802.1x Without Certificates

jacovr
Level 1

I have the following setup:

  • 5508 WLC
  • ISE 1.2

The wireless network is completely separate from the corporate network & is purely used for Internet access.

The users connect in 2 different ways:

  • Guest Access by means of a Guest Portal (Guest SSID)
  • 802.1x Pointing to Internal Users on the ISE box. (Corporate SSID)

All Mobile devices connect fine to the corporate SSID, the problem is with Laptop users.

At this stage, in order for the users to connect to the Corporate SSID, I need to manually set up the wireless connection and remove the "Verify the server's identity by validating the certificate" tick box under PEAP settings.

Is there any way to bypass/rectify this, (This is only used for Internet, hence the Customer will not install a CA server)

I need the users to connect to the Corporate SSID without manually setting up the wireless connection.

5 Replies

George Stefanick
VIP Alumni

Jacovr,

The point of using 802.1X is to provide a means of security for the corporate users when connecting to WiFi. First we need to cover the purpose of cert validation. The RADIUS server sends the device cert to the client. The client then uses this cert to hash their logon and AD and pass it to the RADIUS server, where the RADIUS server uses the private key. To protect against a man in the middle attack the client can validate the certificate. If you choose not to, and many people do btw, you can unselect this. But know anyone running your SSID with FreeRADIUS and the hack can put your IDs/passwords at risk.

This is a client configuration. Nothing you can do on the infrastructure side of this to bypass it. Here are a few ideas.

1) I assume these corporate users have machines that are part of AD. If so you can push the WLAN profile with the specific WLAN settings automagically.

2) If you don't have AD you can use a tool like AnyConnect and provide a profile via email a user can launch, and it will configure the WLAN profile.

3) With ISE you can build a policy and push down a WLAN profile, but here again they need to connect the first time. I have seen users do an onboarding network for WLAN profiles.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"Im like bacon, I make your wireless better"

Thanks for the info.

These machines do not belong to AD so the profile cannot be pushed down.

I reckon option 3 will be my best bet then, even if I need to connect them to a different SSID first.

I have never done the onboarding / profile push via ISE. Can you perhaps point me to a "workable" guide on how this is done? I see the demos on the www all make use of an AD server.

Regards

Jaco

Onboarding requires a license, but there are other ways ISE can push certificates; but not having a CA.... I don't know if there is a good solution. You will need to set up their devices if you want them to connect to the network since they are non-domain computers. No matter what, there will be manual intervention somewhere.

Thanks,

Scott


Quick Question.

Why do some of the users (like my laptop) connect seamlessly? And others don't? And when I look at the config, my device does have that tick box ticked!

To understand this we need to go back to certs and PEAP. I don't know who your RADIUS PEAP cert is signed by, but let's assume you have a PKI.

Your device cert installed on the RADIUS server is signed by your CA (PKI). On your device you have the root and intermediate from your PKI in your cert store. If you open the device cert you will see the chain. If you have yours ticked and you are selecting a specific cert and you have the cert trust (root and intermediate), then you will be good.

Assume a user who gets the cert and has the wrong cert ticked. Won't work. Also assume the user is verifying an entirely different cert. Won't work.

Check and see what certs you are validating and what certs they are. Also, what cert in the RADIUS server is used for PEAP and who signed it?

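Added example, not posted by anyone in this thread: a PowerShell audit of the saved Wi-Fi profiles on a Windows laptop that reports, for each PEAP (EAP type 25) profile, whether server certificate validation is on and which root CA thumbprints and server names it trusts. It is the client-side version of the "check what certs you are validating" advice above, and it assumes only the built-in netsh tool; the XML element names are the ones netsh export writes.

```powershell
# Audit saved WLAN profiles for PEAP server-validation settings (read-only).
# Assumes Windows with netsh; reads the client side only, nothing on WLC/ISE.
function Get-PeapValidationReport {
    $tmp = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        # With no name= argument netsh exports every saved profile, one XML each.
        netsh wlan export profile folder="$tmp" | Out-Null

        foreach ($file in Get-ChildItem -Path $tmp -Filter *.xml) {
            [xml]$p = Get-Content -Path $file.FullName -Raw
            $ssid = $p.WLANProfile.name
            $sec  = $p.WLANProfile.MSM.security
            if ($sec.authEncryption.useOneX -ne 'true') { continue }   # PSK/open SSID: nothing to check

            # PowerShell dot-navigation ignores XML namespaces, so this walks the
            # EapHostConfig layout netsh writes without declaring each namespace.
            $eap = $sec.OneX.EAPConfig.EapHostConfig.Config.Eap
            if ($eap.Type -ne '25') {
                [pscustomobject]@{ SSID=$ssid; Method="EAP $($eap.Type)"; Status='N/A'; TrustedRootCA=''; ServerNames='' }
                continue
            }
            $peap     = $eap.EapType
            $validate = $peap.PeapExtensions.PerformServerValidation      # 'true' when the tick box is set
            $roots    = @($peap.ServerValidation.TrustedRootCA) -ne ''    # SHA-1 thumbprints of trusted roots
            $names    = $peap.ServerValidation.ServerNames               # RADIUS cert subject names, may be empty

            # WEAK = validation off, or on but trusting any root in the store (no pinned thumbprint).
            $status = if ($validate -eq 'true' -and $roots.Count -gt 0) { 'OK' }
                      elseif ($validate -eq 'true') { 'WEAK (any trusted root)' }
                      else { 'WEAK (no server validation)' }

            [pscustomobject]@{
                SSID          = $ssid
                Method        = 'PEAP'
                Status        = $status
                TrustedRootCA = ($roots -join ';')
                ServerNames   = $names
            }
        }
    }
    finally {
        Remove-Item -Recurse -Force $tmp -ErrorAction SilentlyContinue
    }
}

Get-PeapValidationReport | Format-Table -AutoSize
```

A profile reported as WEAK is the one that would hand its MSCHAPv2 exchange to any RADIUS server broadcasting that SSID; the fix is to re-enable validation and pin the root that signed the ISE PEAP certificate, then distribute that corrected XML with `netsh wlan add profile filename=<file> user=all`.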