11-14-2014 09:57 AM
That depends on whether you use EAP-MSCHAP v2 or EAP-TLS in your 802.1x authentication.
When you connect to the wireless using 802.1x authentication (EAP-MSCHAP v2), the certificate on your RADIUS service encrypts the session to the client (just like a web page uses an SSL cert to encrypt a browser session). Only the RADIUS server is required to have a certificate. This type of session commonly asks for a username and password to complete the MSCHAP v2 authentication. It also generates a check on the certificate just like a browser checks an https connection (unless the profile specifies otherwise). Because you are using an internal certificate authority (CA), the CA's certificate is not present in the end device's certificate store as a trusted root certificate authority (unless you are using an enterprise CA and it is a domain computer). Most devices alert you to this and allow you to import the certificate at that time when you accept it (i.e. the first time you connect). For this authentication type, the certificate only needs an enhanced key usage:
Server Authentication (1.3.6.1.5.5.7.3.1)
If you are connecting using 802.1x authentication (EAP-TLS) then a certificate must reside on both the server and the client and the session is authenticated using the certificates at both ends. In this case, both certificates must do both Server authentication and client authentication and the certificates used must be trusted on both the RADIUS and client. For your domain computers, you can look at a computer/user certificates and see the "Enhanced Key Usage" includes:
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
The RAS and IAS certificate template also contains both client and server authentication.
This allows domain computers to work great with an internal enterprise CA because the CA's certificate gets pushed to all domain computers as a trusted root CA.
Since you are using EAP-MSCHAP v2, you only need the one cert for the RADIUS. Yes, a 3rd party web cert will work with RADIUS.
1. 3rd party web certs will include server authentication. Almost all include both server and client authentication.
2. 3rd party certs cannot include unregistered domain names (i.e. myserver.mydomain.local). You can only get certs for your internet registered domain name (i.e. myserver.mydomain.com). There will be a verification email to the contacts of your internet registered domain name.
3. The RADIUS doesn't work with the wildcard *.mydomain.com certificate. It needs to be a fully qualified domain name (i.e. myserver.mydomain.com).
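The post boils down to a few checks on the RADIUS certificate: the Enhanced Key Usage must carry Server Authentication (1.3.6.1.5.5.7.3.1), EAP-TLS additionally needs Client Authentication (1.3.6.1.5.5.7.3.2), a public CA will not issue for an unregistered name such as .local, and a wildcard name does not work for RADIUS. The script below is an added example, not code from the post or from Cisco: it decodes a DER-encoded extendedKeyUsage extension into dotted OIDs and applies those checks. The EKU byte strings and host names are constructed sample values; the `eap_method` and `from_public_ca` parameters are this example's own names.

```python
"""Decode a DER extendedKeyUsage value and check a cert against the RADIUS criteria above."""
from typing import List, Tuple

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

# Constructed sample extension values (DER): SEQUENCE OF OBJECT IDENTIFIER.
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
EKU_BOTH = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn DER OID content bytes into dotted form.
    The first byte packs the first two arcs as 40*a + b; later arcs are base-128."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value: bytes) -> List[str]:
    """Parse an extendedKeyUsage extension value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(v))
    return oids


def radius_cert_check(subject_cn: str, ekus: List[str],
                      eap_method: str, from_public_ca: bool) -> List[str]:
    """Return the problems found (empty list means the cert fits the criteria in the post).
    eap_method is "EAP-MSCHAPv2" or "EAP-TLS"; from_public_ca says a 3rd party CA issued it."""
    problems = []
    if "*" in subject_cn:
        problems.append("wildcard name; RADIUS needs a fully qualified host name")
    if from_public_ca and subject_cn.lower().endswith(".local"):
        problems.append("unregistered .local name; a public CA will not issue for it")
    if OID_SERVER_AUTH not in ekus:
        problems.append("missing Server Authentication EKU")
    if eap_method == "EAP-TLS" and OID_CLIENT_AUTH not in ekus:
        problems.append("EAP-TLS needs Client Authentication EKU as well")
    return problems


if __name__ == "__main__":
    for cn, eku, method, public in [
        ("radius.mydomain.com", EKU_SERVER_ONLY, "EAP-MSCHAPv2", True),
        ("*.mydomain.com", EKU_BOTH, "EAP-MSCHAPv2", True),
        ("radius.mydomain.local", EKU_SERVER_ONLY, "EAP-TLS", True),
    ]:
        print(cn, method, parse_eku(eku), radius_cert_check(cn, parse_eku(eku), method, public))
```

On a real certificate the raw extension value can be pulled with `openssl asn1parse` or any X.509 library and fed to `parse_eku`; the subject name check is intentionally simple and only looks at the common name the post talks about.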