Authenticate Win 7 machines using a HiveManager CA: can it be done without using RADIUS on the network server?

  • Question
  • Updated 4 years ago
  • Answered
What is the best way to authenticate win 7 machines without using network resources
Chris Craig

  • 10 Posts
  • 0 Reply Likes

Posted 4 years ago

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
If you want the users to authenticate against Active Directory on the corporate LAN but not have to deploy a RADIUS server or service (Microsoft NPS, for example) then you can utilise the integrated RADIUS service in each Aerohive access point.  If you utilise the HiveManager CA then you will need to "push" the HiveManager root certificate to each Windows 7 client or they will not trust any certificates signed by the HiveManager CA.  If you can't "push" the HiveManager root certificate to each Windows 7 client then you could obtain a certificate from a public CA, such as VeriSign, and import it into the HiveManager.  When configuring the RADIUS service, specify that the public CA certificate should be utilised and the Windows 7 clients will automatically trust it.  However, as your clients are Windows 7, the users will need to manually configure the wireless profile to support the EAP type specified in the RADIUS service (PEAP MSCHAPv2, for example); otherwise they will not connect.  Normally this is done with Group Policy but in your case this may not be possible.

If you don't want the users to authenticate against Active Directory on the corporate LAN you could utilise local RADIUS accounts or Private PSKs.  Private PSK authentication does not require the RADIUS service so will be the easiest to implement.  If you decide to head down the Private PSK route you need to have a serious look at whether they provide an appropriate security level for the resources that will be accessible - long passphrases with small letters, capitals, numbers and special characters are strongly recommended.  The "gotcha" of Private PSKs is that a third party who has physical access to one of your Windows 7 laptops will be able to obtain that user's passphrase (Start -> Control Panel -> Network and Sharing Center -> Manage Wireless Networks -> [SSID] -> Properties -> Security -> Show characters).
(Edited)
Chris Craig

  • 10 Posts
  • 0 Reply Likes
I do have RADIUS; the school has two Server 2012 hosts and AD. The Macs have no problem logging onto the APs, but the Win 7 machines are a little more sensitive and need me to set up RADIUS. Was looking for a secure workaround. Just got the Aerohive today; we currently use Aruba. Not sure what is required to set up the Aerohive on RADIUS. Do you know any reading or video that can walk me through the steps? I have students that only need server services like printers and KMS. I have staff that need full access. Printers and projectors and the easy guests. For the staff and students I want the WiFi to be seamless.  Thank you for your help.
Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Have you utilised group policy to "push" the 802.1X wireless profiles to the Windows 7 clients?

In terms of utilising the integrated RADIUS service have a look at https://community.aerohive.com/aerohive/topics/can_someone_provide_me_with_a_step_by_step_guide_for_...

If you want users to seamlessly authenticate with Active Directory then you will need an SSID with 802.1X authentication.  The 802.1X authentication is configured through a RADIUS service and, as you have Windows clients, you really have two options:

  1. PEAP MSCHAPv2.  PEAP MSCHAPv2 only requires certificates to be installed on the RADIUS server.  Not as secure as EAP-TLS but, if it is configured correctly, it is more secure than PSK authentication.
  2. EAP-TLS.  EAP-TLS requires both server and client certificates so you will need a PKI infrastructure.  If the school is relatively small (i.e. it is not a university or equivalent) it will most likely not have a PKI infrastructure.
If you are going to have a complex authentication system (i.e. you will have a large number of use case scenarios) then I would recommend utilising an external RADIUS service, such as Microsoft's NPS.
(Edited)