Windows and 802.1X issue...

Started by deanwebb, January 05, 2015, 09:53:11 PM


deanwebb

Our Windows PCs throw up a warning message when we change our RADIUS back-end from our old ACS to its replacement... did the same for other RADIUS servers, when we were doing NAC testing. Is there any way to get rid of that pop-up (other than clicking "Connect", which pretty much gets rid of it... but our project manager doesn't want user interaction...)?
:problem?:

I did see something on MSDN about using some C++ code to identify the new RADIUS server as a trusted host... and I have no clue how to do that coding business.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

#1
Cert related? Just went through hell refreshing certs for several different NPS profiles for RADIUS wireless auth, and discovered the joys of how different devices react differently to the same certs signed by the same CAs.


IIRC there are group policy options to tune Windows behaviour re: cert validation / CA validation, and this is a lazy shortcut (usually undocumented lol) often taken by orgs that don't want the headache

deanwebb

Yeah, it's cert-related. Right now the NAC project wants a cleaner way to make the change, and the wireless project figures the end users can click on a "connect" button just fine.

killabee

Are you referring to the Windows error that comes up and says something like "the certificate is untrusted....blah blah.....Connect or Terminate"?

mynd

Quote from: killabee on January 06, 2015, 12:31:23 PM
Are you referring to the Windows error that comes up and says something like "the certificate is untrusted....blah blah.....Connect or Terminate"?

I'm working on FlexConnect with Backup RADIUS configured. So far it's working, but I've run into this issue myself many a time. I've tried digging into it, but haven't had much luck in finding the cause/resolution.

wintermute000

You can turn that off in group policy... But for guests you're at the mercy of whatever their OS does. Just make sure your certificate is from a CA that is in everyone's factory trusted root CA list.

deanwebb

Killabee: that is the very one. The very one.

Mynd, this is what I have on it:

Microsoft Technet articles point to the fact that, by default, Windows devices do not trust CAs and that new CAs need to be added to each client. This addition can be done with a one-time click on the "Connect" button on the alert, or by adding the new authenticator's certificate via group policy.

This is independent of the PKI system. To deal with the alert, we either need to provide a communication to end-users that specifies four steps to follow, or we need to be able to push the new credential to the clients, either via group policy or an SCCM package that executes code such as found on http://msdn.microsoft.com/en-us/library/windows/desktop/aa376562%28v=vs.85%29.aspx (Code is in C++)

The user communication would be: (adapted from communication used by MIT for the same issue)

The security alert lets you know that the RADIUS authentication server you are connecting to is not necessarily a trusted source. This is because of the root certificate that (company) uses to sign the server certificates.

You can connect to the (company) wireless network by confirming that you are connecting to a (company) server and trusting the (company) security certificate. To do this:

    Open the Details for the security message.
    Confirm that the RADIUS Server is (new RADIUS server)
    Confirm that the Root CA is (company root CA)

    If the above matches the certificate details displayed on your computer, then you can safely click Connect and use the (company) wireless network.

    If the RADIUS Server is not (new RADIUS server) OR the Root CA isn't (company root CA), click Terminate and notify the Helpdesk.

***

That last sentence is much more gentle than "drop your PC and run away, then notify the Helpdesk, or else U B H4XX0RR'D!!!".

wintermute000

I found this in my inbox re: this topic. Take note of where the relevant cert store is in windoze, it's NOT where the normal trusted root CAs are for resolving websites.


-------------

By default, Windows domain-member wireless clients do not trust ANY 3rd-party root CAs, regardless of whether it is in the local computer's trusted root store.
http://support.microsoft.com/kb/2518158

A CA is considered to be trusted (by a domain member wireless clients) only if it exists in the "NTAuth" system registry store found in the CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location. This is propagated down to the members from AD.

This means that when the xxxxx SSID was first provisioned, EVERY client had to proceed past this security popup, and this was never resolved.

To resolve properly, the 3rd-party root CA cert chains have to be loaded into the NTAuth store at the root forest for the domain.
http://support.microsoft.com/kb/295663

Once this is done..:
"To force the NTAuth store to be immediately populated on a local computer instead of waiting for the next Group Policy propagation, run the following command to initiate a Group Policy update:
dsstore.exe -pulse"
http://support.microsoft.com/kb/281245

Job done, properly. There'll be no popups.
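The procedure in the quoted email, written out as a PowerShell session so it can be done without finding the old dsstore.exe. This is an added example, not something from the thread or from the Microsoft KB articles it links; the .cer file paths are placeholders, the publish step assumes Enterprise Admin rights on a domain-joined machine with certutil available, and certutil -pulse is used here as the current-Windows equivalent of the dsstore.exe -pulse command quoted above (my assumption, not stated in the thread). The verification at the end checks the enterprise NTAuth store where the email says it lives, which is a separate registry location from the normal Cert:\LocalMachine\Root store.

```powershell
# Added example (not from the thread): publish a RADIUS server's CA chain into
# the AD NTAuth store, then verify on a domain-member workstation.
# Placeholders: the CA certificates are assumed to be exported as .cer files
# under C:\PKI\ (hypothetical paths).

$CaChain = @(
    'C:\PKI\CompanyRootCA.cer',     # hypothetical root CA file
    'C:\PKI\CompanyIssuingCA.cer'   # hypothetical issuing (intermediate) CA file
)

# 1. Publish each CA cert into the forest-wide NTAuth store (KB 295663).
#    -dspublish writes to CN=NTAuthCertificates under Public Key Services in AD;
#    -f forces the entry to be (re)written. Requires Enterprise Admin rights.
foreach ($cer in $CaChain) {
    & certutil.exe -dspublish -f $cer NTAuthCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $cer" }
}

# 2. Domain members copy the AD NTAuth container down at the next Group Policy
#    (autoenrollment) refresh. To force that on one workstation instead of
#    waiting (assumed modern equivalent of "dsstore.exe -pulse"):
& certutil.exe -pulse
& gpupdate.exe /target:computer /force

# 3. Verify on the workstation. The enterprise NTAuth store is mirrored into
#    this registry key, NOT into Cert:\LocalMachine\Root. Each subkey name is
#    the SHA-1 thumbprint of one trusted CA certificate.
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$present = (Get-ChildItem -Path $ntAuthKey -ErrorAction Stop).PSChildName

foreach ($cer in $CaChain) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    if ($present -contains $cert.Thumbprint) {
        Write-Host "OK      $($cert.Subject) [$($cert.Thumbprint)] is in NTAuth"
    } else {
        Write-Warning "MISSING $($cert.Subject) is not in NTAuth yet; wait for Group Policy or re-run certutil -pulse"
    }
}

# Human-readable dump of the same store, for the helpdesk ticket.
& certutil.exe -enterprise -store NTAuth
```

Step 1 only has to be done once per forest; steps 2 and 3 are what you would run (or script through SCCM) on a workstation that still shows the prompt, to tell apart "policy has not propagated yet" from "the wrong CA was published".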


deanwebb

Now it's up to us to determine if installing the cert for the new RADIUS servers on all the root DCs and then running certutil.exe on all the workstations globally is more or less disruptive than sending the email that says "click connect."

hizzo3

Quote from: deanwebb on January 07, 2015, 09:57:45 AM
Now it's up to us to determine if installing the cert for the new RADIUS servers on all the root DCs and then running certutil.exe on all the workstations globally is more or less disruptive than sending the email that says "click connect."
Lol. Don't you love users?

mynd

Quote from: deanwebb
Microsoft Technet articles point to the fact that, by default, Windows devices do not trust CAs and that new CAs need to be added to each client. This addition can be done with a one-time click on the "Connect" button on the alert, or by adding the new authenticator's certificate via group policy.

In my scenario, this isn't quite true. I've hit "Connect" many a time and it still pops up now and then with the same information each time.

Quote from: deanwebb
You can connect to the (company) wireless network by confirming that you are connecting to a (company) server and trusting the (company) security certificate. To do this:

    Open the Details for the security message.
    Confirm that the RADIUS Server is (new RADIUS server)
    Confirm that the Root CA is (company root CA)

With Win2k8R2, I just set up the RADIUS to use a self-signed cert (mostly testing right now, though I doubt they'll approve a cert...); however, the alert I am seeing is showing different info for the RADIUS server (AP31G-708105036138) and the Root CA (Cisco Root CA 2048).

I suspect this is because we are using FlexConnect with Local Auth using 1x, instead of Central Auth... I've not found much documentation on my particular setup, though I know it's supported and works.

--Richard

deanwebb

Mynd: there are some boxes that have the multiple "connect" issue. Those are the head-scratchers...

For the second part, each different auth will have its own settings. Our RADIUS controller's cert was signed by our CA, so at least we don't have a standalone self-signed cert to deal with.

icecream-guy

Quote from: deanwebb on January 07, 2015, 09:57:45 AM
Now it's up to us to determine if installing the cert for the new RADIUS servers on all the root DCs and then running certutil.exe on all the workstations globally is more or less disruptive than sending the email that says "click connect."

1st option, it's what keeps us employed and well paid.....

solution must not inconvenience customer (at least that's the jibe we get here)
:professorcat:

My Moral Fibers have been cut.

deanwebb

Since we have group policies for cert management, we're looking at the first option, without having to run certutil.exe on everyone's box. :joy: