RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
Sorry for dragging up the old post, but what certificate from Thawte did you use specifically?

TIA,
--Joe

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of John Duran
Sent: Wednesday, November 19, 2008 11:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

We purchased a certificate from THAWTE and installed it on our controllers to alleviate this problem. This THAWTE is a valid certificate authority already listed in all the majority of client browsers. We no longer see this error.

John V. Duran
Network Engineer
University of New Mexico
Information Technology Services
Ph: (505) 249-7890
Fax: (505) 277-8101

Norman Elton normel...@gmail.com 11/19/2008 7:37 AM

We're using a Verisign cert on IAS, but our users are still prompted to accept the cert upon initial connect. We asked Verisign about this, and they basically said, that's the way it's designed to work. We did some poking around on the interwebs, and could find a good solution. This was two or three years ago.

Has anyone managed to find a cert that XP/Vista will accept without prompting?

Thanks

Norman Elton

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
Are you referring to an intermediate Certificate vs. a root? VeriSign only offers intermediate certificate that the WLCs before 5.1 code will not use properly. It is an issue with understanding the chaining from what Cisco tells us. We ended up going through Entrust to get a 2 Year root and it fixed our cert warning issue immediately.

Douglas R. Bentley
University Information Technology
Systems Engineering Group
727 Elmwood Avenue, Suite 132
Rochester, NY 14620
Office: (585) 275-6550
Fax: (585) 273-1013
Mailto:[EMAIL PROTECTED]
http://www.rochester.edu/its/

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Toivo Voll
Sent: Tuesday, November 18, 2008 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

Until now we've been using our regular web / SSL certificate for WPA / PEAP/MSCHAP purposes, and predictably have run into the usability issues with certificate trust prompts on the client end. (We use Cisco LWAPP / Freeradius).

It appears VeriSign has a specific Wireless LAN Server Certificate, and apparently there is work done in IETF regarding WLAN specific extensions in certificates.

After a fair bit of googling I've been unable to find out just what the difference between a vanilla SSL certificate and a Wireless LAN Server Certificate is. Presumably the WLAN certificates won't prompt for the certificate trust, but what other difference, if any, is there? Are there providers other than VeriSign for these certificates? (Thawte, for example, seems to refer back to VeriSign for such certs.)

Here's the uninformative product page:
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/wireless-lan-security/

Any advice or links to documentation on the matter would be greatly appreciated.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida
Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
We're using a Verisign cert on IAS, but our users are still prompted to accept the cert upon initial connect. We asked Verisign about this, and they basically said, that's the way it's designed to work. We did some poking around on the interwebs, and could find a good solution. This was two or three years ago.

Has anyone managed to find a cert that XP/Vista will accept without prompting?

Thanks

Norman Elton
RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
We currently use IAS with the Verisign WLAN cert. We are going to move away from Verisign for our cert purchases. Can you use another cert authority besides Verisign for IAS?

Nicholas Urrea
Information Technology
UC Hastings College of the Law

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Wednesday, November 19, 2008 7:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

We use Verisign and Cisco ACS on LWAPP. After the server names are listed in the supplicant config and are trusted once, we never see the cert prompt again.

(Also- make sure PC date/time is correct- if the PC clock time is way off, outside of the valid cert time period, the client will never get past the verify cert bubbles- this one can be maddening to diagnose).

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Norman Elton
Sent: Wednesday, November 19, 2008 9:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

We're using a Verisign cert on IAS, but our users are still prompted to accept the cert upon initial connect. We asked Verisign about this, and they basically said, that's the way it's designed to work. We did some poking around on the interwebs, and could find a good solution. This was two or three years ago.

Has anyone managed to find a cert that XP/Vista will accept without prompting?

Thanks

Norman Elton
Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
We purchased a certificate from THAWTE and installed it on our controllers to alleviate this problem. This THAWTE is a valid certificate authority already listed in all the majority of client browsers. We no longer see this error.

John V. Duran
Network Engineer
University of New Mexico
Information Technology Services
Ph: (505) 249-7890
Fax: (505) 277-8101

Norman Elton [EMAIL PROTECTED] 11/19/2008 7:37 AM

We're using a Verisign cert on IAS, but our users are still prompted to accept the cert upon initial connect. We asked Verisign about this, and they basically said, that's the way it's designed to work. We did some poking around on the interwebs, and could find a good solution. This was two or three years ago.

Has anyone managed to find a cert that XP/Vista will accept without prompting?

Thanks

Norman Elton
RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
I'm using MS IAS with the Verisign server cert, and one difference is I didn't have to install IIS to get the certificate. I don't think I had to generate a cert request either. I just entered the server name online and they generated the request and the cert for me. Those were my differences.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Toivo Voll
Sent: Tuesday, November 18, 2008 1:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

Until now we've been using our regular web / SSL certificate for WPA / PEAP/MSCHAP purposes, and predictably have run into the usability issues with certificate trust prompts on the client end. (We use Cisco LWAPP / Freeradius).

It appears VeriSign has a specific Wireless LAN Server Certificate, and apparently there is work done in IETF regarding WLAN specific extensions in certificates.

After a fair bit of googling I've been unable to find out just what the difference between a vanilla SSL certificate and a Wireless LAN Server Certificate is. Presumably the WLAN certificates won't prompt for the certificate trust, but what other difference, if any, is there? Are there providers other than VeriSign for these certificates? (Thawte, for example, seems to refer back to VeriSign for such certs.)

Here's the uninformative product page:
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/wireless-lan-security/

Any advice or links to documentation on the matter would be greatly appreciated.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida
RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?
Hi Toivo,

A couple of years ago we too were setting this up and actually ended up with the Verisign Wireless LAN Server Certificate. I didn't see any particular difference between this and a web certificate, but perhaps I don't know what to look for. What I did encounter was that the CA Verisign used to sign the cert changed / was no longer valid and their response / the only work around at the time was to configure clients to not validate the certificate. I am uncertain if this was ever resolved, but we abandoned this method of secure communications as the demand for accessing network resources was determined to be non-existent and instructing use of the wired network to those users that wanted network resource access. What is to come in the future who knows, but we are planning that this may become necessary again.

Sorry I don't have any advice on the documentation.

Daniel Foerst
Manager, Networks Security
The Catholic University of America
Washington, DC 20064

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Toivo Voll
Sent: Tuesday, November 18, 2008 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

Until now we've been using our regular web / SSL certificate for WPA / PEAP/MSCHAP purposes, and predictably have run into the usability issues with certificate trust prompts on the client end. (We use Cisco LWAPP / Freeradius).

It appears VeriSign has a specific Wireless LAN Server Certificate, and apparently there is work done in IETF regarding WLAN specific extensions in certificates.

After a fair bit of googling I've been unable to find out just what the difference between a vanilla SSL certificate and a Wireless LAN Server Certificate is. Presumably the WLAN certificates won't prompt for the certificate trust, but what other difference, if any, is there? Are there providers other than VeriSign for these certificates? (Thawte, for example, seems to refer back to VeriSign for such certs.)

Here's the uninformative product page:
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/wireless-lan-security/

Any advice or links to documentation on the matter would be greatly appreciated.

--
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida