Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1962
Views
4
Helpful
5
Replies

Untrusted Certificate when performing PEAP Authentication

Go to solution
cgarthvdb
Level 1
Level 1

‎12-04-2017 02:49 AM

Hi All,

I have an ISE deployment and we generated a MultiUse CSR and signed it using Comodo Public CA, the certificate works 100% when accessing the Portals (CWA) Admin etc however when authenticating a wireless client using PEAP some clients report a certificate trust error.

Has anyone experienced the same issue or know of a solution to this?

Regards

Garth

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to cgarthvdb

‎12-05-2017 01:02 AM

Discovering the Advanced Client Settings of 802.1X - TechGenix

might help.

The native supplicant on Windows client OS by default validates the server certificate of EAP servers and also often prompts to confirm the authenticating EAP server associated with the expected Wi-Fi network ID.

View solution in original post

5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-04-2017 08:23 AM

What clients? For ios devices you will need to manually trust the certificate upon initial connection even though it’s a valid certificate.

https://www.google.com/search?ei=UHYlWrKIL4W5ggfPnZrwDQ&q=iosmanualtrustcertpeap&oq=iosmanualtrustcertpeap&gs_l=psy-ab.3..33i160k1l2.34357.35016.0.35204.5.5.0.0.0.0.137.475.1j3.4.0....0...1.1.64.psy-ab..1.4.475...33i22i29i30k1.0.RbyEieLab0Q

Go to solution
cgarthvdb
Level 1
Level 1
In response to Jason Kunst

‎12-04-2017 11:20 PM

Hi there, thank you for the response, we are experiencing this issue on different clients, mostly Apple devices but have also experienced it on some Windows 7 PC's. Android devices are not affected.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎12-04-2017 07:49 PM

As Jason said, this is expected on many client operating systems. On Apple iOS, for example, it shows the certificate of ISE EAP server as "Not Verified" while using an ad-hoc Wi-Fi WPA2 enterprise connections. http://training.apple.com/pdf/WP_8021X_Authentication.pdf says,

... The first time the user joins a device to an 802.1X-protected network, the device will prompt the user to trust the server’s certificate.

In order to make the certificate trusted, it needs included as part of a configuration profile installed via ISE BYOD, Apple Configurator 2, or a 3rd-party MDM.

Go to solution
cgarthvdb
Level 1
Level 1
In response to hslai

‎12-04-2017 11:22 PM

Thank you, unfortunately it is not only apple iOS devices, we are having the same issue on some corporate windows PC's.

This is very strange, I have logged a TAC with Cisco and am awaiting feedback.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to cgarthvdb

‎12-05-2017 01:02 AM

Discovering the Advanced Client Settings of 802.1X - TechGenix

might help.

The native supplicant on Windows client OS by default validates the server certificate of EAP servers and also often prompts to confirm the authenticating EAP server associated with the expected Wi-Fi network ID.

Customers Also Viewed These Support Documents