WPA2 Enterprise authentication with Server certificate validation

  • Question
  • Updated 3 years ago
Hi guys,

Need some expert opinion on our setup. We have an SSID enabled with WPA2-Enterprise authentication, using Cisco ACS as the RADIUS server.

The authentication protocol allowed is PEAP; however, the self-signed certificate will expire in another 3 days. Due to this we renewed the certificate for another 5 years, and we plan to export it and push the new server certificate to clients through Microsoft GPO (Group Policy).

On the client side, certificate validation is enabled.

My question is:

1. Can a client with the old cert still authenticate even though the server certificate in ACS has already been renewed before the expiry date?

2. I have already tested using the old certificate on the client side and it was able to authenticate successfully, but is it because there is some caching in Aerohive for a certain time that allows this?

3. After 24 hours, we see the client is unable to connect to the wireless anymore. Because of this the client is unable to retrieve the GP update, and we rely heavily on the wireless connection.
Mohd Hafiz Mohd Zin

Posted 3 years ago

Roberto Casula, Champ
If you are using external RADIUS (you mention ACS, so I assume that is what you are using), then the whole 802.1X exchange is transparent to the Aerohive AP - the PEAP connection and all the authentication occurs directly between the client (supplicant) and RADIUS server, with the AP just blindly passing packets backwards and forwards between the two. If the AP is running as the RADIUS server, then the situation is different.

I am assuming that by PEAP you mean PEAP-EAP-MSCHAPv2 (rather than PEAP-EAP-TLS), i.e. that you are authenticating the user/machine using a username and password. In that case, the certificate is for the RADIUS server and allows the client to validate that it is talking to the RADIUS server it is expecting to be talking to - it has nothing to do with the authentication of the user by the RADIUS server. Again, the situation is different if you are using mutual certificate authentication (EAP-TLS or PEAP-EAP-TLS, which Microsoft calls "Smart card or other certificate"; EAP-TLS is "Smart card or other certificate" in the first authentication type list in the settings, PEAP-EAP-TLS is "Smart card or other certificate" under the PEAP authentication type).

In the SSID settings in Windows, you have the option as to whether or not to validate the RADIUS server certificate. There are two levels of validation. The first ("Validate Server Certificate") just validates that the certificate is signed by the specified certificate authority and is "in date". The second also validates that the subject in the certificate matches what you have configured in the SSID settings ("Connect to these servers"). You then also have the option as to whether the user can authorise the connection if a different certificate is presented.

In general, for maximum security and to protect against somebody spoofing your SSID and "tricking" your clients into connecting, you should push the SSID settings out administratively via group policy and use both the "Validate Server Certificate" and "Connect to these servers" settings, and disable the ability for the user to authorise a different certificate.

I would also recommend using a certificate for the RADIUS server that is signed by an Enterprise CA rather than being self-signed. By having a Microsoft Enterprise CA in particular, you will automatically have the root certificate propagated to clients and you also have the certificate revocation list distributed in Active Directory. CRLs are quite important, as the Microsoft SChannel component will by default stop a certificate being used if the CRL cannot be retrieved after a period of time as the client does not know whether the certificate has been revoked. You then also have the option to switch to TLS authentication by using certificate auto-enrolment via Group Policy.
Dianne Dunlap
It would probably be a good idea to use GPO to push policy to *not* validate server cert, straighten out the issue with the new certificate, then after testing, re-enable validate server cert.