  

If you need a truly seamless and non-error message prone solution to client authentication for devices that you do not own, Aerohive offers several solutions that can be leveraged for this type of installation.  The first being Private-PSK which works around this problem by providing each client/user their own Pre-Shared Key to associate to a given SSID.  Alternatively, you can use a CWP (Captive Web Portal) that performs 802.1X user authentications against a RADIUS server on an Open or Pre-Shared Key based SSID.  Finally, we have recently begun to offer a Client Management solution that can be used to facilitate connectivity of non-owned mobile devices to a corporate or guest network.  In addition to these options, we also offer IDManager which can be used to control access to your corporate or guest network by non-company owned devices through a simplified, common web interface.

In terms of actually using a signed certificate for RADIUS authentications, it is a matter of:

1) Generating a CSR (Certificate Signing Request) via your HiveManager using a common name in a domain name that you control (e.g. radius.yourdomain.com)**
2) Presenting your CSR to your Certification Authority (CA) of choice.
3) Validating that you own the right to request certificates for that domain name that your CSR contains.  
4) Importing the signed certificate the CA provides you following your validation process.
5) Importing the CA chain (the root CA and any Intermediate CA used to sign your server certificate) into HiveManager.
6) Associating these certificates and the private key (created as a part of the CSR generation) to your RADIUS server object in HiveManager.

** Do not use wildcard certificates for RADIUS servers.  Windows supplicants read the asterisk as a literal name and will fail certificate validation.

-Rusty
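The CSR steps in the answer above, worked through with OpenSSL as an added example (this is not code from the original post, and not HiveManager's own CSR tooling, which the answer uses; the CSR produced here can be submitted to a CA and the signed result imported in the same way). The hostname radius.example.com, the output directory and the file names are assumptions. Besides building the CSR, it checks the two things a practitioner gets bitten by: a wildcard in the name (the answer's footnote) and an internal-only name such as accesspoint.domain.local, which no public CA can validate ownership of, so it can never pass step 3 of the list.

```shell
#!/bin/sh
# Added example, not from the original post or Aerohive. Assumes OpenSSL 1.1.1+
# (for -addext) and a hostname you control, e.g. radius.example.com.

# Reject names that cannot be used for a publicly trusted RADIUS server cert:
#  - a wildcard: Windows supplicants treat '*' as a literal label (per the post)
#  - an internal suffix such as .local: a public CA cannot validate ownership,
#    so the CSR would never be signed (assumption: only .local/.lan are checked)
check_radius_cn() {
  case "$1" in
    *'*'*)  echo "reject: wildcard name '$1' fails Windows supplicant validation"; return 1 ;;
    *.local|*.lan) echo "reject: '$1' is an internal name no public CA will validate"; return 1 ;;
    *)      echo "ok: $1"; return 0 ;;
  esac
}

# Step 1: generate a private key and a CSR whose CN and SAN are the FQDN
# the supplicants will be configured to expect. The key never leaves this
# host; only the .csr is handed to the CA.
# Usage: make_radius_csr radius.example.com /path/to/outdir
make_radius_csr() {
  fqdn="$1"; out="${2:-.}"
  check_radius_cn "$fqdn" >/dev/null || return 1
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# Review the names inside a CSR before sending it to the CA (step 2).
# Prints the Subject line and any DNS SAN entries.
show_csr_names() {
  openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Steps 4-5: after the CA returns the signed certificate, confirm it chains
# to the bundle (root plus intermediates) you are about to import alongside it.
# Usage: verify_chain radius.example.com.crt ca-chain.pem
verify_chain() {
  openssl verify -CAfile "$2" "$1"
}
```

Run `make_radius_csr radius.example.com ./out` and then `show_csr_names ./out/radius.example.com.csr` before submitting the CSR; once the CA returns the certificate, `verify_chain` against the same chain file you import in step 5 catches a missing intermediate before any supplicant does.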