NPS + Meraki accepting cert

mak2018
Here to help


Been using Meraki and NPS for sometime.  Usually get a digicert installed on the NPS and users need to accept the cert the first time when authenticating.  Is there a way to just allow them to authenticate and validate the cert without them having to accept it? 

PhilipDAth
Kind of a big deal

If this is Windows machines, you can deploy a Windows CA.  Then put a certificate on NPS from the CA.  Windows clients will trust it without prompting.

 

I suspect, but have never tested, that if you create a group policy for the WiFi network, and configure it as a trusted certificate for the SSID in question, that users won't get prompted anymore.  You could also configure group policy to not check the certificate ...

 

As a matter of interest, what DNS name do you buy the certificate in (since the FQDN of the certificate is probably an internal DNS name)?

 

MRCUR
Kind of a big deal

For Windows, @PhilipDAth is correct. You could deploy the cert via GPO and configure it as trusted for the SSID. 

 

For mobile devices, you'd need to use an MDM solution (such as Systems Manager) to deploy a profile that includes the certificate and SSID info. Neither iOS nor Android will trust certs for wireless by default without a profile telling them to do so. 

MRCUR | CMNO #12

Thanks guys. 

PhilipDAth
Kind of a big deal

What subject name do you buy the certificate name in?  Just anything?

Initially tried to use an existing wildcard (not the norm) but in the end just bought one with the server name itself.

PhilipDAth
Kind of a big deal

Are your NPS server's name and domain actually a publicly listed DNS entry?

 

You can't buy certificates for private DNS domains.

Yes and no, server name isn't but the domain is.  We use split dns my man. I am good now, just wanted to know what my options were.  Been using Meraki + NPS + public certs for a long time. 

Going back to this, because it's a public CA he is using... Wouldn't devices just trust it? Isn't that the point of purchasing a public CA rather than use a self-signed? 

PhilipDAth
Kind of a big deal


@TheoStav wrote:

Going back to this, because it's a public CA he is using... Wouldn't devices just trust it? Isn't that the point of purchasing a public CA rather than use a self-signed? 


An SSL certificate on a server says I am the legit owner of a DNS entry.  If you used the same DNS entry to access that server then you are talking to the legit owner.

 

For WiFi authentication the system does not connect to a DNS name.  It merely sees a certificate, and there is no way to verify that whoever is presenting it has a right to use it.

 

A lot of WiFi clients don't like seeing a self-signed certificate.  However if you make a self-signed CA certificate, and then create a certificate from that for the WiFi authentication, and you load your CA certificate into the client, then the client will be happy.

 

So you can use a public SSL certificate, but the client will still present a prompt asking if you trust it - because it doesn't.  Or you pre-install your own CA certificate, and the client gets no prompt, because it knows that it can trust it.
