Creating a certificate for 802.1x wireless access....

I know this is a complicated issue. We are trying to set up 802.1x access to our corporate WiFi using computer identity with certificates.
The video provided by Apple here: http://www.apple.com/education/resources/information-technology.html#authentication_on_mac at the 3:04 mark the instructors talk about importing a computer identity certificate into the keychain but don't mention how it's generated in the first place.
This is where we are stuck.
When we think about generating the proper certificate and click on Configure under Authentication with TLS checked we get the following:
No Certificates Found...
We are using a Microsoft Windows Server 2008 Certificate Authority server as our in house certificate server.
Any help would be greatly appreciated.  Thanks in advance!
-Paul

Step 1a. Create Wirelesscert.mobileconfig with the following, changing the defaults to match your needs.
The "CertTemplate" key must match the name of the cert template on the server.
You can use the same machine cert template as the PCs. The UUIDs are done in the next step.
CertServer key: use http or https depending on your cert server config.
Generic config file, sort of:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>CertServer</key>
            <string>https://Server.domain.name/certsrv</string>
            <key>CertTemplate</key>
            <string>Your_Computer_template_name</string>
            <key>PayloadDisplayName</key>
            <string>Enter_your_name_fort_the_policy</string>
            <key>PayloadIdentifier</key>
            <string>Create_payload_ident</string>
            <key>PayloadType</key>
            <string>com.apple.ADCertificate.managed</string>
            <key>PayloadUUID</key>
            <string>Change-me-to-a-new-UUID</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>deleted</key>
            <false/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Enter_Description_here</string>
    <key>PayloadDisplayName</key>
    <string>Enter_Display_name</string>
    <key>PayloadIdentifier</key>
    <string>Enter_paylode_name</string>
    <key>PayloadOrganization</key>
    <string>Enter_paylode_orgname</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>SystemConfiguration</string>
    <key>PayloadUUID</key>
    <string>Change-me-to-a-new-UUID</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Step 1b. Create two UUIDs in the Mac command shell and paste them into the file, replacing Change-me-to-a-new-UUID with two different UUIDs.
The command is "uuidgen". You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobileconfig.
This must be done for every computer you install the policy on so that they are unique to that computer.
Do these steps in a local machine admin account, not logged into the domain.
Step 2. In Lion 7.2 (only), turn off the cert checking to prevent an endless loop (a known bug, should be fixed in an update):
   a. Open Keychain Access
   b. Click on Keychain Access in the Apple toolbar
   c. Select Preferences
   d. Select the Certificates tab
   e. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)
Step 3. Connect using Safari to your Microsoft AD certificate server and trust the locally self-signed cert.
Step 4. Copy the cert in Keychain from user to System.
Step 5. Open a shell for steps 6 and 7.
Step 6. Type sudo kinit -k (machinenamelowercase)$   ! the dollar sign is appended to the computer name
Step 7. Type klist -l   ! verify that a Kerberos ticket is listed under the machine name
Step 8. Double-click on the file Wirelesscert.mobileconfig to import the profile and create the certificate.
Step 9. Verify in the Keychain that you have a System certificate.
In the network wireless settings, click Join on the SSID:
Mode: EAP-TLS
Identity: X509 Certificate (the one just created)
Username: host/(Your_Macs_Fully_qualified_name)
I hope this helps. I now have a cert from AD on the machine and I think when it expires the plugin will renew it.
Read the original document this is based on at http://support.apple.com/kb/HT4784
I just need to figure out how to set a policy that uses the cert on the machine.
Message was edited by: daveBoxElderSD
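Step 1b above is the easy one to get wrong (the same UUID pasted twice, or a placeholder left behind, and the profile is rejected at step 8). The script below is an added example, not part of daveBoxElderSD's post or of Apple's profile tooling: it fills each "Change-me-to-a-new-UUID" occurrence with its own uuidgen value and checks the result. The trimmed template, and the function names write_template, new_uuid, fill_uuids and check_profile, are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): replace every
# "Change-me-to-a-new-UUID" placeholder in a Wirelesscert.mobileconfig
# template with a distinct uuidgen value (step 1b) and verify the
# profile before it is double-clicked in step 8.
set -e

# Constructed, trimmed template using the post's placeholder string.
write_template() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ADCertificate.managed</string>
            <key>PayloadUUID</key>
            <string>Change-me-to-a-new-UUID</string>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>SystemConfiguration</string>
    <key>PayloadUUID</key>
    <string>Change-me-to-a-new-UUID</string>
</dict>
</plist>
EOF
}

# One fresh UUID: uuidgen on the Mac (as in step 1b); fallbacks let the
# same script run on a Linux admin box that prepares the profile.
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n' \
      | sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
  fi
}

# Copy the template to out, giving each placeholder line its own UUID so the
# payload UUID and the profile UUID never collide.
fill_uuids() {
  template="$1"; out="$2"
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *Change-me-to-a-new-UUID*)
        line=$(printf '%s\n' "$line" | sed "s/Change-me-to-a-new-UUID/$(new_uuid)/") ;;
    esac
    printf '%s\n' "$line" >> "$out"
  done < "$template"
}

# Succeeds only if no placeholder remains, every PayloadUUID value is
# distinct, and (on macOS, where plutil exists) the plist syntax is valid.
check_profile() {
  f="$1"
  if grep -q 'Change-me-to-a-new-UUID' "$f"; then return 1; fi
  total=$(grep -c '<key>PayloadUUID</key>' "$f" | tr -d ' ')
  unique=$(awk '/<key>PayloadUUID<\/key>/ { getline; print }' "$f" | sort -u | wc -l | tr -d ' ')
  [ "$total" -eq "$unique" ] || return 1
  if command -v plutil >/dev/null 2>&1; then plutil -lint "$f" >/dev/null; fi
}

# Usage: sh fill_uuids.sh template.mobileconfig Wirelesscert.mobileconfig
if [ "$#" -eq 2 ]; then
  fill_uuids "$1" "$2"
  check_profile "$2" && echo "profile ready: $2"
fi
```

Run it once per Mac, as the post says the UUIDs must be unique to each computer.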

Similar Messages

  • Create a certificate for non domain-joined PCs

    We have a standard AD domain with a CA and SharePoint/Exchange servers, hosted internally and externally with TMG 2010 as our firewall. For the external hosting, we have an external certificate from one of the main certificate providers. Internally, our domain-joined PCs look to the CA to get their trusted certificate from.
    This is the issue I am encountering:
    Our external users (the ones whose PC is not joined to our domain) are fine when they access our SharePoint and Exchange services externally.
    However, when they are connected via VPN, they receive a certificate error and when I look in Certificate > Certification path, I can see that it says:
    "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    When such a PC connects to the same website when NOT connected via VPN to the domain, they receive:
    "DOMAIN NAME" Root CA > "DOMAIN NAME" Issuing CA1 > "NAME OF SHAREPOINT WEBSITE".
    How can I create a certificate for these non-domain joined PCs so that I can import the certificate in the Trusted Root Certification Authorities store? Thank you!

    It sounds like the question you are really asking is:
    How do I designate the internal root CA as a trusted root CA?
    Run certutil -addstore root RootCert.crt (this must be run from an administrative command prompt).
    This designates the root CA as a trusted root on the client. You also may want to install the intermediate cert to the store (you are not clear on what VPN product you are using, so it may or may not do proper chain building).
    Run certutil -addstore CA IssuingCA.crt
    Brian

  • IOS 6.0.1 - Problems with certificate based authentication on wireless access point

    Hi all
    We are using iPad 2 as order terminals in our shops for about 5 months. Some of the iPads (the first that entered the field) started to cause problems now. These iPads are no longer able to keep a long-term connection to the wireless access point in our stores. After selecting the SSID a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP address that is given by DHCP). But within seconds the affected iPads open up a captive portal page (empty, without contents) and drop the connection to the SSID again after a short time.
    Affected are currently only iPad 2 devices with iOS 6.0.1, which were staged about 5 months ago. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred last Wednesday. Before that everything worked without difficulty. No modifications took place on the security structure. The number of affected devices increased until all iOS 6.0.1 devices were affected.
    Access to other SSIDs (without use of certificates, by entering a key) is still possible for the devices (the devices do not open a captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
    "Newer iPads" with iOS 6.1+ are showing no problems on the same wireless access point where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
    In the analysis of the issue, it turned out that the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads are able to rebuild a connection with the access point without a captive portal page.
    Since the bandwidth is very narrowly dimensioned in our stores, the communication of the iPads was severely restricted. Thus the iPads are, for example, accessible for APNS but cannot find iOS updates or check for their availability.
    A comprehensive update to iOS 6.1.3 is currently excluded.
    Does anyone know this issue? What else can be done (apart from updating)?

    I will answer my own question in case it helps anyone else.
    It would "seem" the iOS 6 devices try the proxy and if that is not working they resort to the default gateway.
    To fix it I did the following:
    The Brocade WiFi network has IPS and Advanced Firewall rules that seemed to be thwarting some traffic; the iPhones would then try the default gateway and be blocked at the FW.
    I disabled the IPS and the Advanced Firewall Settings on the WiFi as they are redundant to our main IPS and firewall that all traffic flows through anyway. I will tune it later, but when the CEO is demanding a fix, "**** the security, full speed ahead".
    Created some rules on the firewall to allow...
    - IMAP-SSL (port 993) outbound
    - SMTPS (port 465) to Yahoo servers outbound
    - TCP port 587 to Yahoo servers outbound
    - HTTPS to Akamai servers
    Most HTTP and HTTPS goes through the proxy as it should, BUT...
    It seems that the Akamai traffic always ignores the WiFi proxy settings and just heads straight for the default gateway. I suspect there is a bug in the iCloud app?
    Hope this helps someone else.
    -Bo

  • Which EAP Type to choose for 802.1x Wireless Policy?

    Hi everyone,
    I have a question about the recommended EAP type in a wireless policy:
    Which configuration is more secure/recommended?
    a)
    Authentication Type: PEAP
    EAP Type: EAP-MSCHAP v2
    b)
    Authentication Type: EAP
    EAP Type: Certificate
    We have a working configuration with a) and could change to b).
    Thanks,
    Andy

    Hi,
    Option a, using PEAP together with EAP (EAP-MSCHAP v2), is more secure/recommended.
    PEAP is a new member of the family of EAP protocols. To enhance both the EAP protocols and network security, PEAP provides:
    1. Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the network access server (NAS) to cause the negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server.
    2. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this.
    3. Wireless clients with the ability to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
    4. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.
    5. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication. This reduces resource requirements for both client and server.
    You can choose between two EAP types for use with PEAP: EAP-MS-CHAPv2 or EAP-TLS. EAP-MS-CHAPv2 uses credentials (user name and password) for user authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart card for user and client computer authentication. Comparatively, the second one is more secure because public key certificates provide a much stronger authentication method than those that use password-based credentials.
    Best Regards,
    Eve Wang

  • Creating an Azure VM from an existing snapshot does not automatically create a certificate for remoting

    Hi,
    As the title says, I have problems with an Azure VM created from an image I captured of an Azure VM.
    For easier deployment of my server I created one, running everything on localhost, such that I could take an image of it and re-deploy this image, by which I will speed up the process of creating a server substantially. However, this process requires me to be able to remotely control the Azure VM, such that I can reconfigure the server to use the new name.
    My problem is that the certificate which is usually created automatically for me (under the cloud service on which the VM is created) is not created when I deploy a server on a new cloud service from this snapshot I have made.
    Can anybody help me? 
    Thanks in advance!
    Regards
    Magnus

    Hi Susie,
    Sorry for the late answer, I've had a busy last week. Thank you for answering.
    You're quite right. The scenario you describe is exactly what I've done. The reason for doing this is because I am creating a script for installing my company's product on an Azure VM. I am using PowerShell for this purpose and therefore I need to be able to remote control it from PowerShell.
    So far I manually transferred everything, but as it is ~70GB of files it takes a lot of time. So I tried installing everything on localhost (which works perfectly) and taking a snapshot of the machine, but when I spin a new Azure VM up from this image I need to change a few database references and IIS settings in order to make it work. To do this I was hoping to be able to remotely control the machine with PowerShell, but since it does not create a certificate I cannot do this.
    Furthermore, creating and uploading a certificate will, from my understanding, require me to install it on the server, which in turn will need me to manually do some work anyway, whereas the whole idea of automating the process is lost.

  • Speed Tests Results for 802.11ac Wireless Connections

    Using the new Apple MacBook Air with 802.11ac wireless, I tested copying a file and a folder to both the new 802.11ac AirPort Extreme router housing a USB-connected hard disk and the less recent 802.11n Apple AirPort Extreme router housing a similar USB-connected hard disk.
    The results of the tests are summarized in the table below. The movie file was ripped from a DVD movie, and the Microsoft folder is simply the Microsoft Office 2011 folder in my Applications folder containing 14,231 items.
    The MacBook Air computer was located 6–8 feet away from each router with no intervening obstructions. While this was not a scientific test, it demonstrated to me that 802.11ac wireless is clearly superior to 802.11n in a real world setting. I assume that the lower relative performance of 802.11ac versus 802.11n for the large folder containing many files is due to overhead in copying and writing files from and to the hard disks. Ditto for the Gigabit Ethernet test.

    Great resource for speedtesting: www.speedtest.net
    Will show you ping speed, upload/download speeds for your connection. Try for each then post results.

  • Want to create new certificate for the SYSTEM PSE

    When I go to tcode 'STRUSTSSO2' in my system I am seeing a wrong certificate for the system PSE.
    I want to delete it and create a new certificate.
    Can someone tell me the detailed steps for how I can remove the existing certificate and create a new one?
    I am going to use the new certificate for SSO from portal to this server.
    Thanks
    Andy

    Hi Andy,
    To remove the System PSE, follow the procedure described in [SAP Help|http://help.sap.com/saphelp_nw70/helpdata/EN/b6/23273aafa35d46e10000000a11402f/frameset.htm].
    To create a new one, see the procedure [here|http://help.sap.com/saphelp_nw70/helpdata/EN/07/03473cbff75b01e10000000a114084/frameset.htm].
    Regards,
    Henk.

  • How to create an experience certificate for an employee?

    Hi All
    My requirement is to create the experience certificate for the employee...
    Can anybody give a brief idea regarding this...
    Thanks in Advance
    Sandeep

    You can use the READ_TEXT function module to retrieve the standard texts created in SO10.
    ~Suresh

  • Creating Digital certificates for SOAP Receiver Adapter

    Hi
    In Visual Admin...> if we go to the "key storage" and try to create the certificates, we have the options of selecting the below algorithms.
    RSA-512,1024
    DH -512,1024
    DSA-512,1024
    But SOAP Receiver Adapter supports only the below encryption algorithms.
    3DES
    DES
    RC2-40
    RC2-64
    RC2-128
    Still, if I try to use any of the RSA, DH, DSA algorithms to create the certificates in Visual Admin and if I use the same certificate in the SOAP Receiver adapter, I am getting the below error in sxmb_moni:
    com.sap.aii.af.ra.ms.api.DeliveryException: Unsupported keysize or algorithm parameters.
    Could you please advise, is there any provision in XI to create the certificates using the algorithms 3DES, DES, RC2? Or do we have to import the certificates from a third party which supports 3DES, DES and RC2?
    Regards
    kumar

    can't wait further so closing the thread

  • Radius for 802.1x; Remote Access and Wireless authentication

    Looking to use a single RADIUS platform for authenticating remote, wired and wireless users and machines. Anyone with some experience with that use to share some lessons learned...

    Hello Richard,
    There is a previous post from a user who wants to add authentication to his Cisco ACS RADIUS server for wireless clients; it might be worth contacting that user to see how he resolved this. Here is the link to the thread:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9504e
    Also, have a look at the document below, which talks about the issue:
    Selecting an EAP Method: the RADIUS Authentication Server Component
    http://www.interlinknetworks.com/news/newsletters/20031104/tech.htm
    HTH,
    GP

  • Alternatives to MS workstation authentication certificates for 802.1x?

    I found out recently the hard way that the Certificate Authority bundled with Windows Server 2008 won't load the 'workstation authentication' certificate template.  (You need 2008 Enterprise/Datacentre or 2008 R2, or any edition of 2008 R2).
    Does anyone know of alternative ways of authenticating a device using 802.1x?
    thanks,
    David.

    Hi Kirbus,
    We opened a TAC case and were advised for now to do the following changes:
    1. Please make sure to disable Aironet extensions (if present) on the WLAN advanced configuration.
    2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.
    3. On the WLC general configuration, please disable aggressive load balancing.
    4. On the security tab on the WLC, under wireless protection policies, disable client exclusion policies.
    5. On the AP network configuration please disable short preamble; the original standard was long preambles.
    6. Wireless -> disable auto-RRM channel and power assignment and try "on demand".
    7. Apply these modifications on the WLC CLI:
    config advanced eap identity-request-timeout 20
    config advanced eap identity-request-retries 10
    config advanced eap request-timeout 20
    config advanced eap request-retries 10
    Save the config, and see if you still face the problem.
    We are still monitoring the solution, but until now we haven't faced the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • How to Create SSL certificate for HTTPS Connection in SAP PI

    Hi,
    I have a Proxy to HTTPS scenario. I need to provide my SSL certificate (SAP PI SSL certificate) to the vendor.
    How do I generate the SAP PI SSL certificate? I have already imported the vendor certificate using the STRUST T-code.
    I am not sure from where to generate the SAP PI SSL certificate that needs to be shared with the vendor.
    Please help me on this issue.
    Thanks,
    Siva

    Hi,
    Check if it helps:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
    But as mentioned by the colleague above, you can create that in the Visual Administrator Tool -> Keystore.
    Regards,
    Caio Cagnani

  • Trying to create a password for router and wireless adapter

    I was reading through a lot of posts and just couldn't find an answer that worked.
    I have a Linksys wireless router, never had a password set up on it, and lately I find someone is connecting to my internet and I would like to put a password on it. I found these instructions... but it wouldn't accept admin as the password to allow me to create a new one. I followed these instructions.
    "The default password of the router is admin. If you have set up a password before, it will not recognize the default admin. Hold the reset button of the router for 10 secs and it will retrieve the default admin... To change the default password, launch Internet Explorer (PC should be connected to the router hardwired), type on the address bar 192.168.1.1 -- it will prompt for a username and password, leave username blank and password will be admin... It will bring you to the set up page of the router... click on the administration tab and from there you can create your new password for your router... To encrypt the wireless network refer to our website, www.linksys.com/kb and search for answer id 759... it will walk you through the process..."
    I am using Windows XP for the OS and the Wireless G? The router is on my main PC and the adapter is on my other PC. How do I go about obtaining a password on this? The model # for the wireless piece is WMP54G; not sure what it is on the actual router.
    Message Edited by FullSmile on 09-17-2006 11:11 PM

    If the router is not accepting the default admin password even after a reset of 10 sec, you can hold down the reset button for 30 sec, and if that doesn't work either, the other options would be to change browser settings, try a different computer, or try upgrading the firmware of the router through tftp.exe. You can download the tftp.exe file from ftp.linksys.com/pub/network.

  • To create new user for rpd with Admin access in obiee 10g

    Hi All,
    I need to create a user in the RPD which has equivalent privileges to Administrator in the RPD. Please note that this is for accessing RPD Admin, not for Dashboard admin access. Can anyone please let me know how we should implement this?
    Regards,
    Vengatesh.

    Hi,
    Create a user and check the check box for the 'Administrators' group.
    If required, give the 'Presentation Service Administrator' group too.
    In Settings -> Manage Privileges you can restrict the user to Answers.
    Hope this helped / answered.
    Kind Regards
    MuRam

  • Lost my Certificate for 802.x authentication

    Somehow my Active Directory setting for my certificate is missing. I had a vendor install this originally and I thought it was on the RADIUS server somewhere but it is nowhere to be found. I know that because computers that don't have it tell me it is missing and they can't authenticate. If I create another cert on the same RADIUS server will it match the original or do I have to basically install a whole new one and push that out etc.? I am using the self-signed one out of the Windows Resource Kit as per the Ultimate Guide to Wireless on TechRepublic.
    thanks
    Gary

    You can regenerate a cert for the user in AD and push it via a GPO. I don't have the procedure to hand but that should be easily documented on the Microsoft side. The RADIUS server will have no role in this.
