Windows XP wireless validating server certificate
We're deploying a wireless network using Windows Server 2008 NAC as a RADIUS server.
The open network redirects to a custom captive portal (using HTTPS and a normal certificate issued by a CA) where users signed up and provided payment information.
In order to enable the client to connect we have to add the network manually and un-check the "Validate server certificate" as shown in the screenshot below.
Does anyone know of a way to avoid having to do this?
Students can use their BYOD devices to connect and reach the portal, pass their user authentication credentials to the portal and the portal can then talk to the RADIUS server.
Eduroam is another popular choice for educational organizations.
When you list root CAs from other organizations in the "CA_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS. It is easy enough to distribute certificates using GPOs. Barring that, do you own a star certificate (that is signed by a Root CA) you could sign your RADIUS server's certificate with?
The disadvantage of the first two options is that it opens your 802.1X scheme up to MitM attacks.
We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but have tried our Comodo wildcard SSL certificate, which hasn't fixed it.
These machines belong to the end users, so we can't easily control settings with group policy or registry hacks.
This only happens with the 802.1X SSID (staff) and not with the PSK SSID (for guests).
I then verified that the only way for a Windows computer to connect to this is to uncheck the "verify the server's identity by validating the certificate" option while manually adding the profile.
I just deployed a setup very similar to this last week, to provide Internet access to a week-long campground event.
I don't know how you generated your public and private key-pair for your RADIUS server, but generally speaking it will either be self-signed or signed by a certificate authority.