802.1X automatically validate certificate in Windows clients

Jona asked:

We’re deploying a wireless network using Windows Server 2008 NAC as a RADIUS server. When Windows XP or 7 clients connect, they initially fail to connect.

In order to enable the client to connect we have to add the network manually and un-check the “Validate server certificate” as shown in the screenshot below.

Does anyone know of a way to avoid having to do this? We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but we have tried our Comodo wildcard SSL certificate, which hasn’t fixed it.

These machines belong to the end users so we can’t easily control settings with group policy or registry hacks.


My answer:

I just deployed a setup very similar to this last week, to provide Internet access to a week-long campground event. This is the approach I used and some lessons learned:

First, I used multiple SSIDs to provide the primary network on WPA2-Enterprise, and an open network for user enrollment. The open network redirects to a custom captive portal (using HTTPS and a normal certificate issued by a CA) where users signed up and provided payment information. After payment is complete, users are enabled in the RADIUS database, and can then reconnect to the WPA2-Enterprise SSID to get online.

Since I had a hard deadline to get it up and running, it was only tested with Android and iOS, neither of which had any real problem. In production I learned pretty quickly that Windows didn’t like it at all.

  • Windows XP needed SP3 to use the secure network at all, so I kept a local copy as a direct download on the captive portal. One user actually showed up with XP SP2 and had to be updated.
  • Windows XP, Vista, and 7 refused to connect with the username and password, but never actually complained specifically about the server certificate. I discovered that this was the cause by trial and error with the first Windows user to sign up. Actually manually setting up the network profile was pretty straightforward once the issue was identified.
  • Windows 8, iOS, and the GNOME/Ubuntu version of NetworkManager prompted about the RADIUS server certificate, but allowed users to accept the certificate and connect.
  • The KDE version of NetworkManager never attempted connection without manual configuration, and the defaults it chose were wrong. Fortunately only one user showed up with this specific configuration.
  • No one requested support for Mac OS X. I later learned that Mac OS X clients connected with no problems.

To avoid all this trouble, in the next iteration (i.e. next year) I plan to offer to install the server certificate directly from the captive portal, so that users (mostly Windows users) won’t have an issue logging into the secure network.

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.