Friday, March 19, 2021

802.1x wireless authentication - server certificate confusion

Greetings,

I am working on an enterprise authentication system for my company. I have an NPS (RADIUS) server configured to authenticate wireless clients using PEAP-MSCHAPv2. This method uses server certificates to verify the identity of the server the client is talking to.

The NPS, whose name is myNPS, is joined to my cloud domain (Microsoft's cloud version of Domain Services - Azure AD Domain Services). Let's say the domain name is aadds.mycompany.com, so the FQDN for my NPS is myNPS.aadds.mycompany.com.

Use case #1: Android

When connecting to the Wi-Fi from Android, for the CA field, I can select the option 'Don't validate', which doesn't check the server certificate at all. I can authenticate just fine, but no server validation means someone can do damage using the evil twin method.

The option I want to use is the 'Use system certificates' option together with a public CA which comes preinstalled on Android. The cert I want to try out is from Let's Encrypt, whose CA is DST Root CA X3, which is preinstalled on Android. This way I don't have to distribute any certificates to my end users.

This is where I get confused (which may stem from my bad understanding of certificates) - when I select the 'Use system certificates' option, I need to input a domain.

  1. What domain does this need to specify? aadds.mycompany.com? The FQDN?
  2. How does it provide the connection between the server certificate the NPS server provided upon connection and the public CA that signed the server certificate?

What I thought of doing is generating a Let's Encrypt certificate specifically for the NPS server (perhaps using the FQDN?), after which the user enters the FQDN in the domain field, which matches the FQDN in the cert, and the user successfully gets authenticated.

Am I approaching/thinking about this correctly? Would this work?
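As an added illustration (not part of the original post, and not Android's or NPS's own code), here is a small Go program that models the two checks a supplicant performs in "Use system certificates" mode, which is exactly the link asked about in question 2: first the server certificate must chain to a root in the device's trust store, then a DNS name in the certificate's SAN must match the configured domain. The name rule is modelled on Android's domain-suffix match (the SAN must equal the configured domain or be a subdomain of it), which is an assumption stated here rather than something the post confirms. The CA and server certificate are generated in memory as constructed test data standing in for a preinstalled root and the NPS's certificate; the hostnames are the ones from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mustCert signs template with the parent's key and parses the result.
func mustCert(template, parent *x509.Certificate, pub interface{}, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI constructs a throw-away root CA (standing in for a preinstalled
// system root) and a server certificate for the given DNS names (standing in
// for the NPS's certificate). Every call produces a distinct, unrelated CA.
func BuildPKI(serverNames []string) (*x509.CertPool, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverNames[0]},
		DNSNames:     serverNames, // the SAN entries the client matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvCert := mustCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, srvCert
}

// DomainSuffixMatch reports whether name equals domain or is a subdomain of it.
// The comparison is case-insensitive and label-aligned, so
// "mynps.aadds.mycompany.com" matches "aadds.mycompany.com" but
// "notaadds.mycompany.com" does not. (Assumed model of Android's domain field.)
func DomainSuffixMatch(name, domain string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	domain = strings.ToLower(strings.TrimSuffix(domain, "."))
	if domain == "" {
		return false
	}
	return name == domain || strings.HasSuffix(name, "."+domain)
}

// ValidateServer performs the two supplicant-side checks: the certificate must
// chain to a trusted root, and one of its SAN DNS names must match the
// configured domain. Either failure is reported, so a certificate from an
// unknown issuer or a valid certificate for some other name is rejected.
func ValidateServer(cert *x509.Certificate, roots *x509.CertPool, domain string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain check failed: %w", err)
	}
	for _, n := range cert.DNSNames {
		if DomainSuffixMatch(n, domain) {
			return nil
		}
	}
	return fmt.Errorf("no SAN in %v matches configured domain %q", cert.DNSNames, domain)
}

func main() {
	roots, nps := BuildPKI([]string{"mynps.aadds.mycompany.com"})
	for _, d := range []string{"aadds.mycompany.com", "mynps.aadds.mycompany.com", "notaadds.mycompany.com"} {
		fmt.Printf("domain %-27s -> %v\n", d, ValidateServer(nps, roots, d))
	}
	// Same name, but issued by a CA the device does not trust.
	_, rogue := BuildPKI([]string{"mynps.aadds.mycompany.com"})
	fmt.Println("untrusted issuer, same name ->", ValidateServer(rogue, roots, "aadds.mycompany.com"))
}
```

Under this model, entering either the FQDN or the parent domain aadds.mycompany.com would accept a certificate whose SAN is myNPS.aadds.mycompany.com, while the client itself decides which roots are trusted, so nothing has to be distributed to users for a certificate issued under a preinstalled root.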

Use case #2: iOS

When connecting to the Wi-Fi from iOS devices, the device just displays the cert on the screen and asks the user whether they want to trust the server. I really am not a fan of this, since expecting the users to manually check the domain name in the certificate (which is shown on the screen) introduces the factor of trust, where I trust (I don't) my end users to actually do that step every time.

For iOS I am baffled about what to do.

Any useful comments are very much appreciated!
