We have a Cisco 2504 WLC running release 22.214.171.124. At least one WLAN uses PEAP 802.1x (the option that requires a server-side certificate only) with the WLC EAP profile. We also have another WLAN that uses a captive portal.
We had a user associate to the captive portal Wi-Fi the other day, but his Google Chrome browser wouldn't let him access the login page because it wasn't trusted (and it also did not give him the option of trusting it). For this reason, we'd like to get a 3rd party (paid) webauth certificate.
Our users who connect to the PEAP 802.1x WLAN also get a security warning, so we'd like to get a 3rd party (paid) vendor device certificate for that as well, but I'm not sure how we can go about getting a cert for this use, since this isn't going to be used for a website in the traditional sense.
Can someone help me outline what I need to get the paid webauth certificate, and how to get the vendor device certificate? This link shows how to do it, but I'm more interested in the types of questions for the 3rd party.
How does the 3rd party verify you own whatever common name you put in the certificate?
For the webauth cert, you could do a whois on the domain, but what if you use a .local domain? Also, for the PEAP 802.1x cert, what "certificate" do you need to get from the 3rd party? Is it still called an "SSL certificate" even though it won't be used on a traditional website?
This will be for a home network (BYOD environment). We don't have administrative control over the devices that connect to the network. I'm looking for a low-cost solution (< $50 per year ideally). I looked at a LetsEncrypt certificate, but it looks like I'd need to re-run the certbot validation regularly, and I'd also have to reinstall the certificate every 3 months as well.
Thanks for your reply. Is there a way to get a PEAP certificate from a 3rd party instead of running our own PKI? This is strictly a BYOD environment, so all devices would have to manually trust it on initial connection.
The reason why we want to get a PEAP certificate from a 3rd party is because on the Android phones, users get a security alert "Network may be monitored!" when the Cisco WLC presents a PEAP certificate whose root CA is not trusted (even after manually trusting it on the initial connection). We'd also like to avoid running our own PKI if possible.
Do you think any SSL cert from a 3rd party can be installed on the RADIUS server, or does it need to be a different "type" of SSL cert since it's not for a traditional website?
I'm just trying to use the Cisco WLC embedded RADIUS server.
I think if I try to get a cert from a 3rd party to use for the RADIUS server, I'll have to include specific key usages, as specified in my CSR.
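As an added example (not from this thread or from Cisco), here is how the CSR for the WLC's RADIUS/PEAP server identity could be built with OpenSSL so that it carries the extensions a public CA and the PEAP supplicants look for: a SAN entry and the serverAuth extended key usage. The hostname and organisation are placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: build a CSR for the PEAP (RADIUS) server certificate and check
# its extensions before sending it to a third-party CA. Not code from the thread.
# RADIUS_FQDN is a placeholder; it must be a public DNS name you control,
# since public CAs will not issue for .local or other internal names.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
RADIUS_FQDN="${RADIUS_FQDN:-wlc.example.com}"

# OpenSSL request config: CN plus SAN (modern supplicants and browsers ignore a
# CN-only certificate) and extendedKeyUsage=serverAuth, which PEAP clients
# require on the server certificate.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $RADIUS_FQDN
O = Example Home Network
[ext]
subjectAltName = DNS:$RADIUS_FQDN
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate a fresh 2048-bit RSA key and the CSR that references the config above.
make_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/radius.key" -out "$WORKDIR/radius.csr" \
    -config "$WORKDIR/req.cnf" >/dev/null 2>&1
}

# Sanity checks: confirm the CSR really carries the serverAuth EKU and the SAN.
csr_has_server_auth() {
  openssl req -in "$WORKDIR/radius.csr" -noout -text \
    | grep -q "TLS Web Server Authentication"
}
csr_has_san() {
  openssl req -in "$WORKDIR/radius.csr" -noout -text \
    | grep -q "DNS:$RADIUS_FQDN"
}
```

The same `openssl ... -noout -text` inspection can be run on the certificate the CA returns to confirm the extensions survived signing before it is loaded into the WLC.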
I did this a while ago and used the web server template for signing the certificate, and it works.
Hi Scott, won't it create a certificate warning since neither Namecheap nor RapidSSL is trusted by Android devices or browsers?