Your Certificate Expired and Broke My Device

Your Certificate Expired and Broke My Device 

Certs are easy to manage, said no one

Certificates are a wonderful thing for security but a horrid one for management, especially if you have no formal process in place for renewing them. A quick web search will turn up countless posts and articles about expired certs breaking organizations and causing chaos.

This post is not about managing their expiration as I believe operational leaders need to make it a priority in the months prior and have a formalized plan. Instead I will focus on the technical side of supporting users and departments from a network administration perspective.

Most network professionals know the certificates on their devices do not hinder client connectivity. The obvious caveat to that is when you forget to update your EAP cert(s) or use your infrastructure as the CA. However when something doesn't connect to the network we all know the phone calls or tickets that come in saying the network is down or your certificate expired and broke my device.

Its not me, its you

This was my dilemma recently. With the root certificate expiring soon I got to work updating our NAC with all the necessary new ones, most importantly the certificate used for our EAP methods (PEAP-MSCHAPv2 and TLS). My goal was to update the EAP certificate first as I knew this would be the biggest cause for concern and I did not want that update to coincide with the root expiring. After difficulty getting our NAC updated, the nodes were now using the new certificate with minimal impact to endpoints. Minimal since some of our laptops were unable to reconnect without user intervention to click accept on trusting the network. After speaking with our device admin we were unable to determine why this only happened on laptops and not other wireless PCs. In any case, the critical piece of my puzzle was complete and everything was authenticating. Yay!

That is until the following week when the root certificate finally expired. Falling asleep before the expiration (because there's nothing I can do) and making it almost through to the morning until the on call woke me up stating our service desk claims the primary SSID for VoWiFi phones was down. Thinking this is an interesting assertion as we use a central wireless controller with centralized switching, if we had a problem surely we’d have other issues with other production SSID’s. Sleepily I hopped on my computer and began to parse through RADIUS logs. A short time later I confirmed my initial suspicion, the devices had not received the updated root certificate.

After that call my week became consumed by troubleshooting requests even though there was nothing to troubleshoot from my perspective. Still, I believe in teamwork to an extent, primarily for those who are on the ground helping out individuals. This did not remove any frustration that was incurred when attempting to explain the issue to everyone unfortunately. As everyone became aware of the issue, other teams began double checking their devices and the problems slowly cleared up. The focus quickly moved away from us and towards the root (pun intended) issue.

Did we learn anything?

No project good or bad should be put to rest without some lessons learned. For me the biggest lesson learned is to do you due diligence and start a new or otherwise unknown process far in advance. This was my first time updating certificates for an organization this large using an enterprise grade NAC. During the process I uncovered many issues that required extensive troubleshooting to correct before I could begin renewing everything. Things from communication errors between nodes, necessary restarts, failed backups and implementing best practices for this particular appliance. The other primary lesson is always document and be able to give an executive summary of what you are doing. Not too much or too little information is key to providing leaders with enough detail to transfer to other leaders who may be less technical. Lastly, be prepared to troubleshoot. Know the possible issues and know how to look for them. Set aside time after the go live (the overall one, not just your piece) to assist and understand how other teams changes interact with yours.

Comments

Post a Comment

Leave a comment...

Popular posts from this blog

Capturing Roaming Events

Image
Finally! I scored a newer laptop to put Kali Linux on along with Windows to do some more wifi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes I know you can also use Pi as a remote capture device but that still didnt help with looking into roaming events. Now its been a few years since Ive used Kali and I was amazed at how polished its become. I think I used Backtrack about a decade ago to try and 'hack' my wifi with a WPA cracking tool. Needless to say that didnt launch my security career but it was quite interesting. There are plenty of tutorials on how to set you capture device in monitor mode so I wont go into that here. If you are curious here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the defacto standard for monitor mode support but I had a Comfast CF912 and TPLink Archer T9UH adapter ...
Read more

IoT and Smart Home Devices: Part 1

Image
  Source: https://www.sparkfun.com/products/17146                 This is going to be a multi part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices so much that I don’t even want my roommates Alexa on the same network as mine. However with these things being so prolific it is best to understand them so we can better protect our networks. Ill start with a little background of the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly Ill do my best to capture packets during the join process but we will see how that goes with my limited setup.  I was looking to purchase a new Roku and since Walmart was the closest st...
Read more

Frame Exploration: Authentication Frames

Image
Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described similarly to plugging a network cable into the wall or switch.  Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a 4 message exchange for authentication. We will be looking at Open System Authentication frames here.  In the above we have the two frame exchange between the client device and the AP. Each message is the essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful.  As with all other frames we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...
Read more