[Help] How to eliminate client certificate popup
Hello, We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it just we want to eliminate this pop-up at the 1st time people connect to it : The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server. Details Radius Server: $radius Root CA: $ca How can i do that? We are using a cert from Global sign and we already have a root ca in our laptop, but we still need to choose that Terminate / Connect popup. It doesnt matter if we need to change our cert or etc, but we just want to eliminate that popup :) Thanks Danny -- Best Regards, Danny
Hi, I mean eliminate it without a need to configure WLAN profile on each Windows 7 we have or using Intel Pro software etc.. I would like to know if anyone ever know how we can eliminate this from let say tweak the cert or some radius config. Thanks Danny On Tue, Mar 5, 2013 at 9:58 AM, Danny Kurniawan < danny.kurniawan@fairchildsemi.com> wrote:
Hello,
We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it just we want to eliminate this pop-up at the 1st time people connect to it :
The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server. Details Radius Server: $radius Root CA: $ca
How can i do that? We are using a cert from Global sign and we already have a root ca in our laptop, but we still need to choose that Terminate / Connect popup. It doesnt matter if we need to change our cert or etc, but we just want to eliminate that popup :)
Thanks Danny
-- Best Regards, Danny
-- Best Regards, Danny
Hi,
I mean eliminate it without a need to configure WLAN profile on each Windows 7 we have or using Intel Pro software etc.. I would like to know if anyone ever know how we can eliminate this from let say tweak the cert or some radius config.
I don\'t think it\'s about radius configuration It\'s more to your windows7 supplicant configuration. Check https://supportforums.cisco.com/docs/DOC-17544 Sincerely -bino-
Hi,
how many 'how to configure PEAP' documents does the world need? this one has fewer issues than others but still has ambiguity....and this guide also contains exactly the same security prompt that the requester DOESNT want ;-) alan
Hi,
how many 'how to configure PEAP' documents does the world need? this one has fewer issues than others but still has ambiguity....and this guide also contains exactly the same security prompt that the requester DOESNT want ;-)
I don't mean to argue, but ... 1. I just want to tell requester that the problem fix is at the client side. 2. Check fig.9 and fig-10 .. looks like there is an option to cache user information and to 'not prompt user to ...' that I think (cmiiw) will give proper solution. Sincerely -bino-
Thanks for all the reply, means i have to settle it from Client end :) -Danny On Wed, Mar 6, 2013 at 10:30 AM, <bino@indoakses-online.com> wrote:
Hi,
how many 'how to configure PEAP' documents does the world need? this one has fewer issues than others but still has ambiguity....and this guide also contains exactly the same security prompt that the requester DOESNT want ;-)
I don't mean to argue, but ...
1. I just want to tell requester that the problem fix is at the client side. 2. Check fig.9 and fig-10 .. looks like there is an option to cache user information and to 'not prompt user to ...' that I think (cmiiw) will give proper solution.
Sincerely -bino-
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny
Hi,
How can i do that? We are using a cert from Global sign and we already have a root ca in our laptop, but we still need to choose that Terminate / Connect popup. It doesnt matter if we need to change our cert or etc, but we just want to eliminate that popup :)
its down to the OS and trust settings. the client needs to be configured. if you use a deployment tool then this error can be removed. likewise, if in eg AD you can have a group policy deployed to do the same. alan
On 03/05/2013 01:58 AM, Danny Kurniawan wrote:
Hello,
We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it just we want to eliminate this pop-up at the 1st time people connect to it :
How can i do that? We are using a cert from Global sign and we already
You have only a few choices: 1. Use a program such as su1x, ExpressConnect or similar to pre-provision the CA trust settings 2. If the machines are domain members, use group policy to do the same 3. Deploy a batch file / whatever to use "netsh" and XML profiles to do the same - a poor mans version of #1 4. Live with it. This is not a RADIUS question; it's an issue of supplicant provisioning, which is best asked of your OS vendor.
Hi All, Thanks for all your reply. Yes i do understand the solution is to deploy the network profile, but just curious at first who knows any of you have an idea how to eliminate it wthout touching the client. *for example push the profile automatically from the AP etc... But now i guess i will have to deploy netsh command using script to all PC as its not joining AD :) Thanks Danny On Tue, Mar 5, 2013 at 5:28 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 03/05/2013 01:58 AM, Danny Kurniawan wrote:
Hello,
We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it just we want to eliminate this pop-up at the 1st time people connect to it :
How can i do that? We are using a cert from Global sign and we already
You have only a few choices:
1. Use a program such as su1x, ExpressConnect or similar to pre-provision the CA trust settings 2. If the machines are domain members, use group policy to do the same 3. Deploy a batch file / whatever to use "netsh" and XML profiles to do the same - a poor mans version of #1 4. Live with it.
This is not a RADIUS question; it's an issue of supplicant provisioning, which is best asked of your OS vendor.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
-- Best Regards, Danny
On 05/03/13 09:56, Danny Kurniawan wrote:
Hi All,
Thanks for all your reply. Yes i do understand the solution is to deploy the network profile, but just curious at first who knows any of you have an idea how to eliminate it wthout touching the client.
You can't. It's impossible by design - allowing the AP to push CA trust settings would be a security hole.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
bino@indoakses-online.com -
Danny Kurniawan -
Phil Mayers