Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2739
Views
10
Helpful
11
Replies

How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Sam Brynes
Level 1
Level 1

‎04-04-2020 02:16 PM - edited ‎07-05-2021 11:54 AM

We have a Cisco 2504 WLC running release 8.5.140.0. At least one WLAN uses PEAP 802.1x (the option that requires a server-side certificate only) with the WLC EAP profile. We also have another WLAN that uses a captive portal.

 

We had a user associate to the captive portal Wi-Fi the other day, but his Google Chrome browser wouldn't let him access the login page because it wasn't trusted (and it also did not give him the option of trusting it). For this reason, we'd like to get a 3rd party (paid) webauth certificate.

 

Our users who connect to the PEAP 802.1x WLAN also get a security warning, so we'd like to get a 3rd party (paid) vendor device certificate for that as well, but I'm not sure how we can go about getting a cert for this use, since this isn't going to be used for a website in the traditional sense.

 

Can someone help me outline what I need to get the paid webauth certificate, and how to get the vendor device certificate? This link shows how to do it, but I'm more interested in the types of questions for the 3rd party.

 

How does the 3rd party verify you own whatever common name you put in the certificate?

 

For the webauth cert, you could do a whois on the domain, but what if you use a .local domain? Also, for the PEAP 802.1x cert, what "certificate" do you need to get from the 3rd party? Is it still called an "SSL certificate" even though it won't be used on a traditional website?

 

This will be for a home network (BYOD environment). We don't have administrative control over the devices that connect to the network. I'm looking a low-cost solution (< $50 per year ideally). I looked at a LetsEncrypt certificate, but it looks like I'd need to re-run the certbot validation regularly, and I'd also have to reinstall the certificate every 3 months as well.

Labels:
0 Helpful
11 Replies 11

Scott Fella
Hall of Fame
Hall of Fame

‎04-04-2020 03:54 PM

Here is a quick high level overview. Let’s start with PEAP. Typically you have a root ca, along with intermediate ca and subordinate ca’s in your environment. Now the radius server, wireless devices would be joined to the domain so that the certificate is trusted. If you are trying to get phones and tablets connected to PEAP, then yes, the device will ask to trust the certificate but only the first time. Windows domain machines would trust the certificate because all pieces are joined to the domain:

CA servers
Radius servers
Wireless domain joined devices

For webauth, you can just look at NamesCheap or RapidSSL or any certificate vendor. You will just need to make sure that the guest devices can resolve the FQDN of the certificate and that the virtual interface ip address resolves to the FQDN.
-Scott
*** Please rate helpful posts ***

Sam Brynes
Level 1
Level 1
In response to Scott Fella

‎04-04-2020 04:06 PM

Hi Scott,

Thanks for your reply. Is there a way to get a PEAP certificate from a 3rd party instead of running our own PKI? This is strictly a BYOD environment, so all devices would have to manually trust it on initial connection.

 

The reason why we want to get a PEAP certificate from a 3rd party is because on the Android phones, users get a security alert "Network may be monitored!" when the Cisco WLC presents a PEAP certificate whose root CA is not trusted (even after manually trusting it on the initial connection). We'd also like to avoid running our own PKI if possible.

Preview file
246 KB
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Sam Brynes

‎04-04-2020 04:47 PM

You can do that and install the certificate in your radius server.
-Scott
*** Please rate helpful posts ***
0 Helpful

Sam Brynes
Level 1
Level 1
In response to Scott Fella

‎04-04-2020 04:58 PM

Do you think any SSL cert from a 3rd party can be installed on the RADIUS server, or does it need to be a different "type" of SSL cert since it's not for a traditional website?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Sam Brynes

‎04-04-2020 05:58 PM

I don’t see why not. Get your WebAuth cert first and try to install that. That will tell you if it works or not.
-Scott
*** Please rate helpful posts ***

ammahend
VIP
VIP
In response to Sam Brynes

‎04-05-2020 06:23 PM - edited ‎04-05-2020 06:29 PM

just curious, what kind of radius server you have ?

 

-hope this helps-
0 Helpful

Sam Brynes
Level 1
Level 1
In response to ammahend

‎04-05-2020 07:14 PM

I'm just trying to use the Cisco WLC embedded RADIUS server.

I think if I try to get a cert from a 3rd party to use for the RADIUS server, I'll have to include specific key usages, as specified in my CSR.

0 Helpful

ammahend
VIP
VIP
In response to Sam Brynes

‎04-07-2020 07:29 PM

I did this a while ago and used webserver template for the signing the certificate and it works.

-hope this helps-
0 Helpful

ammahend
VIP
VIP
In response to Scott Fella

‎04-05-2020 06:21 PM - edited ‎04-05-2020 06:22 PM

Hi Scott, won't it create a certificate warning since both NamesCheap or RapidSSL are not trusted by android device or browser ?

 

-hope this helps-
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to ammahend

‎04-05-2020 09:33 PM

It should be trusted, they are just a vendor that will generate certificates that are trusted. You can always reach out to them and verify that they can generate a Known CA.
-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Scott Fella

‎04-05-2020 09:38 PM

You can review their sites for the certificate authority they use.

https://www.namecheap.com/support/knowledgebase/article.aspx/808/69/root-certificates

https://knowledge.digicert.com/generalinformation/INFO1548.html#links
-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card