Identity and Policy Control
Contributor
NDCool
Posts: 243
Registered: ‎11-26-2007

Disable validate server certificate on OAC

Hi guys,

I have been testing my lab UAC deployment. Can we disable "validate server certificate" on the OAC user profile? Because if validate is checked, OAC cannot authenticate to the IC.
I cannot disable it; I can only change from EAP-TTLS to EAP-PEAP.
(picture attached)
Any suggestion?

thanks
-ND-
Regards,

ND
Trusted Contributor
gdavies
Posts: 115
Registered: ‎11-05-2007

Re: Disable validate server certificate on OAC

Hi ND,

Yes, you *should* be able to deactivate that on OAC normally. I'm not sure if it is prevented from being unchecked within the UAC environment. It might make sense if the UAC creates a self-signed certificate and pushes it into your certificate store on installation of OAC. Otherwise, it doesn't make sense to block it.

I have just checked my own UAC profile and it *is* possible to uncheck the box next to Validate server certificate.

Have you tried creating a brand new profile for the UAC?  You need to set it up with EAP-TTLS/EAP-JUAC.

Rgds,

Guy
---
Guy Davies
Juniper Employee
aronow
Posts: 36
Registered: ‎11-06-2007

Re: Disable validate server certificate on OAC

ND,

You are probably missing a Trusted Server entry, or you have not added the cert to your user's "Trusted Root Certification Authorities" store. That would explain why "validate server certificate" is causing your client to fail.

If you are trying to change the OAC configuration that gets pushed from the IC, then no, that is not possible.

What you could do, other than making sure to add the self-signed certificate to your "Trusted Root Certification Authorities" store, would be to generate a CSR and sign it with some external authority that already exists on your workstation. Alternatively, you could sign the CSR with some local CA server, and then upload the root cert into the IC's Trusted Server CAs.

Then when OAC gets pushed to the endpoint, you should also see a certificate pushed from the IC and added to the user's "Trusted Root Certification Authorities" store, as well as a Trusted Servers entry added in OAC.

If you are trying to disable "validate server certificate" at GINA time (the Windows logon screen using the OAC GINA module), you cannot. You must validate the server certificate at GINA time; this is a security feature of OAC. You can only disable "validate server certificate" at the desktop or for machine authentication.

 

Thanks

-Jeff Aronow
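An added example, not code from the thread or from Juniper, that reproduces the failure Jeff describes: a certificate issued to the IC verifies only when its issuing root is in the client's trust store. It assumes `openssl` is installed and uses the placeholder hostname `ic.lab.example` and throwaway lab CAs that are generated on the fly.

```shell
#!/bin/sh
# Added example: why "validate server certificate" fails when the IC's issuing
# root is missing from the workstation's trust store, and passes once it is
# present. Everything here is constructed locally; no real IC is involved.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IC_HOST="ic.lab.example"   # assumption: placeholder hostname of the IC

# A local CA that will sign the IC's CSR (the "local CA server" in the thread).
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# An unrelated CA standing in for the roots a workstation already trusts.
make_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# Generate a CSR on behalf of the IC and sign it with the local CA.
issue_ic_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$IC_HOST" \
    -keyout "$WORK/ic.key" -out "$WORK/ic.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ic.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/ic.crt" >/dev/null 2>&1
}

# validate_server_cert <trust-store.pem>: what the client's check boils down to.
# Returns 0 only if the IC cert chains to a root contained in the given store.
validate_server_cert() {
  openssl verify -CAfile "$1" "$WORK/ic.crt" >/dev/null 2>&1
}

demo() {
  make_local_ca; make_other_ca; issue_ic_cert
  if validate_server_cert "$WORK/other.crt"; then
    echo "unexpected: chain verified without the issuing root"
  else
    echo "root not in store: validation fails (the symptom in this thread)"
  fi
  if validate_server_cert "$WORK/ca.crt"; then
    echo "root in store: validation succeeds, no need to uncheck the box"
  fi
}
demo
```

The same logic applies whether the root is the IC's self-signed certificate or the root of the CA that signed its CSR; the trust store just has to contain it.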

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.