cancel
Showing results for 
Search instead for 
Did you mean: 

NPS and Android with Self-Signed CA

NPS and Android with Self-Signed CA

tandrews1
New Contributor

Not specifically an Extreme issue, but I'm wondering if anyone out there using NPS for 802.1x authentication has figured out a way to easily deploy their self-signed certificate to Android users with the latest OS that do not have the "Do Not Validate" option.

1 ACCEPTED SOLUTION

Adam_Minowski
Extreme Employee

The simplest way is to use commercial/trusted certificate in NPS. It's not so expensive.

It depends on situation, but you can always do it by procedural means. Basically - write procedure, publish public cert on some publicly accessible webserver, let users know about procedure (somehow) that in order to conenct they need to install cert in trusted certs store, otherwise they will not be able to join. How you will it technically, it's up to you.

When it's BYOD/Guest situation then you don't have possibility to modify trust store on client device. You can do it with MDM system, but in plenty of cases is not doable, because device owners  most probably will not give your organisation permission, to modify their personal equipment.

About "Do not validate" option: it is bad idea to use it, therefore it's good that it does not exist anymore. It pose serious security threat, especially when using PEAP.

View solution in original post

1 REPLY 1

Adam_Minowski
Extreme Employee

The simplest way is to use commercial/trusted certificate in NPS. It's not so expensive.

It depends on situation, but you can always do it by procedural means. Basically - write procedure, publish public cert on some publicly accessible webserver, let users know about procedure (somehow) that in order to conenct they need to install cert in trusted certs store, otherwise they will not be able to join. How you will it technically, it's up to you.

When it's BYOD/Guest situation then you don't have possibility to modify trust store on client device. You can do it with MDM system, but in plenty of cases is not doable, because device owners  most probably will not give your organisation permission, to modify their personal equipment.

About "Do not validate" option: it is bad idea to use it, therefore it's good that it does not exist anymore. It pose serious security threat, especially when using PEAP.

GTM-P2G8KFN