We run 802.1x on a single SSID and supplicants can auth using EAP-PEAP (password) from their mobile devices since it's close to impossible to install certificates on guest devices. We are running into a counter-intuitive problem that requires users to bypass the “untrusted” certificate from our Cert Authority the first time they join the SSID. This causes confusion because nowadays even the most casual users know not to accept untrusted certs.
We have tried to work through this but have reached the conclusion from various sources that devices don't validate the certificate provided by 802.1x against the pre-installed directory of public root certificates. This means the only way to get rid of the untrusted certificate error is to deploy another convoluted onboarding system to install certificates. The onboarding system is more hassle than it's worth, so we end up having to tell users to ignore the warning.
Please tell me I'm missing something or that this is going to change. This just seems like moving backwards and bad for the industry in general, especially when trying to get users to practice good infosec.
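For a supplicant you do control (wpa_supplicant on Linux), this is what the difference between "ignore the warning" and actual server validation looks like in the EAP-PEAP network block. Added example, not taken from the post; the SSID, identity, CA file path and RADIUS server name are assumptions and the password is a placeholder.

```conf
# Weak: what clicking through the warning amounts to.
# No CA is pinned and no server name is checked, so the supplicant will
# hand the MSCHAPv2 exchange to whatever RADIUS server answers for this SSID.
network={
    ssid="corp-wifi"              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"              # assumed user
    password="CHANGE-ME"          # placeholder
    phase2="auth=MSCHAPV2"
    # no ca_cert / domain_match here
}

# Hardened: pin the CA that issued the RADIUS server certificate and
# require the certificate's name to match the expected server.
network={
    ssid="corp-wifi"              # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"              # assumed user
    password="CHANGE-ME"          # placeholder
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # assumed path to your CA cert
    domain_match="radius.corp.example"            # assumed name in the server cert
}
```

With `ca_cert` and `domain_match` set, a server presenting a certificate from any other issuer or with a different name fails the TLS phase before any credential is sent, which is exactly the check the click-through warning skips.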