How are you handling WIFI certificates?

MaikStrassmann
KWS SAAT SE

Hi!

I wanted to find out how other companies work with WIFI certificates.

In our company, the global IT management requires that each device has its own/individual WiFi certificate which is named after the device. This would ensure that the devices can be clearly assigned in the various security tools, which supposedly doesn't work so well if they all have the same certificate name.

We have an AD account configured via the Certificate Authority. This account issues the certificates for the device.
This must be exported and assigned to the user object in AD. This means a lot of manual effort.
In addition, the personal certificate must then be selected in the WiFi settings, because it is named differently for each device and therefore cannot be selected automatically.

I can't imagine that other companies also use this variant because it is far too laborious.

I would like to hear what you think of the configuration and the procedure and even more, how you handle it?

Best regards

Maik

3 years ago
SOTI MobiControl
ANSWERS
Matt Dermody Diamond Contributor
3 years ago

I often tell whoever is mandating individual device certificates that it can be supported but they will be personally responsible for installing the certificate on every device themselves. The requirement often magically disappears after that...

MaikStrassmann
3 years ago

I was expecting an answer like that, haha.


The statement was: the benefit is not in proportion to the set-up and maintenance costs.

The problem is also that if we have to change anything in the WiFi profile (another proxy exception, for example), all devices go offline and no longer use the manually selected certificate.
This is also a huge problem...

Of course, we also don't have staging wifi to make it even more difficult.

Thomas G.
3 years ago

Hi,

Without a staging network it won't work, of course. But generally, device-individual certificates are not a problem; we use them with thousands of devices. The part in MobiControl is only a few clicks, but the other components like the CA and RADIUS server, and also the devices, are often the things which cause effort.

MaikStrassmann
3 years ago

Hi Thomas,

I think the chance of getting a staging WiFi is still relatively realistic.
Getting the certificate settings adjusted to 1 certificate per location, or something similar, is rather unlikely.

Maybe we have made a mistake, but this is how we have configured it:


We have set up a Certificate Authority. This creates a certificate for an AD enrolment user of ours, which is named like the device/MDE, via the certificate template "KWS Handhelds_2".

We then have to export the certificate from this enrolment user and insert it into a user account in AD, which is again called the same as the device. On the device, we then have to go to the WiFi settings and manually select the user certificate again.

Yes, it works like this, but I think it can be done more nicely.

I would have expected that the user certificate would somehow be selected on its own. Especially because the users tend not to find this setting themselves.

Best regards

Maik

MartinsKl
3 years ago

I don't think it is so laborious. I create AD accounts with PowerShell and then assign either by hand for a few, or by script using the API for many. You can also assign in bulk from CSV, but personally I haven't really used it. Also, the username is in the device name, so if a device is re-enrolled it's possible to just use the device name to assign the AD user back using scripts.

MaikStrassmann
3 years ago

Hi,

I don't have enough rights as I'm only on the client/user side, so I cannot test it on my own. But that might also be a solution to somehow improve the situation.

Thanks!

Thomas G.
3 years ago

Hi Maik,


We do not use Microsoft's ADCS and NPS. We had ADCS in use a couple of years ago for another MDM with iOS devices, and I remember that certificates were issued by SCEP. There were no domain user accounts needed or given; we used only a template in the CA connection to create the CN in the certificate individually per device.
The "real pain" for us was (or would be) NPS, as a domain user account is mandatory and this was a showstopper for us. RADIUS server products from other manufacturers like Cisco support but do not require a domain user account. We authenticate the device only by the certificate.

I'm not sure why you have to choose the certificate on the device manually, particularly as it's given in the device's credential storage. This is not the case on our devices.
The only thing I see on your screenshot is that the CA certificate is missing. Usually, all the certificates included in the 'chain of trust' have to be given in the certificate configuration, which is in the same profile as the WiFi configuration.
The issue could also be within the device / OS; we had a POC with a device manufacturer and in the beginning an EAP-TLS profile could also not be configured correctly.
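The chain-of-trust point above is easy to verify before a profile goes out to devices. The script below is an added example for this thread, not code from SOTI or from any poster: it reads an exported device certificate and the CA certificate files you intend to push in the MobiControl certificate profile, then checks the things an EAP-TLS RADIUS server will look at (subject CN equals the device name, Client Authentication EKU, validity window, and a chain that terminates in one of the supplied CA files rather than in the local PC's trust store). The file paths and the device name `DEVICE01` are placeholders.

```powershell
# Added example, not code from this thread or from SOTI. Checks an exported device
# certificate the way an EAP-TLS RADIUS server will see it. All paths and the
# expected device name are placeholders (assumptions, not values from the thread).
param(
    [string]   $DeviceCertPath     = '.\DEVICE01.cer',
    [string[]] $CaCertPaths        = @('.\root-ca.cer', '.\issuing-ca.cer'),
    [string]   $ExpectedDeviceName = 'DEVICE01'
)

$x509          = 'System.Security.Cryptography.X509Certificates'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS peers

$cert    = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $DeviceCertPath).Path
$caCerts = foreach ($p in $CaCertPaths) {
    New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $p).Path
}

# 1. Identity: the subject CN is what a device-name based NPS/RADIUS policy matches on.
$cn        = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$cnMatches = ($cn -eq $ExpectedDeviceName)

# 2. EKU: without Client Authentication the cert is rejected even if it chains correctly.
$ekuExt        = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

# 3. Validity window.
$now        = Get-Date
$isValidNow = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)

# 4. Chain: build offline from the CA files we plan to push, and tell .NET to ignore
#    whether this PC trusts the root, so the result reflects the profile, not this PC.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
foreach ($ca in $caCerts) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
$chainBuilt = $chain.Build($cert)

# Every element above the leaf must be one of the supplied CA files; anything else
# means the profile's chain of trust would be incomplete on the device.
$provided           = $caCerts | ForEach-Object { $_.Thumbprint }
$missingFromProfile = @($chain.ChainElements | Select-Object -Skip 1 |
    Where-Object { $provided -notcontains $_.Certificate.Thumbprint } |
    ForEach-Object { $_.Certificate.Subject })
$statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
if (-not $statusText) { $statusText = 'OK' }

[pscustomobject]@{
    SubjectCN          = $cn
    CNMatchesDevice    = $cnMatches
    HasClientAuthEKU   = $hasClientAuth
    ValidNow           = $isValidNow
    ChainBuilds        = $chainBuilt
    ChainStatus        = $statusText
    MissingFromProfile = $missingFromProfile
    ReadyForProfile    = ($cnMatches -and $hasClientAuth -and $isValidNow -and
                          $chainBuilt -and $missingFromProfile.Count -eq 0)
}
```

Run it once per certificate template change. A `PartialChain` status or a non-empty `MissingFromProfile` is the symptom Thomas describes (a CA certificate that the device never receives); a CN mismatch is what breaks a policy keyed on the device name.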

MaikStrassmann
3 years ago

Hi Thomas,

The user certificates not being selected also quite confuses me, and if I remember correctly it was set before.

I will create a new test profile and see if it may improve our situation.

Thanks!

Maik

Martin K.
3 years ago

I have seen at a customer installation that they are using the MobiControl device name as the name of the certificate and have a computer object created in their AD for each requested certificate (with some third-party tool unknown to me).

In the WiFi configuration the username is again %DEVICENAME%, but this time with an added $, so for the Microsoft NPS it looks like an authentication with the computer account.

The customer is using Ethernet Cradles for staging, devices are Honeywell CK65.
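Martin's approach (and MartinsKl's earlier point about creating the AD objects with PowerShell and scripting the assignment) needs one AD object per device whose sAMAccountName is exactly the MobiControl device name plus `$`. The script below is an added example for this thread, not code from SOTI or from any poster, and it does not replace the third-party tool Martin mentions: it reads a CSV of device names, validates them against the computer-name rules NPS and AD enforce, and creates a computer object per device in a target OU, skipping names that already exist. The CSV layout, the OU distinguished name and the description text are assumptions.

```powershell
# Added example, not code from this thread or from SOTI. Creates one AD computer
# object per MobiControl device so that a Wi-Fi identity of "<DEVICENAME>$" resolves
# to a computer account at NPS. Assumptions: the ActiveDirectory RSAT module is
# installed, the caller may create objects in $TargetOU, and the CSV has a
# "DeviceName" column. The OU DN below is a placeholder.
param(
    [string] $CsvPath  = '.\devices.csv',
    [string] $TargetOU = 'OU=Handhelds,OU=Devices,DC=example,DC=com',
    [switch] $WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

# Computer names are limited to 15 characters from a restricted set (NetBIOS rule);
# anything else is reported and never sent to the directory.
$namePattern = '^[A-Za-z0-9-]{1,15}$'

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $name = ([string]$row.DeviceName).Trim()

    if ($name -notmatch $namePattern) {
        [pscustomobject]@{ DeviceName = $name; Status = 'InvalidName' }
        continue
    }

    # The sAMAccountName of a computer object is the name plus a trailing '$'.
    # This is the string NPS sees when the Wi-Fi identity is %DEVICENAME%$.
    $sam = $name + '$'

    $existing = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($existing) {
        [pscustomobject]@{ DeviceName = $name; Status = 'AlreadyExists' }
        continue
    }

    try {
        New-ADComputer -Name $name -SamAccountName $sam -Path $TargetOU -Enabled $true `
            -Description 'MobiControl handheld (EAP-TLS device identity)' -WhatIf:$WhatIf
        [pscustomobject]@{ DeviceName = $name; Status = 'Created' }
    }
    catch {
        [pscustomobject]@{ DeviceName = $name; Status = "Error: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

Run it with `-WhatIf` first to see which objects would be created. Because the object name is derived only from the device name, a re-enrolled device with the same name maps back to the same account, which is the point MartinsKl made above; the same CSV can then drive the certificate request so that the certificate CN, the AD object and the Wi-Fi identity all carry the identical device name.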

MaikStrassmann
3 years ago

Hi Martin,

The idea with %DEVICENAME% is great! I will test it today; it sounds at least promising so far :)

Best regards

Maik

Leon Callsen
3 years ago

Hi Maik,

Did you have any success with the method from Martin?
If so, would you be so kind as to share the solution with us?

MaikStrassmann
3 years ago

Hi Leon,

We are currently still having a few problems as we have adapted the certification server. But the %DEVICENAME% setting works well. The devices have to authenticate themselves with their name on the WLAN and this now works as desired.

RSMOD@SOTI
3 years ago

Hi Maik,

Thanks for your post on SOTI Central, and I'm sorry for such a delayed response.

Since you posted this query, has your requirement regarding WiFi certificates changed?

If so, can you please let me know your current requirement?

Do you just want to hear about use cases from different customers, and/or do you need information such as best practices?
