RADIUS Certificates and BYOD

alecfraser
Level 1

Hi all,

I'm currently working on deploying publicly signed certificates for RADIUS authentication with ISE version 2.2 specifically to avoid users of BYOD devices (Windows 10, macOS and iOS) having to trust the RADIUS certificate when joining the wireless network.

I understand that the general recommendation is to use internally signed certificates, deployed to the clients trust stores and tied to wireless profiles. As this is a purely BYOD deployment, there's no option to deploy certificates or profiles.

I tried deploying certificates purchased from DigiCert and went through various iterations of the certs (DigiCert allow you to create duplicates of a cert with different CNs and SANs) but in every situation the client devices prompted to accept the certificates.

After doing some further digging I found an Apple support article (https://support.apple.com/en-au/HT207866) which implies that, without deploying a profile to the device, both macOS and iOS will always prompt to trust the certificate (emphasis mine):

Configure Trusted Server Names in a configuration profile

You can also configure Trusted Server Names to prevent users from being prompted to trust RADIUS server certificates. Use a case-sensitive value that matches the Common Name of your RADIUS server certificates. The value can also include a wildcard character to identify multiple RADIUS servers within the same domain. For more information, see the EAPClientConfiguration Dictionary in the Apple Developer Configuration Profile Reference.

On the Windows 10 side, it appears that most engineers who encounter this issue either deploy a wireless profile to their clients or disable the Validate Server Certificate option. Neither of these is a viable option with BYOD. Another, Windows 10-specific approach that I've seen mentioned appears to be using a top-level certificate supplier like Comodo or Verisign, as they're natively trusted without verification... but I can't confirm that this will definitely work.


What I'm hoping to confirm is: will a BYOD client always prompt the user to accept the RADIUS certificate, or is there a certificate provider who is natively trusted that will allow us to avoid the prompt?


Cheers,

Alec
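As an added example (not from this thread, nor Apple's or Cisco's own code), here is how the Trusted Server Names setting from the Apple article quoted above is expressed in a configuration profile: a Python script that emits a .mobileconfig whose EAPClientConfiguration pins the RADIUS server name and the trust anchor, so the device validates the server instead of prompting. The payload keys follow Apple's Configuration Profile Reference; the SSID, server names, payload identifiers and CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample values: your SSID, the RADIUS certificate CNs, signing-CA DER.
SSID = "Corp-BYOD"
TRUSTED_SERVER_NAMES = ["ise-psn1.example.com", "*.ise.example.com"]
CA_CERT_DER = b"PLACEHOLDER-DER-BYTES"  # placeholder, not a real certificate


def build_wifi_profile(ssid, trusted_server_names, ca_cert_der):
    """Return .mobileconfig bytes: a root-cert payload plus a Wi-Fi payload
    whose EAPClientConfiguration pins the RADIUS server name and anchor."""
    anchor_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": "com.example.byod.radius-ca",
        "PayloadUUID": anchor_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "RADIUS CA",
        "PayloadContent": ca_cert_der,  # bytes are written as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.byod.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP
            # Case-sensitive CN match; a wildcard entry covers several servers.
            "TLSTrustedServerNames": list(trusted_server_names),
            # Only a chain ending at the cert payload above is accepted.
            "PayloadCertificateAnchorUUID": [anchor_uuid],
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.byod.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "BYOD Wi-Fi",
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)

def payloads_by_type(profile_bytes):
    """Parse a profile back and map each PayloadType to its payload dict."""
    return {p["PayloadType"]: p for p in plistlib.loads(profile_bytes)["PayloadContent"]}
```

Write the bytes returned by build_wifi_profile() to a .mobileconfig file and sign it before distribution; the profile still has to reach the device somehow, which is exactly the gap the thread is about.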

1 Accepted Solution

Oliver Laue
Level 4

Hi,

iOS and macOS will always prompt the user to accept the RADIUS certificate without a proper Configuration Profile applied.

I think Windows 10 will perform the same, but I'm not 100% sure about this.

The Validate Server option shouldn't be disabled on Windows because this can cause your clients to expose their login credentials to honeypots.

An option could be NSP provisioning on ISE, but in the case of Apple devices it's the usability worst case, and admin privileges are required on Windows, with a lot of potential for failures.