topic Certificate Question. in Wireless

Certificate Question.

Andrew Cormier — Sun, 04 Jul 2021 06:21:18 GMT

Hi,

We have a 5500 controller with one of the WLANS using 802.1X authentication.

We are going to revoke the certificate (retiring the CA) and want to use a different cert.

Do I specify the cert in the Controller Admin page or only in the Network Policy properties on the NPS server (2008r2)

Or am I just talking gibberish?

Thanks

Drew

Re: Certificate Question.

Scott Fella — Wed, 16 Jan 2013 00:53:58 GMT

The certificate needs to be on the radius server since your doing 802.1x.

Sent from Cisco Technical Support iPhone App

Certificate Question.

Amjad Abdullah — Wed, 16 Jan 2013 07:45:17 GMT

Hi Andrew,

I agree with Scott. The certificate must be on the RADIUS server (NPS in your case).

During the authentication phase, the client communicates with the server and validates the certificate of the server. The controller only forwards the traffic back and forth between the client and the server. The clietns need to verify the radius certificate and the issuer's root CA certificate of the server must be installed on the trusted list in the client's machine in order to consider it acceptable.

So, just like Scott said, the certificate must be on the server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: Certificate Question.

George Stefanick — Wed, 16 Jan 2013 12:47:33 GMT

Client validation is optional for some clients. Not mandatory. I only note this because you can get yourself in trouble with this one 😉

Sent from Cisco Technical Support iPhone App

Certificate Question.

Andrew Cormier — Wed, 16 Jan 2013 14:48:29 GMT

Love this forum. Thanks guys.

I will try it at lunch time and update/rate your responses

Certificate Question.

Scott Fella — Wed, 16 Jan 2013 15:30:14 GMT

I would assume that since your NPS is part of the domain, when you bring up the new CA, it would push certificates to all existing servers.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Certificate Question.

Andrew Cormier — Wed, 16 Jan 2013 15:35:42 GMT

Yeah Scott.

Not a best practice but we promoted a second enterprise CA in tandem with the first.

We only use certs for two things.. OCS and Wireless so it isnt a big deal to revoke.

The second GC came up about a month ago. Anyone who hasnt gotten it as a trusted root will have issues but that should be pretty small. We already did OCS and weeded most of the problems then.

Do you think changing the cert on the Radius server will cause users to reauthenticate? If there is a problem and it doesnt work would I see it right away with existing active connections or only when a use tries to connect ? Know what I mean?

Certificate Question.

Scott Fella — Wed, 16 Jan 2013 15:40:22 GMT

If you are validating the server certificate, then yes that will be an issue. You would have to trust that new server certificate, push that out in GPO and then adjust the GPO wireless profile to trust the new server certificate. It might be easier if you are validating the server certificate is to push out a new wireless profile that doesn't validate the server certificate. This way devices will not be affected.... Then put the new certificate on the NPS and allow devices to connect and monitor any issues. Then you can update the wireless GPO policy to trust the new server cert. This way, since most people never plug in, they will still be connected to the wireless and able to get a GPO push. Makes sense?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Certificate Question.

George Stefanick — Wed, 16 Jan 2013 16:03:33 GMT

Validating the certificate is a double edge sword. It takes planning.

From personal experience I will leave you with this one statement: If you validate the certificate, you need to make sure you have a means to manage that change through a PUSH mechanism. There will come a day that you might need to change the name of the trusted site. If you don't have a means to push, then you will need to touch each and every device.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Certificate Question.

Andrew Cormier — Wed, 16 Jan 2013 17:27:04 GMT

Went into NPS... changed the cert for the new one. My existing connection stayed up.

Disconnected and joined another WLAN.. reconnect to the 802.1x net no issues.

Rebooted and automatically connected the 802.1x net

Joy

Thanks to all !!

Certificate Question.

Scott Fella — Wed, 16 Jan 2013 18:24:42 GMT

Glad you got it working!

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"