iPads and smart phones will not connect username password using RADIUS, Apple Macs connect fine, Dell Win 7 will not connect. Help, new WiFi

iPads and smart phones will not connect username password using RADIUS, Apple Macs connect fine, Dell Win 7 will not connect, Win 8.1 will. Help, new WiFi

Chris Craig

Posted 4 years ago

Jonathan Hurtt

What are you using for the RADIUS server? Are the Windows Devices part of the Domain? 

Chris Craig

The Aerohive AP 230 RADIUS. Yes, WIN are part of the domain. WIN 8.1 works fine, Win 7 machine not so good.

Jonathan Hurtt

So the AP230 is the RADIUS Server, so that means that the RADIUS Server will be presenting the Server Certificate to the clients, which is not trusted by the client.

You really have 3 options:
1. Purchase 3rd Party CA signed Certificate
2. Download Server Certificate to the device as a trusted certificate
3. Disable validation of certificate in the 802.1X Supplicant. 

This thread might help you... https://community.aerohive.com/aerohive/topics/supplicants_validation_of_certificates_for_802_1x

Chris Craig

Thank you for your help.

Travis Kaufman, Champ

Chris - if you need more assistance I created a Doc on how to do step 3. 

Nick Lowe, Official Rep

3. Disable validation of certificate in the 802.1X Supplicant.

This advice is only to be used while testing to understand the nature of 802.1X or a fault.

You should never disable certificate validation in production as it opens your network to significant vulnerability. Conceptually, it is easier to break than WEP when certificates are not validated via an active attack.

Where a username/password based inner-EAP type is used, it is normally possible to extract this, usually with the assistance of something like CloudCracker.

Andrew MacTaggart, Champ

Well stated!

I use the Intel PROSet supplicant for Win 7 as it supports EAP-GTC and works a whole lot better than the built-in Windows supplicant. So depending on your wireless network card there may be a 3rd party supplicant that makes things easier but still secure.

1. Purchase 3rd Party CA signed Certificate

Will cost a couple of hundred USD, but less time-consuming than other options.

But it should be from a CA that is in the preloaded trusted CAs for your different device vendors.

Travis Kaufman, Champ

Can you export the cert from HiveManager and add to your GPO? 

Nick Lowe, Official Rep

The best thing to do is to have your PKI infrastructure outside of anything Aerohive in this regard and to import a certificate. Tools exist to help you configure client supplicants correctly too.

Travis Kaufman, Champ

Understood.  Thanks
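
An added example, not from any poster in this thread or from Aerohive: a Python check that reads the PEAP section of a Windows wireless profile (as written by `netsh wlan export profile`) and reports when server certificate validation is disabled or not pinned, the condition warned about above. The sample XML, server name and thumbprint are constructed placeholders; the element names are the ones Windows uses in PEAP profile XML, and the hardening checks are this example's assumptions.

```python
import xml.etree.ElementTree as ET

def _texts(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit_peap_profile(xml_text):
    """Return findings for the PEAP server-validation settings of one profile."""
    root = ET.fromstring(xml_text)
    findings = []
    if "false" in [t.lower() for t in _texts(root, "PerformServerValidation")]:
        findings.append("server certificate validation is disabled")
    if not any(_texts(root, "TrustedRootCA")):
        findings.append("no trusted root CA is pinned")
    if not any(_texts(root, "ServerNames")):
        findings.append("no RADIUS server name is pinned")
    prompt = [t.lower() for t in _texts(root, "DisableUserPromptForServerValidation")]
    if "true" not in prompt:
        findings.append("users may be prompted to trust an unknown server")
    return findings

def sample_profile(validate, root_ca, names, no_prompt):
    """Constructed, trimmed PEAP section; real exports carry more elements."""
    ca = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return f"""<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>{ca}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

# Placeholder thumbprint and server name, constructed for this example.
WEAK = sample_profile("false", "", "", "false")
HARDENED = sample_profile("true", "00 11 22 33 (placeholder thumbprint)",
                          "radius.example.com", "true")

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_peap_profile(xml_text) or "ok")
```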