Certificate issues typically are due to trust or name resolution issues.  Does 
the new certificate match the DNS name of your controller?  Did you self-sign 
the certificate or purchase from an online CA like Verisign or GoDaddy?  
Sometimes CAs use intermediate signing certificates as well. Do you properly 
chain these certs on the controller?  If this is only for domain-managed 
computers, you can add the signing cert to your Trusted Root Certification 
Authorities in group policy.  I'm not aware of any method to do this globally 
on an OS that doesn't participate in group policy, though it might be possible 
through some sort of scripting.

The following link explains how to chain your certs on the controller:

https://supportforums.cisco.com/docs/DOC-13954#Putting_the_CA_certificate_and_all_other_certificates_on_the_controller_as_well_51_and_later

Regards,

---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
gp...@greenriver.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Williams, Mr. Michael
Sent: Monday, April 15, 2013 8:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Verifying or Validating Server Certificate when using 
WPA/WPA2 and 8021x WLAN

Our wireless network consists of two Cisco wireless controllers, 240 APs and 
we use Cisco ACS 5.2 as our RADIUS server.   One of our wireless networks is 
configured to use WPA/WPA2 with 802.1x and PEAP w/ MSCHAP v2.  After updating 
the server certificate on the ACS, our wireless users were asked to verify or 
validate the server certificate before gaining access to the wireless network.  
This requirement generates numerous helpdesk tickets and many more questions as 
to why the users must do this, when they don't have to do it on any other 
wireless network.    I have asked Cisco for assistance but they informed me 
that what we are seeing is the normal behavior for the wireless supplicants and 
that the user must manually verify the authentication server certificate when a 
wireless profile is created for the first time or after the server certificate 
is changed on the ACS.

I know we are not the only ones seeing this requirement; numerous other 
universities have published wireless tutorials asking their users to verify the 
certificate as part of the initial setup of the wireless profile.  I know we 
can eliminate this requirement on Windows machines by just unchecking the 
validate certificate option, but this is not an option on iOS machines.  We use 
the 3rd party certificate by InCommon and have installed both the intermediate 
and root certificates on the ACS.

Has anyone found a solution to this problem?  Or is this just the default 
behavior of the supplicant that we are seeing?

Thank you for your assistance.

mike

Michael M. Williams
Network Systems Analyst
Information Technology Services
Tarleton State University
201st St. Felix Str.
Box T-0220
Stephenville, TX 76402

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
