Meraki

mak2018 · ‎Apr 11 2018

Been using Meraki and NPS for sometime. Usually get a digicert installed on the NPS and users need to accept the cert the first time when authenticating. Is there a way to just allow them to authenticate and validate the cert without them having to accept it?

PhilipDAth · ‎Apr 11 2018

If this is Windows machines, you can deploy a Windows CA. Then put a certificate on NPS from the CA. Windows clients will trust it without prompting.

I suspect, but have never tested, that if you create a group policy for the WiFi network, and configure it as a trusted certificate for the SSID in question, that users wont get prompted anymore. You could also configure group policy to not check the certificate ...

As a matter of interest, what DNS name to you buy the certificate in (since the FQDN of the certificate is probably an internal DNS name)?

MRCUR · ‎Apr 12 2018

For Windows, @PhilipDAth is correct. You could deploy the cert via GPO and configure it as trusted for the SSID.

For mobile devices, you'd need to use an MDM solution (such as Systems Manager) to deploy a profile that includes the certificate and SSID info. Neither iOS or Android will trust certs for wireless by default without a profile telling them to do so.

MRCUR | CMNO #12

mak2018 · ‎Apr 12 2018

Thanks guys.

PhilipDAth · ‎Apr 12 2018

What subject name do you buy the certificate name in? Just anything?

mak2018 · ‎Apr 12 2018

Initially tried to use an existing wildcard (not the norm) but in the end just bought one with the server name itself.

PhilipDAth · ‎Apr 12 2018

Are your NPS server's name and domain actually a publicly listed DNS entry?

You can't buy certificates for private DNS domains.

mak2018 · ‎Apr 12 2018

Yes and no, server name isn't but the domain is. We use split dns my man. I am good now, just wanted to know what my options were. Been using Meraki + NPS + public certs for a long time.

TheoStav · ‎Apr 24 2019

Going back to this, because its a public CA he is using... Wouldnt devices just trust it ? isnt that the point of purchasing a public CA rather than use a self-signed ?

PhilipDAth · ‎Apr 24 2019

@TheoStav wrote:
Going back to this, because its a public CA he is using... Wouldnt devices just trust it ? isnt that the point of purchasing a public CA rather than use a self-signed ?

Aa SSL certificate on a server says I am the legit owner of a DNS entry. If you used the same DNS entry to access that server then you are talking to the legit owner.

For WiFi authentication the system does not connect to a DNS name. It merely sees a certificate, and there is no way to verify that whoever is presenting it has a right to use it.

A lot of WiFi clients don't like seeing a self signed certificate. However if you make a self signed CA certificate, and then create a certificate from that for the WiFi authentication, and you load your CA certificate into the client, then the client will be happy.

So you can use a public SSL certificate, but the client will still present a prompt asking if you trust it - because it doesn't. Or you pre-install your own CA certificate, and the client gets no prompt, because it knows that it can trust it.

Meraki

Community

NPS + Meraki accepting cert

NPS + Meraki accepting cert