Supplicant validation of certificates for 802.1x

  • Question
  • Updated 3 years ago
  • Answered
Hi,

I am setting up my first RADIUS 802.1x network and have a general query about connecting a Windows 7 client.

I can successfully connect Apple and iPhone clients as they seem to accept and install the certificate automatically.

On a Windows client I can also only successfully authenticate and connect to the internet etc. after I deselect "Validate Server Certificate" in the "Protected EAP Properties" section of the Manage Wireless Network Properties options.

However, when I have installed the Default_CA.pem (.cer) into the Trusted Certificates section so that Hivemanager appears in the above validated server list, the validation does not let me onto the network.

I am wondering, firstly, if I need to install a certificate on all Windows clients?
And secondly, do I just install the Default_CA.pem, or do I need to create a new Default_CA.pem with other credentials?
Are there other certificates that I should also install?

Thanks in advance!
Jason
Jason Hills

Posted 5 years ago
Matthew Gast
Hi Jason,

When you run a TLS-based EAP method like PEAP, there are two authentications going on. The RADIUS server presents a server certificate to your supplicant, and once that is validated, the supplicant supplies a username/password combo.

You can pass the RADIUS server certificate validation in three ways. You can accept whatever certificate is presented by the server, you can choose not to validate it (ok, so maybe the first two are similar), or you can install trusted root certificates that enable you to trust the RADIUS server's certificate. Any of these three options lets the supplicant pass the server authentication and proceed to client authentication.

To validate the RADIUS server certificate, you need to trace all the way back to the CA that issued it. If you're using Microsoft NPS, the certificate is the root server in the Microsoft CA.
Jason Hills
Thanks Matthew. I have configured some of the AP121s to function as RADIUS servers which talk to a local LDAP Linux server.

Just to clarify my understanding, since in this case the Aerohive APs are effectively RADIUS servers issuing server cert authentication to clients, is the AP the root CA that issued it?

Would I need to modify the default_CA.pem, as I have only tried with this out of the box?

Just trying to get an understanding of the levels involved.

Thanks for the fast response Matthew.

thanks
Jason.
Shawn Rasmussen
Jason,

I had a very similar problem to this, which support helped me resolve. Here is what I had to do:

First, install the Default_CA.pem on your Windows 7 client into Trusted Root Certificates for the Local Computer. You do not need to modify the Default_CA.pem, or at least I didn't, and since it is your root CA, you should not need any other certs installed.

Second, configure your wireless network settings in Windows. When you are in the Properties dialog for the wireless network, click the Security tab. In the middle of the page you will see a Settings button, click that. This is where you unchecked the Validate server certificate. Leave that checked, but in the list of Trusted Root Certification Authorities, scroll down until you see HiveManager and check its box. This allows that SSID to validate using that CA certificate.

It sounds like you have Linux as your directory services, but if you do have Active Directory, this is all easily configured via Group Policy. Mine is set up and works very slick.

Hope that is somewhat helpful.

Shawn
Jason Hills
Thanks for that Shawn, these comments are great as they reinforce my thinking, as these were the same steps I took.

I must be close, as I can tell that my credentials are being authenticated correctly, because when I deselect the "Validate Server Certificate" box I can log in. However, when this is ticked and Hivemanager selected, I receive the error message below upon connecting.

In the details of this error message it refers to the HM Server not being configured as a valid NPS server. Do you know of a simple fix for this configuration?
Or perhaps this is a red-herring?

Then when I select "Connect" it then fails to connect with the usual contact Administrator error message.

See the error message image below:


Interesting that for Apple laptops and iPhones the server certificate process is not as detailed.
Any further help would be much appreciated,
thanks
Jason
Shawn Rasmussen
From what you are describing, it sure seems like you are having a problem with certificate validation. When you validate, it fails. When you don't validate, it succeeds.

So, I would make sure you have the HM CA certificate installed in Trusted Root in Local Computer. (I've sometimes accidentally put it in the local user instead, which doesn't work.) Make sure that CA cert is valid for the current date. Make sure the date and time is set correctly and syncing with a valid time source for HM and the PC and your directory services servers. Do you have something in DNS that is giving it a different name than is expected and would cause the validation to fail?

In Active Directory, you have to create directory objects for the RADIUS servers. There is a tool to do that in HM. Have you created those objects (I don't know if they are necessary for Linux, but my guess is that they would be)? Also, there is a RADIUS auth test tool in HM; does that succeed when you run it? I would guess all these RADIUS/directory tests would succeed since you are getting in when you don't validate the cert, but it never hurts to double-check, right?

Hope that helps.

Shawn
Niamh Hull
Hi Shawn, if the 802.1x process is layer 2, how can DNS be relevant? Is it not a different authentication mechanism to a scenario where you connect using HTTPS to a web server, and a browser certificate common name check against DNS servers is possible because it is layer 3? Until successful authentication, does the Aerohive AP only allow EAP traffic through?
Shawn Rasmussen
Perhaps. My post wasn't meant to be a discussion of the technical minutiae of 802.1x. It was meant to solve the problems Jason was experiencing at the time. If you want to know more about the details of 802.1x, there are many great resources out there for that. But I'm not really one of them. :) I know what I know based on the experience of actually implementing it a couple of times and getting it to work. And I was trying to use that to help Jason. It sounds like you know as much as I do about the theory of it, or more.
Jason Hills
Hi Shawn,
Would you mind pointing me in the direction to verify I'm installing in the Local Computer, as when I find the Trusted Root Certificates I cannot really tell if it's the Local User or Local Computer.

I am using the NTP server as the time source for HM, so hopefully that's ok.

thanks again,
Jason
Shawn Rasmussen
Sure.
1. Open MMC by typing "mmc" in the search box on your Start menu. Then right-click and run as administrator.
2. From the File menu, choose "Add/Remove Snap-in"
3. From the available list, choose Certificates, and click the Add button.
4. Choose Computer account
5. Choose Local computer
6. Click OK until you get to the main MMC screen
7. Expand the Certificates (Local Computer) node
8. Right-click on Trusted Root Certification Authorities
9. Mouse-over All Tasks and click Import.

You should be able to walk through the wizard and import your CA cert.

As far as the time goes, I'd check the time on your PC and double-check your time zones on both the HM and the PCs.

Thanks,

Shawn
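The same Local Computer import, scripted, as an added example that is not part of the thread or of any Aerohive tooling. It is PowerShell I wrote for this page and it uses only the .NET X509 classes that ship with Windows 7, so it does not need the PKI module. The file paths, the check for a stray copy in the CurrentUser store, the validity-window check and the optional chain test against an exported RADIUS server certificate are my additions; the paths are assumptions, and only a CA certificate (never a key file) belongs in Trusted Root.

```powershell
# Added example (not from the thread): import the RADIUS CA into the *computer*
# Trusted Root store, the one the Windows 802.1X supplicant consults, and run the
# sanity checks Shawn listed. Must run elevated (the same reason MMC needed admin).
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell: LocalMachine\Root is admin-only.' }

function Import-RadiusRootCA {
    param([Parameter(Mandatory=$true)][string]$Path)   # e.g. C:\certs\Default_CA.pem (assumed path)
    # X509Certificate2 loads DER (.cer) or PEM (Base64 with BEGIN/END headers) files.
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # LocalMachine\Root, never CurrentUser\Root (the mis-install Shawn mentions).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    if (-not ($store.Certificates | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })) {
        $store.Add($ca)
    }
    $store.Close()

    # Warn if a copy only ever went into the user store; that copy does nothing for 802.1X.
    $userStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $userStore.Open('ReadOnly')
    if ($userStore.Certificates | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }) {
        Write-Warning 'CA is also in CurrentUser\Root; the supplicant ignores that copy.'
    }
    $userStore.Close()

    # Validity window: a CA outside NotBefore..NotAfter, or a client with a wrong clock
    # or time zone, fails server validation with an unhelpful error.
    $now = Get-Date
    if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
        Write-Warning ("CA not valid at {0}: valid {1} .. {2}" -f $now, $ca.NotBefore, $ca.NotAfter)
    }
    return $ca
}

function Test-RadiusServerCert {
    # Optional: if you exported the RADIUS server certificate (public part only),
    # confirm it really chains to the CA just imported.
    param([Parameter(Mandatory=$true)][string]$ServerCertPath)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A private CA usually publishes no reachable CRL, and the client has no network
    # before 802.1X succeeds anyway, so do not fail the check on revocation lookups.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($server)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    }
    return $ok
}

# Usage (paths are assumptions for illustration):
$ca = Import-RadiusRootCA -Path 'C:\certs\Default_CA.pem'
"Imported CA '{0}', thumbprint {1}" -f $ca.Subject, $ca.Thumbprint
# Test-RadiusServerCert -ServerCertPath 'C:\certs\radius_server.cer'
# Clock sanity: certificate dates are checked against this machine's clock.
w32tm /query /status
```

Run it once per non-domain PC; afterwards the HiveManager CA shows up in the "Trusted Root Certification Authorities" list of the PEAP properties dialog, and the chain test tells you whether the certificate the APs present is actually issued by the CA you imported rather than some other one.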
Paolo Moserle
Hi all, I have the same problem! I notice that it occurs in Windows Vista and 7, but not in Windows 8 or on Apple devices. I followed the AAWC slides to install the certificate on Windows 7.
Shawn Rasmussen
Jason,

Did you ever get this resolved? I'm curious as to what you found out.

Shawn
Jason Hills
Thanks for getting back to me. I couldn't confirm the trusted cert location as I don't have admin rights to access the MMC as above.
But our Aerohive support managed to replicate the issue and have suggested a resolution, where I need to import both the Default_CA.pem (which I had done) as well as the combined server CSR+key cert to the Win7 client. I hope to try this on Friday at site - will keep you posted.
Unfortunately the IT department does not run a Windows server so there is no way to automate pushing to clients.

Jason
Michael Drummond
I too am having a similar problem. I have seen the screen shot that was supplied by Jason, both on Windows 7 and Windows 8.
Once I added the certificate through MMC all I get is the error "Can't connect to this network" and I have not seen the terminate or connect window again.
Did you ever get to the bottom of the issue?
Jason Hills
Unfortunately it wasn't resolved. There were only a couple of Win 7 laptops, the rest Macs, so I was able to manually ignore the cert on Windows, while iOS and Androids could accept the new root cert no problem.
Still wished I could have got it sorted though.

I remember my Win7 machine getting in the same state as yours where I could no longer connect. I'm sure I had to reboot and/or re-enter my 802.1x credentials in the Advanced Security settings of the SSID manager.

Interested to see how it ends for you.
BJ, Champ
Michael,
I just closed a ticket regarding this issue. Originally I had used the AH self signed cert, which will throw the "untrusted error." Here is the summary of my case notes...

1) issue a csr from HM, export and submit to AD server
2) generate cert/key pair on Win server...ran into another issue, the following link helped... http://retro.motd.org/?p=211
3) received and installed the cert and key from the AD server on the HM
4) pushed config to AP AAA servers (delta)
5) pushed the cert to AD clients via a policy server

We still had the same issue. After letting it "rest" we looked it over some more this afternoon and noticed the clients were still using the old cert. We reviewed both the HM and AD configs and saw no discrepancies.

I performed another push to the AAA APs, this time as complete. After rebooting the APs, my non-Win clients immediately started requesting acceptance of the new cert and my Win clients no longer threw the error.

Hope this helps!
Scott M., Sr. Support Engineer
Hello Jason,

Have you been able to resolve the issue?
Jan Stoops
The solution with a GPO is ok; however, what to do with visitors?
Shawn Rasmussen
Jan,

I think it would depend on your environment and requirements for visitors. The great part about Aerohive is there are lots of options.

You could do something relatively complex with something like ID Manager. I've never done one - it's always seemed a little more complex than what I need. I'm sure other members of the community could comment more.

What I do is make a separate PSK SSID with a simple PSK and a captive web portal. It is very easy to set up, users (and fellow employees who are going to be helping those users) understand PSK, and most devices now are smart enough to prompt you, telling you that you are required to enter the web "login" for the captive web portal. Then, in the back, we separate out all our guest traffic from our corporate (RADIUS) traffic with VLANs - it gets sent out to separate switches and routers to the internet.

But that's just what we do. You could make it even simpler, or much more complex than that.

Shawn
Jan Stoops
Shawn,

great info and thanks for the reply. We've implemented this solution as mentioned in your post and it seems to work.

Jan
Husam Ismail
Hello there, I have a similar problem. Was anyone able to get over it?
Shawn Rasmussen
Husam,

I think people have had a number of similar, but different, problems in the course of this thread. I have had an 802.1x environment up and running using PEAP on Aerohive for over a year, so I have overcome all my problems. Are you just having problems with certificate validation? If so, could you post any error messages you might be getting (as well as the OS you are using) and I will try to help you?

Or better yet, start a new thread. :)

Shawn
Phill
The question I have is why Windows 7 needs a root CA installed on machines, when OSX or even iOS or Android get pushed a certificate and accept it on the device.

Can the same be achieved in Win7 without the use of group policies or the likes ?
Shawn Rasmussen
Phill,
If you use a trusted certificate for your RADIUS server, you already have the root CA certificate installed. Or if you have your own internal CA, you should deploy that root cert to your Windows clients.

I'm assuming that neither of those is true for you. The reason you need to deploy the root certs on Windows is for security. The validation process for certificates is meant to provide a secure chain of trust for your devices. Is that secure chain of trust really served by providing a little dialog that says, "I don't know who this is, should I trust them anyway?" Are your users educated enough to know when to say yes and when to run like heck? I'm pretty sure mine aren't. They just say yes because they always say yes, without even reading the information about what they are trusting.

To deploy the certificate for Windows, group policy is the easiest if it is available. You can also go to each PC and manually deploy it. Clever scripting folks can probably come up with something that will deploy these via script, but I've never done it and couldn't really point you in the right direction.
Phill
The problem I have is that the experience is the same across all OSes except Windows 7... is that because Win7 is the only OS to have validation enabled by default?

I know the process is broken and the root CA (our internal CA) should be installed on each machine. However, it doesn't make sense to me that Win7 users cannot get on at all without the root CA (if it can't contact for validation), whereas every other OS can simply by accepting the "I dont know who this is" notification.
Shawn Rasmussen
I'm not sure we're not talking about something different now. You mean that the clients can't get on without trusting the root CA certificate, right? Not that you are having issues with online CAs vs. offline CAs and CRLs, right?

If your Windows clients trust the CA (CA certificate is installed in trusted root certs in Windows), your CA shouldn't necessarily need to be online.

I don't really think you're talking about that, but thought I'd check. 

Your observations of the Windows 7 behavior are correct. You cannot get online without doing some config to get them to trust that cert. There is no big red easy button (if you don't have group policy anyway). Whether that is good or bad depends on which side of the fence (or data breach) you're sitting on, I think.

Just to be clear, this is a Windows issue and is not specific to Aerohive.
Phill
Shawn,

Thanks for the info and clarification.

Not pointing fingers at Aerohive at all, simply trying to figure out if others have run into this same issue and if/can it be solved without installing the root CA on all Win7 machines (as it is with OSX/iOS and Android).

Which from what you're saying isn't possible. Most of the Windows machines we have connecting to wifi are not actually configured to be on the domain - so if its the only way, manually install it is, I guess! :-/
brad
I'm experiencing the same issue with Windows machines that are not on the domain.  I'm kind of stuck on this one because there is no easy way to deploy our Root CA to the Trusted CA store of Windows boxes that we don't manage.  I really don't understand why windows is different from all other OS platforms (iOS, Mac, Android).  I'm trying to think outside the box and come up with a solution that allows "Bring Your Own Devices" to be connected to our private wi-fi network.  We are currently using the simple psk and captive web portal, but that has been tough to support.  We would like to use the basic WPA2/Enterprise with 802.1x authentication and get rid of the simple psk and captive web portal auth requirements.
sebastian cerazy
There was a problem with Windows 7 for non-AD-joined computers (BYOD users' own devices) due to certificate issues.
Then Windows 8.x "fixed" that.
Now Windows 10 is back to the same behaviour as Win7 previously.

Basically making it impossible to connect to wireless with AD user credentials, UNLESS one manually sets up the network and unchecks server certificate validation.

Unless I were to purchase commercial certificate, I see no easy way to get it working with AD CA (and I am NOT going to ask users to install my root CA certificate!)

Seb