Windows 7 Wifi Certificate Trust Anchor

Tags: active-directory, certificate, radius, windows-7

When attempting to connect to our company wireless while not on the domain, I receive a message saying that our RADIUS server provided a valid certificate issued by our root CA, but that the root CA is not configured as a valid trust anchor (on a Windows 7 machine).

The root CA has to be manually checked off under security for the wireless network connection in order to remove this message. What is the point of manually telling the system to trust the Root CA? Isn't that the point of having a trusted root CA? Is there any way around this? It becomes an issue when users think our connection is insecure or certificates are out of date. I can't manually configure every machine that may use the wireless.

It's the same as the issue seen here.

Best Answer

Think about your question for a second.

The "root CA" is the "root CA" for your domain. So yes, it will be trusted by members of your domain, and not by machines that aren't joined to your domain. In fact, if you could get machines to automatically, arbitrarily trust your CA, that would be a rather big security hole rather than a security feature (and is precisely how Stuxnet and Flame installed themselves - with forged certificates from universally trusted CAs).

You should be distributing certificates and CA trusts through GPO (auto-enrollment), which means you don't have to manually configure every machine that needs to use the wireless, and you can make your life a lot easier by only allowing domain-joined machines (that have those certificates and trusts pushed out to them) onto the company wireless network, precisely so you don't have to manually issue certs and trusts. Of course, you can decide to allow any device that doesn't have the trusts and certificates to use the wireless... but the symptoms you're seeing are the price you pay for doing so.

You can also set up a secondary wireless SSID, protected with a password and segmented off from the corporate network to allow your users to surf the web with their personal devices (and is what we do), if you can't lay down the law and just say "no" to personal wireless devices at the office.
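To see on a given client whether the two things the answer relies on are in place (the root CA present in the machine-wide trusted root store, and the wireless profile's PEAP server validation pinned to that CA), here is an added PowerShell check; it is not part of the thread, and the profile name and the root CA thumbprint are placeholders you replace with your own.

```powershell
# Added example (not from the original thread). Assumptions: the root CA SHA-1
# thumbprint below is a placeholder, and the wireless profile is named "CorpWifi".
param(
    [string]$RootCaThumbprint = 'REPLACE_WITH_ROOT_CA_SHA1_THUMBPRINT',
    [string]$ProfileName      = 'CorpWifi'
)

$thumb = ($RootCaThumbprint -replace '\s', '').ToUpperInvariant()

# 1. Is the root CA in the machine-wide trusted root store? Domain members receive it
#    via GPO (Public Key Policies > Trusted Root Certification Authorities); a machine
#    that is not domain-joined usually lacks it, which produces the prompt in the question.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($rootCert) {
    "Root CA present in LocalMachine\Root: $($rootCert.Subject)"
} else {
    "Root CA NOT in LocalMachine\Root - the RADIUS server certificate will not validate"
}

# 2. Does the wireless profile pin server validation to that root CA? netsh exports the
#    profile as XML; the PEAP settings live under <ServerValidation><TrustedRootCA>,
#    which is the checkbox the question describes ticking by hand.
$tmp = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$file = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $file) { "No wireless profile named '$ProfileName' on this machine"; return }

[xml]$profile = Get-Content $file.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($profile.NameTable)
$ns.AddNamespace('peap', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')
$pinned = $profile.SelectNodes('//peap:ServerValidation/peap:TrustedRootCA', $ns) |
    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpperInvariant() }

if ($pinned -contains $thumb) {
    "Profile '$ProfileName' validates the RADIUS server against the expected root CA"
} else {
    "Profile '$ProfileName' does not pin the expected root CA (pinned: $($pinned -join ', '))"
}
```

On domain members both items are delivered by Group Policy (the trusted root via Public Key Policies, the profile via Wireless Network (IEEE 802.11) Policies), so the script is mainly useful for spotting which non-domain machines will keep showing the prompt.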