Need some advice on learning networking

  • BillyCarpenter

    #1186
    Re: Need some advice on learning networking

    There's no doubt that I'm well outside the scope of CCNA setting up a radius server. I've been sucked up into the vortex of Security Certificates. I was completely ignorant on Security Certificates. Now I understand the theory of how they work and why they're used. That's a start. Implementing them is a whole other level. It's very complicated. To be clear, I'm talking about Active Directory Security Services.

    I get the feeling that I could spend days on this. Back to the grind. Hopefully I can learn this. Right now my head is spinning.
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


    • rthonpm

      #1187
      Re: Need some advice on learning networking

      Just wait until you need to generate certificates for multiple operating systems and applications and tie them back to your internal CA.

      Slightly different process for IIS, SQL, Apache, etc. At least with AD, all of your Windows clients implicitly trust the internal certs.

      Sent from my BlackBerry using Tapatalk


      • BillyCarpenter

        #1188
        Re: Need some advice on learning networking

        Originally posted by rthonpm
        Just wait until you need to generate certificates for multiple operating systems and applications and tie them back to your internal CA.

        Slightly different process for IIS, SQL, Apache, etc. At least with AD, all of your Windows clients implicitly trust the internal certs.


        I find it very comforting that you're around. Be sure not to go anywhere.

        • BillyCarpenter

          #1189
          Re: Need some advice on learning networking

          I kinda made a breakthrough today on the Security Certificates. This is some complicated stuff. Whew!!!!!!!!!


          First I enabled Web Services on Server 2019. It has a default website that you can access by typing in http://localhost/

          Once I got that up, I then activated https for the default site. The 2019 server can access the site with no problem because when we created it, the Security Certificate was placed in the "Root" something or another...I can't remember what it's called. But when you try to access the https site from a host computer, you'll get a warning saying "this is an untrusted site".


          From there I pushed the security certificate out to all the "Trusted Root Certification Authorities certificate store" on the host computers in the domain via group policy.


          Once that was completed, I no longer got the warning message when I accessed the website from a host computer.


          Hey, look, this shit is cool as hell, but I haven't even scratched the surface yet. It's intimidating.

          • BillyCarpenter

            #1190
            Re: Need some advice on learning networking

            When I made my previous post, it was around 2:00 a.m. and I was worn out from messing around with the security certs all day.

            This morning I woke up rested and did it all over again. This time my head wasn't spinning and things were much easier.


            Here's the rundown of what I did.

            I created a website. (actually, I used the default website in Server 2019.)

            I created a self-signed security certificate

            I added the certificate to the website

            I exported the certificate to all the PCs on the domain via a GPO.



            I then verified that it worked by opening up a web browser and going to the website. I knew it worked because I no longer got the error message warning me that this was an untrusted site.


            This was quite the education as I knew nothing about security certs.

            • BillyCarpenter

              #1191
              Re: Need some advice on learning networking

              If most of you know this already, I apologize for posting but this is all new to me.


              The reason I spent the energy to learn something about security certificates is because they're more secure than a preshared key and (I think) they're less hassle in the long run.


              This explains it better than I can.


              Pre-shared Secret


              The server generates a keypair, you copy this to every client machine (manually, through a script, etc). When connecting to the server, the client will check that the public key presented matches the one they have cached for that server (conceptually, this is the same as SSH's fingerprint id method).


              Upside: no need for the inconvenience of getting a CA-signed certificate. You can generate the server's keypair and start deploying it to clients immediately.


              Downside: Recovering from a key compromise is difficult or impossible because there is no mechanism for the server to notify clients of a key compromise, except by pushing a new keypair to all clients. Consider that an attacker has the server's private key and can intercept traffic between the client and server (both to block the updated keypair push, and to man-in-the-middle the client's connection to the server). The client will trust the attacker and believe that it is talking to the authentic server and there is nothing you can do to prevent this because at a fundamental level, pre-shared secrets have no revocation mechanism.

              Certificate

              Yes, it's annoying (and sometimes expensive) to get a certificate, but the trust no longer depends on your ability to push the pre-shared key to the clients.
              Part of the validation process for a certificate is for the client to reach out to the CA and ensure that the certificate is not revoked, and if it fails to reach the CA, this counts as a failure. Spoofing this revocation check requires the attacker to compromise not only the server's private key, but the CA's private key as well. If the server realizes that its keypair has been compromised and asks the CA to revoke it, all clients will know immediately because the online revocation checks will fail.

              Revocation is the main reason to use certificates here, but also consider that an attacker can intercept the initial public key push and replace it with their own public key. Maybe you are the network admin and can guarantee to deploy the public keys securely, but certificates make this a moot point because even if the attacker can intercept the certificate deployment, spoofing a cert requires compromising the CA.


              • rthonpm

                #1192
                Re: Need some advice on learning networking

                You've created a self-signed certificate, which is a good first step in figuring out the logic of certificates, but for a RADIUS server or any kind of infrastructure, you really need a trusted certificate. Since none of the resources you're going to be dealing with are available online, you don't need to get paid certificates from an external provider, you need an internal certificate authority.

                Active Directory provides the best way to do that since once AD knows where the CA is, it implicitly trusts any certificates generated by it.

                Microsoft has some good documentation on creating a certificate authority using the AD CS role of Windows server. In a small environment, it's usually best to just have a single root CA server. As environments get larger you may have a root CA server and intermediate servers that can sign for that root server. I've even seen environments where the top level CA server isn't even connected to the network at all as a security measure.


                Also always, always, remember to generate your certificates with the fully qualified domain name of your host: server.domain.com. That way you're not only assuring the name of the resource, but also trusting the domain that the cert is for.





                • BillyCarpenter

                  #1193
                  Re: Need some advice on learning networking

                  Originally posted by rthonpm
                  You've created a self-signed certificate, which is a good first step in figuring out the logic of certificates, but for a RADIUS server or any kind of infrastructure, you really need a trusted certificate. Since none of the resources you're going to be dealing with are available online, you don't need to get paid certificates from an external provider, you need an internal certificate authority.

                  Active Directory provides the best way to do that since once AD knows where the CA is, it implicitly trusts any certificates generated by it.

                  Microsoft has some good documentation on creating a certificate authority using the AD CS role of Windows server. In a small environment, it's usually best to just have a single root CA server. As environments get larger you may have a root CA server and intermediate servers that can sign for that root server. I've even seen environments where the top level CA server isn't even connected to the network at all as a security measure.


                  Also always, always, remember to generate your certificates with the fully qualified domain name of your host: server.domain.com. That way you're not only assuring the name of the resource, but also trusting the domain that the cert is for.





                  That makes a lot of sense and clears up some questions I have. That's great information and I thank you for it. I'll update after I've learned something about it. Thanks again.

                  • BillyCarpenter

                    #1194
                    Re: Need some advice on learning networking

                    I want to thank rthonpm for guiding me in the right direction. This kind of advice really helps speed up the learning process. Thank you.


                    Setting up the self-signed cert helped with learning to set up a trusted cert.

                    Before we go any further, we need to understand what a "trusted" cert is. Let's start from the beginning. When we set up AD CS (Active Directory Certificate Services), it has a folder called "Trusted Root Certificates" and it is preloaded with the "Root Internet Authorities". Side note: these are the big guys that issue public security certs. I'm not going into great detail. If you want to know more, the info is out there.

                    Anyway, once our server is added to the root folder, any cert that is issued will be trusted by any device on the network. It will not be recognized by any other PC in the world outside our domain... unless we place the cert on there.


                    This is my understanding of how it works. Right? Wrong?

                    • rthonpm

                      #1195
                      Re: Need some advice on learning networking

                      Correct. Any machine bound to the same domain will natively trust the domain's CA.

                      For any non-Windows systems, there is a web interface for the CA feature that can allow you to download a copy of the CA's public cert or the full domain cert chain to import into other operating systems.


                      • BillyCarpenter

                        #1196
                        Re: Need some advice on learning networking

                        Originally posted by rthonpm
                        Correct. Any machine bound to the same domain will natively trust the domain's CA.

                        For any non-Windows systems, there is a web interface for the CA feature that can allow you to download a copy of the CA's public cert or the full domain cert chain to import into other operating systems.

                        Thus far I've set up AD CS and actually looked in the root folder to verify that my server is in there. Installing AD CS was a little tricky due to the add-ons that needed installing, and then learning to navigate my way around the system was challenging.


                        I still have to learn to create a cert and distribute it.

                        Hopefully, that will be enough to get my radius server up and going.

                        I've enjoyed learning this and there's a hell of a lot you can do with certificates. Very important.

                        • rthonpm

                          #1197
                          Re: Need some advice on learning networking

                          Originally posted by BillyCarpenter
                          Thus far I've set up AD CS and actually looked in the root folder to verify that my server is in there. Installing AD CS was a little tricky due to the add-ons that needed installing, and then learning to navigate my way around the system was challenging.


                          I still have to learn to create a cert and distribute it.

                          Hopefully, that will be enough to get my radius server up and going.

                          I've enjoyed learning this and there's a hell of a lot you can do with certificates. Very important.
                          Remember, you need to create the cert request on the system you're looking to create the server for, or on a system from which you can export the private key that generates the request. The end system is part of the process to help establish the two-way trust between server and client.

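The trust model rthonpm lays out in #1192 and #1197 (an internal root CA, certificates carrying the host's FQDN, and a request generated on the end system so its private key never leaves it), together with the revocation argument quoted in #1191, as an added Go example; this is not code from the thread or from AD CS, which performs the same steps with its own tooling. The CA name, the one-day validity window and the serial numbers are constructed, server.domain.com is the FQDN from #1192, and revocation is checked against a CA-signed CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics to keep the lab short; real code returns the error
	if err != nil { panic(err) }
	return v
}

var nb, na = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // constructed validity window

// NewCA creates the internal root CA: self-signed, permitted to sign certificates and CRLs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Internal Root CA"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// ServerCSR runs on the end system: the key pair is generated and kept there; only the signed request goes to the CA.
func ServerCSR(fqdn string) []byte {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))))
}

// Issue runs on the CA: check the CSR signature (proof the requester holds the key), then sign a server-auth cert.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { panic(err) }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames, NotBefore: nb, NotAfter: na,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, csr.PublicKey, caKey))))
}

// Revoke runs on the CA: publish a CRL, signed with the CA key, listing the compromised certificate's serial.
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: na,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}, ca, caKey))
}

// Verify is the client's side: chain to a trusted root, match the FQDN that was connected to, then consult the
// CA's CRL (nil crlDER means no revocation data at all, which is the pre-shared-key situation from #1191).
func Verify(cert *x509.Certificate, roots *x509.CertPool, fqdn string, ca *x509.Certificate, crlDER []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: fqdn}); err != nil { return err }
	if crlDER == nil { return nil }
	crl := must(x509.ParseRevocationList(crlDER))
	if err := crl.CheckSignatureFrom(ca); err != nil { return err } // a forged CRL would need the CA's private key
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return errors.New("certificate revoked by CA") }
	}
	return nil
}
```

A client whose root store lacks the CA, or that connected to a name not in the certificate, fails the first check, which is the "untrusted site" warning BillyCarpenter saw before pushing the cert out by GPO.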

                          • BillyCarpenter

                            #1198
                            Re: Need some advice on learning networking

                            I got the radius server to work - finally!!!


                            I spent the past couple of days working on security certificates. I used a trusted cert for the radius server.

                            Setting up the radius server was no easy task. I experienced a lot of failure along the way but when it finally worked, I felt like I had won the lottery. I'm tired.


                            The last piece of the puzzle was to open port 1812. I liked to have never figured that out.

                            • BillyCarpenter

                              #1199
                              Re: Need some advice on learning networking

                              I was so worn out yesterday from configuring the radius server that I really couldn't explain what I did. It was involved. How involved? Here's what was needed on Server 2019:


                              -Domain Controller
                              -DHCP
                              -AD CA (Certificate Authority)
                              -NPS (Radius)

                              All of that needed to be installed from the jump.

                              I had to request a new (trusted) certificate in order for the server to prove its identity to the client. Otherwise, it could be talking to a rogue agent.

                              Next I had to choose the protocol in which the server and WLC would communicate. I chose PEAP because it was the simplest to configure. PEAP stands for Protected Extensible Authentication Protocol. This protocol is still in use today; however, it was cracked some years ago and should not be used. There are other flavors of Authentication Protocols, such as EAP-TTLS. I plan on going back and installing a more secure protocol but I needed to get this working first and foremost.

                              This is an abbreviated version of all the things that had to be configured. I had to make a static DNS entry to resolve the host name of the WLC to its IP address. There was a lot more.

                              It seems like I've spent a lot of time on the "wireless" section of CCNA but there's a lot to it when you get to the Enterprise Level. Wireless LAN Controllers take it to a different level. And when you implement RADIUS, you get into the Windows Server world.

                              In conclusion, a Cisco WLC allows you to place wireless users into different VLANs and you can further restrict where they can go by using an Access List. Moreover, RADIUS allows wireless users to log on to an SSID using their domain credentials, and thus all wireless users are able to be centrally managed.

                              That's it for now.

                              • BillyCarpenter

                                #1200
                                Re: Need some advice on learning networking

                                Even though I know more than I did about security certs, I still don't feel like I know as much as I need to. This is a really complex subject.


                                Here's the way I think it works on my WLC/Radius Server.


                                I requested a certificate and it was placed on the domain controller. The certificate was then placed on the Radius Server as a means to verify that it has the authority to authenticate the clients.

                                But wait, there's more....


                                If we're using EAP-TLS, both the Radius Server and client use a certificate. When EAP is started, the radius sends the key (Cert) to the client. The key is gonna be used by the client to encrypt whatever needs encrypting that is going back to the radius server. Once the encrypted data is received by the Radius Server, it uses its local key to decrypt back to plain text.

                                So, we have a two-way trust system and the means for encryption and decryption.

                                Correct me if I'm wrong.