02-05-2018 05:59 PM
Hi all,
I'm currently working on deploying publicly signed certificates for RADIUS authentication with ISE version 2.2 specifically to avoid users of BYOD devices (Windows 10, macOS and iOS) having to trust the RADIUS certificate when joining the wireless network.
I understand that the general recommendation is to use internally signed certificates, deployed to the clients trust stores and tied to wireless profiles. As this is a purely BYOD deployment, there's no option to deploy certificates or profiles.
I tried deploying certificates purchased from DigiCert and went through various iterations of the certs (DigiCert allow you to create duplicates of a cert with different CNs and SANs) but in every situation the client devices prompted to accept the certificates.
After doing some further digging I found an Apple support article (https://support.apple.com/en-au/HT207866) which implies that, without deploying a profile to the device, both macOS and iOS will always prompt to trust the certificate (emphasis mine):
Configure Trusted Server Names in a configuration profile
You can also configure Trusted Server Names to prevent users from being prompted to trust RADIUS server certificates. Use a case-sensitive value that matches the Common Name of your RADIUS server certificates. The value can also include a wildcard character to identify multiple RADIUS servers within the same domain. For more information, see the EAPClientConfiguration Dictionary in the Apple Developer Configuration Profile Reference.
On the Windows 10 side, it appears that most engineers who encounter this issue either deploy a wireless profile to their clients or disable the Validate Server Certificate option. Neither of which are viable options with BYOD. Another Windows 10-specific option that I've seen mentioned appears to be using a top-level certificate supplier like Comodo or Verisign, as they're natively trusted without verification, but I can't confirm that this will definitely work.
What I'm hoping to confirm is: will a BYOD client always prompt the user to accept the RADIUS certificate, or is there a certificate provider who is natively trusted that will allow us to avoid the prompt?
Cheers,
Alec
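For reference, this is what the profile-based approach in the Apple article quoted above looks like in practice. It is an added example, not part of the original post and not Cisco or Apple material. It assumes a hypothetical SSID "CorpWiFi", a RADIUS server certificate issued by a public CA (such as the DigiCert certificate mentioned above) whose Common Name falls under the assumed domain `*.example.com`, PEAP (EAP type 25) as the outer method, and placeholder payload identifiers and UUIDs. Because the certificate chains to a CA already in the system trust store, no anchor certificate payload is included; the `TLSTrustedServerNames` entry is what stops the trust prompt, and `TLSAllowTrustExceptions` set to false prevents the user from clicking through to a server whose name does not match.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Example Wi-Fi configuration profile (added illustration, not from the original thread).
     SSID, identifiers, UUIDs and the *.example.com server-name pattern are placeholders. -->
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.byod.wifi</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key>
  <string>CorpWiFi (PEAP, public CA)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.byod.wifi.ssid</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadDisplayName</key>
      <string>CorpWiFi</string>
      <key>SSID_STR</key>
      <string>CorpWiFi</string>
      <key>AutoJoin</key>
      <true/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP; the inner MSCHAPv2 credentials are entered by the user at join time -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer>
        </array>
        <!-- Case-sensitive match against the RADIUS certificate's Common Name.
             A wildcard covers every ISE PSN under the same (assumed) domain. -->
        <key>TLSTrustedServerNames</key>
        <array>
          <string>*.example.com</string>
        </array>
        <!-- Do not let the user accept a server whose name does not match. -->
        <key>TLSAllowTrustExceptions</key>
        <false/>
        <!-- PayloadCertificateAnchorUUID is omitted on purpose: the chain terminates
             in a public CA already present in the device trust store. For an internal
             CA, add a com.apple.security.root payload and list its UUID here. -->
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

The profile still has to reach the device, which is exactly the constraint described in the post: without an MDM enrolment, a mail or web download of the .mobileconfig, or ISE's own BYOD provisioning flow, iOS and macOS have no trusted-server-name list and fall back to prompting the user.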
02-05-2018 10:53 PM
Hi,
iOS and macOS will always prompt the user to accept the RADIUS certificate without a proper Configuration Profile applied.
I think Windows 10 will perform the same but I'm not 100% sure about this.
The Validate Server option shouldn't be disabled on Windows because this can cause your clients to expose the login credentials to honeypots.
An option could be NSP provisioning on ISE, but in the case of Apple devices it's the usability worst case, and admin privileges are required on Windows, with a lot of potential for failures.