
How to get a paid cert for PEAP 802.1x WLAN from 3rd party

Sam Brynes
Level 1

We have a Cisco 2504 WLC running release 8.5.140.0. At least one WLAN uses PEAP 802.1x (the option that requires a server-side certificate only) with the WLC EAP profile. We also have another WLAN that uses a captive portal.

We had a user associate to the captive portal Wi-Fi the other day, but his Google Chrome browser wouldn't let him access the login page because it wasn't trusted (and it also did not give him the option of trusting it). For this reason, we'd like to get a 3rd party (paid) webauth certificate.

Our users who connect to the PEAP 802.1x WLAN also get a security warning, so we'd like to get a 3rd party (paid) vendor device certificate for that as well, but I'm not sure how we can go about getting a cert for this use, since this isn't going to be used for a website in the traditional sense.

Can someone help me outline what I need to get the paid webauth certificate, and how to get the vendor device certificate? This link shows how to do it, but I'm more interested in the types of questions for the 3rd party.

How does the 3rd party verify you own whatever common name you put in the certificate?

For the webauth cert, you could do a whois on the domain, but what if you use a .local domain? Also, for the PEAP 802.1x cert, what "certificate" do you need to get from the 3rd party? Is it still called an "SSL certificate" even though it won't be used on a traditional website?

This will be for a home network (BYOD environment). We don't have administrative control over the devices that connect to the network. I'm looking for a low-cost solution (< $50 per year ideally). I looked at a Let's Encrypt certificate, but it looks like I'd need to re-run the certbot validation regularly, and I'd also have to reinstall the certificate every 3 months as well.

11 Replies

Scott Fella
Hall of Fame
Here is a quick high-level overview. Let's start with PEAP. Typically you have a root CA, along with intermediate CA and subordinate CAs in your environment. Now the RADIUS server, wireless devices would be joined to the domain so that the certificate is trusted. If you are trying to get phones and tablets connected to PEAP, then yes, the device will ask to trust the certificate but only the first time. Windows domain machines would trust the certificate because all pieces are joined to the domain:

CA servers
RADIUS servers
Wireless domain joined devices

For webauth, you can just look at Namecheap or RapidSSL or any certificate vendor. You will just need to make sure that the guest devices can resolve the FQDN of the certificate and that the virtual interface IP address resolves to the FQDN.
-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for your reply. Is there a way to get a PEAP certificate from a 3rd party instead of running our own PKI? This is strictly a BYOD environment, so all devices would have to manually trust it on initial connection.

The reason why we want to get a PEAP certificate from a 3rd party is because on the Android phones, users get a security alert "Network may be monitored!" when the Cisco WLC presents a PEAP certificate whose root CA is not trusted (even after manually trusting it on the initial connection). We'd also like to avoid running our own PKI if possible.

You can do that and install the certificate in your RADIUS server.
-Scott
*** Please rate helpful posts ***

Do you think any SSL cert from a 3rd party can be installed on the RADIUS server, or does it need to be a different "type" of SSL cert since it's not for a traditional website?

I don’t see why not. Get your WebAuth cert first and try to install that. That will tell you if it works or not.
-Scott
*** Please rate helpful posts ***

Just curious, what kind of RADIUS server do you have?

-hope this helps-

I'm just trying to use the Cisco WLC embedded RADIUS server.

I think if I try to get a cert from a 3rd party to use for the RADIUS server, I'll have to include specific key usages, as specified in my CSR.

I did this a while ago and used the webserver template for signing the certificate, and it works.

-hope this helps-
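
Added example (not part of any post in this thread, and not Cisco's procedure): one way to build a CSR that requests the key usages discussed in the two replies above, the same Server Authentication purpose a web-server template sets, using OpenSSL. The hostname `radius.example.com`, the file names and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: CSR for an EAP (PEAP) server certificate, built with OpenSSL.
# Hostname, file names and function names are placeholders (assumptions).

make_eap_csr() {
    # $1 = output directory, $2 = FQDN placed in the CN and subjectAltName
    dir=$1; fqdn=$2
    cat > "$dir/eap-csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = eap_server

[ dn ]
CN = $fqdn

[ eap_server ]
# serverAuth is the Server Authentication purpose that a web-server
# certificate template also sets; it is requested here for the EAP server.
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn
EOF
    # Generate a fresh 2048-bit RSA key and the CSR in one step.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/eap-csr.cnf" \
        -keyout "$dir/eap-server.key" \
        -out "$dir/eap-server.csr" 2>/dev/null || return 1
    chmod 600 "$dir/eap-server.key"   # private key readable by owner only
}

csr_has_server_auth() {
    # Succeeds only if the CSR at $1 requests the serverAuth EKU.
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

csr_subject_alt_names() {
    # Prints the subjectAltName value of the CSR at $1 without spaces.
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

A public CA may ignore extensions requested in a CSR and apply its own profile, so inspect the issued certificate with `openssl x509 -noout -text` before installing it.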

Hi Scott, won't it create a certificate warning since both Namecheap and RapidSSL are not trusted by Android devices or browsers?

-hope this helps-

It should be trusted, they are just a vendor that will generate certificates that are trusted. You can always reach out to them and verify that they can generate a Known CA.
-Scott
*** Please rate helpful posts ***

You can review their sites for the certificate authority they use.

https://www.namecheap.com/support/knowledgebase/article.aspx/808/69/root-certificates

https://knowledge.digicert.com/generalinformation/INFO1548.html#links
-Scott
*** Please rate helpful posts ***