cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Popup Hotspot Using ISR 1000 with WiFi/LTE for Teleworkers and Micro Branchesr

Ask Me Anything – How to Enable Network Connectivity to Remote Workers
371
Views
10
Helpful
11
Replies
Highlighted
Beginner

How to get a paid cert for PEAP 802.1x WLAN from 3rd party

We have a Cisco 2504 WLC running release 8.5.140.0. At least one WLAN uses PEAP 802.1x (the option that requires a server-side certificate only) with the WLC EAP profile. We also have another WLAN that uses a captive portal.

 

We had a user associate to the captive portal Wi-Fi the other day, but his Google Chrome browser wouldn't let him access the login page because it wasn't trusted (and it also did not give him the option of trusting it). For this reason, we'd like to get a 3rd party (paid) webauth certificate.

 

Our users who connect to the PEAP 802.1x WLAN also get a security warning, so we'd like to get a 3rd party (paid) vendor device certificate for that as well, but I'm not sure how we can go about getting a cert for this use, since this isn't going to be used for a website in the traditional sense.

 

Can someone help me outline what I need to get the paid webauth certificate, and how to get the vendor device certificate? This link shows how to do it, but I'm more interested in the types of questions for the 3rd party.

 

How does the 3rd party verify you own whatever common name you put in the certificate?

 

For the webauth cert, you could do a whois on the domain, but what if you use a .local domain? Also, for the PEAP 802.1x cert, what "certificate" do you need to get from the 3rd party? Is it still called an "SSL certificate" even though it won't be used on a traditional website?

 

This will be for a home network (BYOD environment). We don't have administrative control over the devices that connect to the network. I'm looking a low-cost solution (< $50 per year ideally). I looked at a LetsEncrypt certificate, but it looks like I'd need to re-run the certbot validation regularly, and I'd also have to reinstall the certificate every 3 months as well.

Everyone's tags (4)
11 REPLIES 11
Highlighted
Hall of Fame Master

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Here is a quick high level overview. Let’s start with PEAP. Typically you have a root ca, along with intermediate ca and subordinate ca’s in your environment. Now the radius server, wireless devices would be joined to the domain so that the certificate is trusted. If you are trying to get phones and tablets connected to PEAP, then yes, the device will ask to trust the certificate but only the first time. Windows domain machines would trust the certificate because all pieces are joined to the domain:

CA servers
Radius servers
Wireless domain joined devices

For webauth, you can just look at NamesCheap or RapidSSL or any certificate vendor. You will just need to make sure that the guest devices can resolve the FQDN of the certificate and that the virtual interface ip address resolves to the FQDN.
-Scott
*** Please rate helpful posts ***
Highlighted
Beginner

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Hi Scott,

Thanks for your reply. Is there a way to get a PEAP certificate from a 3rd party instead of running our own PKI? This is strictly a BYOD environment, so all devices would have to manually trust it on initial connection.

 

The reason why we want to get a PEAP certificate from a 3rd party is because on the Android phones, users get a security alert "Network may be monitored!" when the Cisco WLC presents a PEAP certificate whose root CA is not trusted (even after manually trusting it on the initial connection). We'd also like to avoid running our own PKI if possible.

Highlighted
Hall of Fame Master

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

You can do that and install the certificate in your radius server.
-Scott
*** Please rate helpful posts ***
Highlighted
Beginner

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Do you think any SSL cert from a 3rd party can be installed on the RADIUS server, or does it need to be a different "type" of SSL cert since it's not for a traditional website?

Highlighted
Hall of Fame Master

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

I don’t see why not. Get your WebAuth cert first and try to install that. That will tell you if it works or not.
-Scott
*** Please rate helpful posts ***
Highlighted
Contributor

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

just curious, what kind of radius server you have ?

 

-Rate helpful posts-
Highlighted
Beginner

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

I'm just trying to use the Cisco WLC embedded RADIUS server.

I think if I try to get a cert from a 3rd party to use for the RADIUS server, I'll have to include specific key usages, as specified in my CSR.

Highlighted
Contributor

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

I did this a while ago and used webserver template for the signing the certificate and it works.

-Rate helpful posts-
Highlighted
Contributor

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Hi Scott, won't it create a certificate warning since both NamesCheap or RapidSSL are not trusted by android device or browser ?

 

-Rate helpful posts-
Highlighted
Hall of Fame Master

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

It should be trusted, they are just a vendor that will generate certificates that are trusted. You can always reach out to them and verify that they can generate a Known CA.
-Scott
*** Please rate helpful posts ***
Highlighted
Hall of Fame Master

Re: How to get a paid cert for PEAP 802.1x WLAN from 3rd party

You can review their sites for the certificate authority they use.

https://www.namecheap.com/support/knowledgebase/article.aspx/808/69/root-certificates

https://knowledge.digicert.com/generalinformation/INFO1548.html#links
-Scott
*** Please rate helpful posts ***
CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey