WPA2-Entreprise: which certificate to avoid changing Validate server certificate for Windows guest ?
Hello, I'm running a WPA2 Enterprise Wifi network powered by Freeradius 3.0.12 on Debian Stretch. Currently, Windows guests need to follow a rather long and error prone process like the one described in [1]. The core of this process, is, if I'm not mistaken, to change a default value in Protected EAP Properties configuration window. This default value that needs to changed is the "Validate server certificate" one: its default value is checked (see point 9 in referenced doc). My understanding of this default value is that, "by default, Windows will validate Server Certicate using a list of Trusted Root Certificate Authorities and if no Server Certificate is received then connection is refused with a somehow misleading "Incorrect password" error message".. My questions are: 1- In this context, is correct to say the Server Certicate Windwos is refering to, is a file somewhere in /etc/freeradius directory ? If positive, how does it look like ? A .pem file ? A .der file ? 2- Is it correct to hope that "if WiFi guests are somehow given such a Server Certificate file before trying to connect, they won't need to change Protected EAP Properties" ? Best regards [1] https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_W...
Hi,
Currently, Windows guests need to follow a rather long and error prone process like the one described in [1]. The core of this process, is, if I'm not mistaken, to change a default value in Protected EAP Properties configuration window. This default value that needs to changed is the "Validate server certificate" one: its default value is checked (see point 9 in referenced doc).
My understanding of this default value is that, "by default, Windows will validate Server Certicate using a list of Trusted Root Certificate Authorities and if no Server Certificate is received then connection is refused with a somehow misleading "Incorrect password" error message"..
In my environment, where the certificate is valid, signed by a trusted root (Let's Encrypt), the user still has to accept the certificate the first time he makes a connection. See step 7 and 8 of https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser. If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
My questions are: 1- In this context, is correct to say the Server Certicate Windwos is refering to, is a file somewhere in /etc/freeradius directory ? If positive, how does it look like ? A .pem file ? A .der file ?
2- Is it correct to hope that "if WiFi guests are somehow given such a Server Certificate file before trying to connect, they won't need to change Protected EAP Properties" ?
I never managed to do that. I hope that helps, Olivier
Best regards
[1] https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_W... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Thanks Olivier for replying here. Le lun. 10 sept. 2018 à 09:58, Olivier <Olivier.Nicole@cs.ait.ac.th> a écrit :
Hi,
Currently, Windows guests need to follow a rather long and error prone process like the one described in [1]. The core of this process, is, if I'm not mistaken, to change a default value in Protected EAP Properties configuration window. This default value that needs to changed is the "Validate server certificate" one: its default value is checked (see point 9 in referenced doc).
My understanding of this default value is that, "by default, Windows will validate Server Certicate using a list of Trusted Root Certificate Authorities and if no Server Certificate is received then connection is refused with a somehow misleading "Incorrect password" error message"..
In my environment, where the certificate is valid, signed by a trusted root (Let's Encrypt), the user still has to accept the certificate the first time he makes a connection.
See step 7 and 8 of https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up
It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser.
If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
My questions are: 1- In this context, is correct to say the Server Certicate Windwos is refering to, is a file somewhere in /etc/freeradius directory ? If positive, how does it look like ? A .pem file ? A .der file ?
2- Is it correct to hope that "if WiFi guests are somehow given such a Server Certificate file before trying to connect, they won't need to change Protected EAP Properties" ?
I never managed to do that.
Looking at [2], Eduroam's Windows process is much longer and error-prone than Android's one [2] https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up My goal is simplify this process on Windows machines to the point that guests would only have to fill in their login/password after importing a file. Do you think this can be achieved ? If I'm correctly reading your answer, the answer is (unfortunately) No.
I hope that helps,
Olivier
Best regards
[1]
https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_W...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Olivier <oza.4h07@gmail.com> writes:
Thanks Olivier for replying here.
De rien.
Looking at [2], Eduroam's Windows process is much longer and error-prone than Android's one [2] https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up
I think you'd need only steps 5-8, but you better test that. The previous steps are to make sure the certificate is validated (just the opposite from the linkk you mentioned) and that the system does ot try to use Windows credentials. I think that if you do nohing, by defalt the certificate is validated, leading to step 7-8.
My goal is simplify this process on Windows machines to the point that guests would only have to fill in their login/password after importing a file. Do you think this can be achieved ? If I'm correctly reading your answer, the answer is (unfortunately) No.
I have no definite answer. Loading a file with all the details of the connection is how it works for Mac, but I am not sure it can be acheived with Windows (in fact, eduroam people have worked on that a bit and I don't think they came up with any solution, so I don't think it can be done). Test it is my best advice, then if it works, tell you users that all they have to do is to accept the certificate on the first connection. Best regards, Olivier
Hello,
I have no definite answer. Loading a file with all the details of the connection is how it works for Mac, but I am not sure it can be acheived with Windows (in fact, eduroam people have worked on that a bit and I don't think they came up with any solution, so I don't think it can be done).
For the sake of the mailing list archive: this comment is actively unhelpful and wrong. https://cat.eduroam.org https://802.1x-config.org Or ask a search engine of your choice for "Enterprise Wi-Fi onboarding tools".
Test it is my best advice, then if it works, tell you users that all they have to do is to accept the certificate on the first connection.
No. They should be pre-provisioned with the expected certificate and should never be bothered with the term "certificate" at all, or be trained to accept strange security warnings. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
@Stefan: All your replies are very interesting ! Thank you very very much for sharing them here. I'll have to read them in greater details ! Thanks again Le mar. 11 sept. 2018 à 13:59, Stefan Winter <stefan.winter@restena.lu> a écrit :
Hello,
I have no definite answer. Loading a file with all the details of the connection is how it works for Mac, but I am not sure it can be acheived with Windows (in fact, eduroam people have worked on that a bit and I don't think they came up with any solution, so I don't think it can be done).
For the sake of the mailing list archive: this comment is actively unhelpful and wrong.
https://cat.eduroam.org https://802.1x-config.org
Or ask a search engine of your choice for "Enterprise Wi-Fi onboarding tools".
Test it is my best advice, then if it works, tell you users that all they have to do is to accept the certificate on the first connection.
No. They should be pre-provisioned with the expected certificate and should never be bothered with the term "certificate" at all, or be trained to accept strange security warnings.
Greetings,
Stefan Winter
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette
Tel: +352 424409 1 Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello,
Looking at [2], Eduroam's Windows process is much longer and error-prone than Android's one [2] https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up
Those instructions make no use whatsoever of onboarding tools which take away all that complexity for your users. No wonder it's complicated.
My goal is simplify this process on Windows machines to the point that guests would only have to fill in their login/password after importing a file. Do you think this can be achieved ? If I'm correctly reading your answer, the answer is (unfortunately) No.
Look at https://cat.eduroam.org for how the eduroam consortium is solving this problem for the member institutions. Look at https://802.1x-config.org for a non-eduroam clone of this. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Stefan Winter <stefan.winter@restena.lu> writes:
Looking at [2], Eduroam's Windows process is much longer and error-prone than Android's one [2] https://www.cs.ait.ac.th/joomla3/index.php/eduroam-set-up
Those instructions make no use whatsoever of onboarding tools which take away all that complexity for your users. No wonder it's complicated.
My goal is simplify this process on Windows machines to the point that guests would only have to fill in their login/password after importing a file. Do you think this can be achieved ? If I'm correctly reading your answer, the answer is (unfortunately) No.
Look at https://cat.eduroam.org for how the eduroam consortium is solving this problem for the member institutions.
Thank you Stefan, I know eduroam CAT, but it is useless for me. And eduroam is not willing to do anything to help: Thailand is not listed in CAT, the person in charge of Thailand country is not willing to do anything, eduroam is not willing to kick his butts to remind him of his duty. Because of the hierarchical nature of eduroam, if an intermediate level is brain dead, there is nothing you can do. Best regards, Olivier
Look at https://802.1x-config.org for a non-eduroam clone of this.
Greetings,
Stefan Winter
--
On Sep 10, 2018, at 3:58 AM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser.
The list is the same. But the roots are *not* trusted by default for 802.1X.
If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
That is the easiest way. Alan DeKok.
Le lun. 10 sept. 2018 à 13:16, Alan DeKok <aland@deployingradius.com> a écrit :
On Sep 10, 2018, at 3:58 AM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser.
The list is the same. But the roots are *not* trusted by default for 802.1X.
If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
That is the easiest way.
Forgive me Alan for asking, something that may be evident to many, but how does such a certificate look like ? A .pem file ?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 10, 2018, at 8:14 AM, Olivier <oza.4h07@gmail.com> wrote:
Forgive me Alan for asking, something that may be evident to many, but how does such a certificate look like ? A .pem file ?
You configure the certificates in raddb/certs/ and the server takes care of the rest. The certs are sent to the client over a TLS connection. In which case the format is defined by TLS, and is common between client and server. The on-disk format of the certificate is irrelevant. Alan DeKok.
Hi,
It seems that the list of trusted roots for WAP2 is different from the list of trusted roots used by your browser.
Each root CA has to flagged as being an authorised one for *this particular network*.
If your goal is just to let the user validate the certificate, instead of modifying the connection (it is tricky and error prone) just let them manually validate the certificate the first time they connect, it is faster. easier and goes in the flow.
Others have pointed at why this is a bad idea usability-wise (renewing certificate?) and security (training users to "Click Accept" on a security warning - they'll merrily do so the next time when a rogue server presents his unknown certificate).
My questions are: 1- In this context, is correct to say the Server Certicate Windwos is refering to, is a file somewhere in /etc/freeradius directory ? If positive, how does it look like ? A .pem file ? A .der file ?
2- Is it correct to hope that "if WiFi guests are somehow given such a Server Certificate file before trying to connect, they won't need to change Protected EAP Properties" ?
I never managed to do that.
There are tools which create ready-made installers, including a CA certificate, marking it as trusted, etc. Your mail address implies that you work at an academic institution. If this happens to be about eduroam, take a look at https://cat.eduroam.org. If this is a non-eduroam network, take a look at e.g. https://802.1x-config.org. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (4)
-
Alan DeKok -
Olivier -
Olivier -
Stefan Winter