Greetings,
I am working on a enterprise authentication system for my company. Got a NPS (RADIUS) server configured to authenticate wireless clients using PEAP-MSCHAPv2. This method uses server certificates to verify the identity of the server the client is talking to. The NPS, whose name is myNPS is joined to my cloud domain (Microsoft's cloud version of Domain Services - Azure AD Domain Services), let's say the domain name is aadds.mycompany.com, so the FQDN for my NPS is myNPS.aadds.mycompany.com.
What my end goal is - to have a proper server certificate on my NPS which is signed by a public CA, where the CA cert comes preinstalled on client devices. That way I don't have to distribute CA certs to my end-users since they use BYOD devices (privately owned).
1. Is this feasible and secure? I've read that RADIUS servers should use private CA, but in that case I need to distribute all these CAs to my end users private devices, which seems way too much of a hassle, especially with BYOD.
When connecting to the Wi-Fi from Android, for the CA field, I can select the option to 'Don't validate' which doesn't check the server certificate at all. I can authenticate just fine but no server validation means someone can steal credentials using the evil twin method.
The option I want to use is the 'Use system certificates' option together with a public CA which comes preinstalled on Android. The cert I want to try out is from Let's Encrypt whose CA is DST Root CA x3, which is preinstalled on Android.
When the 'Use system certificate' option is selected, a 'Domain' field needs to be populated. This is where it gets fuzzy for me.
So if the server certificate which was issued by a public CA has the FQDN (myNPS.aadds.mycompany.com) of my server in it, the end user needs to populate the field with that FQDN or just the domain mycompany.com?
2. Does this ensure the server verification part? A malicious actor can have a rogue RADIUS for sniffing the creds, but he shouldn't be able to have a proper certificate with my FQDN in it? Or can he?
When the user enters the FQDN, it won't match what his certificate has in it.
Do I understand this correctly?
3. Is the domain field also the indicator for the client device which CA cert from it's store to use for server verification? How exactly does it do that?
Hope I made clear what is confusing me so someone can explain the exact steps this server verification process using certificates involves. Thanks in advance!
I am working on a enterprise authentication system for my company. Got a NPS (RADIUS) server configured to authenticate wireless clients using PEAP-MSCHAPv2. This method uses server certificates to verify the identity of the server the client is talking to. The NPS, whose name is myNPS is joined to my cloud domain (Microsoft's cloud version of Domain Services - Azure AD Domain Services), let's say the domain name is aadds.mycompany.com, so the FQDN for my NPS is myNPS.aadds.mycompany.com.
What my end goal is - to have a proper server certificate on my NPS which is signed by a public CA, where the CA cert comes preinstalled on client devices. That way I don't have to distribute CA certs to my end-users since they use BYOD devices (privately owned).
1. Is this feasible and secure? I've read that RADIUS servers should use private CA, but in that case I need to distribute all these CAs to my end users private devices, which seems way too much of a hassle, especially with BYOD.
When connecting to the Wi-Fi from Android, for the CA field, I can select the option to 'Don't validate' which doesn't check the server certificate at all. I can authenticate just fine but no server validation means someone can steal credentials using the evil twin method.
The option I want to use is the 'Use system certificates' option together with a public CA which comes preinstalled on Android. The cert I want to try out is from Let's Encrypt whose CA is DST Root CA x3, which is preinstalled on Android.
When the 'Use system certificate' option is selected, a 'Domain' field needs to be populated. This is where it gets fuzzy for me.
So if the server certificate which was issued by a public CA has the FQDN (myNPS.aadds.mycompany.com) of my server in it, the end user needs to populate the field with that FQDN or just the domain mycompany.com?
2. Does this ensure the server verification part? A malicious actor can have a rogue RADIUS for sniffing the creds, but he shouldn't be able to have a proper certificate with my FQDN in it? Or can he?
When the user enters the FQDN, it won't match what his certificate has in it.
Do I understand this correctly?
3. Is the domain field also the indicator for the client device which CA cert from it's store to use for server verification? How exactly does it do that?
Hope I made clear what is confusing me so someone can explain the exact steps this server verification process using certificates involves. Thanks in advance!