Solved: SSL-Certificates on WLC 5508

dariopalermo · ‎04-03-2019

Hi guys, I'm just starting to configure a WLC 5508 for employee wifi access. I did the LDAP setup, configured a local PEAP profile etc.

When I try to setup the wireless connection on my smartphone, I get a certificate warning about the self-signed Cisco certificate of the WLC. Authorizing it the connection is established. What kind of certificate do I need to install (and how) in the WLC to avoid the warning? I'd like to create an error free procedure for my users, the ssl warning could create some unnecessary panic...

PS

I already changed the web certificate with a valid one (I used a public wildcard certificate and mapped the WLC in our DNS - we use split technique - to an FQDN of the domain covered by the certificate).

bye, Dario

patoberli · ‎04-04-2019

Even then you get asked, because a rogue person could create his own Radius and do an MitM attack. The only way to validate this as an end user, is by validating the certificate (thumbprint) presented by the radius server and shown to the end user with the one written down in the manual of the SSID. That or use an MDM solution.

Worse, some clients don't even allow a connection if the certificate root isn't known and trusted by the client (which at least protects you from MitM with not signed certificates).

View solution in original post

Ric Beeching · ‎04-03-2019

Web certificate only works for web-auth pass through not local EAP. On your WLC you'll need to upload a vendor device certificate and a vendor CA certificate under the management section. Then create an EAP Profile under Security -> Local EAP -> Profiles which has PEAP selected only, and uses the vendor certificate in its profile.

I think you are already aware the certificate chain must be signed by a trusted public CA for clients to not prompt with a warning when connecting.

Good luck!
Ric

-----------------------------
Please rate helpful / correct posts

patoberli · ‎04-04-2019

You will ALWAYS get asked for the certificate if you use PEAP with MS-CHAPv2 (username + password authentication via Radius), unless you use an MDM solution to pre-configure the wireless profile + certificate on your devices.

Ric Beeching · ‎04-04-2019

I don't think that's true Patoberli.. if the RADIUS server certificate is signed by a public trusted CA it should be fine?

-----------------------------
Please rate helpful / correct posts

patoberli · ‎04-04-2019

Even then you get asked, because a rogue person could create his own Radius and do an MitM attack. The only way to validate this as an end user, is by validating the certificate (thumbprint) presented by the radius server and shown to the end user with the one written down in the manual of the SSID. That or use an MDM solution.

Worse, some clients don't even allow a connection if the certificate root isn't known and trusted by the client (which at least protects you from MitM with not signed certificates).

Ric Beeching · ‎04-04-2019

Of course, the client won't be able to validate the trust due to no DNS/OSCP/CRL validation being available during the .1X authentication which is why it works for web auth.

Cheers!

-----------------------------
Please rate helpful / correct posts

dariopalermo · ‎07-01-2019

Thanks, I'll look into MDM solutions, I'm having also other issues that are pushing me to do that.

bye, Dario