RADIUS Certificates and WLC Configuration

stelker77 (Level 1)

Hello all,

Thanks in advance for taking the time to view my post.

With the recent Android change that requires server certificate validation, some of our Android users who are not able to associate to our wireless LAN due to the self-signed certificate we have installed on ACS are feeling the pain.

I understand there are some peculiarities with how to configure the CN and SANs on the EAP/PEAP/etc. certificate so it will be accepted by all clients. If anyone has a full description of the best practices for this, please feel free to contribute your knowledge!

But my question is specifically on the following: How do the clients ever learn what CN or SAN they are supposed to be comparing against when they receive the certificate? When visiting a website, it makes sense to me--I am visiting xyz.com, my browser knows this and therefore the CN or SAN in the certificate should list xyz.com or *.xyz.com, otherwise my browser tells me something isn't right. However, in the WLC configuration interface, I only see the option to specify our ACS server by its IP address. I take this to mean that the client is communicating directly or via the WLC to the ACS server using direct IP rather than an initial DNS lookup. Does that mean the certificate would need to have a SAN option listing the ACS server IP? Is the DNS name in the certificate irrelevant for RADIUS authentication? Or perhaps I am completely misunderstanding the process (quite likely!)?

Thanks again for your time.

3 Replies

saravlak (Spotlight)

Obtain a public cert from GoDaddy, Verisign, ... Use the domain name of your org, and make sure DNS resolves it.

Browser will accept the public cert as it's signed.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216191-troubleshoot-common-cisco-ise-guest-acce.html

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2015/pdf/BRKSEC-2035.pdf

Scott Fella (Hall of Fame)

You need to look at what trusted root CAs Android has in its trusted certificate store. You would need to have your RADIUS server use one of those, which means you have to generate a CSR and submit it for a certificate. You would then need to make sure the root and intermediate CA certificates are installed in ACS and that DNS is valid for the FQDN you are using on the certificate and the ACS hostname.
The ACS and client will do the negotiation; the WLC has nothing to do except forward the RADIUS request. There is no way around this issue if Android stops supporting RADIUS servers with self-signed certificates. If you have an MDM, you can always push a certificate to the device and use EAP-TLS. There are various other options, but all are big changes and not a quick fix.

-Scott

patoberli (VIP Alumni)

And to add, on Android when you add the network, you have a field called "Domain", into which you enter the domain the certificate was issued for. Let's say the certificate is for radius.example.com; then you would enter example.com. As long as the RADIUS server now sends a certificate issued to example.com (by a generally known certificate issuer), the device will be able to connect.

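As an added example that is not part of the original thread: the check patoberli describes, and the reason Scott's advice puts a DNS name rather than the ACS IP address on the certificate, can be emulated in a few lines of Python. Android's "Domain" field is wpa_supplicant's domain_suffix_match: the supplicant takes the dNSName SAN entries of the EAP server certificate (or, only when the certificate carries no dNSName at all, the subject CN) and compares them label by label from the right against each ';'-separated suffix. The WLC's RADIUS configuration and DNS resolution play no part in that comparison. The certificate dicts below are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(); no real certificate or server is involved.

```python
"""
Emulate the Android "Domain" field (wpa_supplicant's domain_suffix_match) check
that a supplicant applies to the RADIUS/EAP server certificate during PEAP or
EAP-TLS. Added example; the certificates below are constructed samples in the
dict shape returned by ssl.SSLSocket.getpeercert(), not real certificates.
"""
from __future__ import annotations


def suffix_match(name: str, required: str) -> bool:
    """Label-by-label suffix match, compared from the top-level domain leftwards.

    "example.com" matches "radius.example.com" and "example.com" itself, but not
    "test-example.com" (label boundary) or "example.com.evil.net" (wrong tail).
    DNS names are case-insensitive, so both sides are lower-cased.
    """
    name_labels = name.lower().rstrip(".").split(".")
    req_labels = required.lower().rstrip(".").split(".")
    if len(req_labels) > len(name_labels):
        return False
    return name_labels[-len(req_labels):] == req_labels


def candidate_names(cert: dict) -> list[str]:
    """Names the supplicant compares: dNSName SAN entries if any exist, else the CN.

    'IP Address' SAN entries are deliberately not considered, so a certificate
    that lists only the ACS IP address falls back to the CN and normally fails.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return dns_names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def android_domain_accepts(cert: dict, domain_field: str) -> bool:
    """True if the certificate satisfies the Domain field ('a.com;b.org' allows several)."""
    suffixes = [s.strip() for s in domain_field.split(";") if s.strip()]
    if not suffixes:
        # With no suffix there is nothing to pin the server name to; newer Android
        # requires the field when system CAs are used, so treat it as an error here.
        raise ValueError("Domain field is empty: no server name check is possible")
    return any(suffix_match(name, suffix)
               for name in candidate_names(cert) for suffix in suffixes)


# Constructed sample certificates (getpeercert() shape); none of these is real.
GOOD_CERT = {
    "subject": ((("commonName", "radius.example.com"),),),
    "subjectAltName": (("DNS", "radius.example.com"), ("DNS", "acs01.example.com")),
}
IP_ONLY_CERT = {  # the hypothesis in the question: SAN carries only the ACS IP
    "subject": ((("commonName", "acs01"),),),
    "subjectAltName": (("IP Address", "10.1.1.5"),),
}
CN_ONLY_CERT = {  # no SAN extension at all: supplicant falls back to the CN
    "subject": ((("commonName", "radius.example.com"),),),
}
LOOKALIKE_CERT = {  # names that contain "example.com" without being under it
    "subject": ((("commonName", "radius.example.com.evil.net"),),),
    "subjectAltName": (("DNS", "radius.example.com.evil.net"), ("DNS", "test-example.com")),
}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("ip-only", IP_ONLY_CERT),
                        ("cn-only", CN_ONLY_CERT), ("lookalike", LOOKALIKE_CERT)]:
        print(f"{label:10s} Domain=example.com -> {android_domain_accepts(cert, 'example.com')}")
```

Run it directly to see each sample evaluated against a Domain field of example.com. The practical reading for the question in the thread: put the server's FQDN in both the CN and a dNSName SAN, have it issued by a CA already in Android's trust store, and enter the registered domain in the Domain field; the IP address the WLC uses to reach ACS never enters into the client's check.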