Cisco WLC w/1142 AP's
On windows 7, wireless Protected EAP properties sheet (Windows zero config) If a specified Root-CA is selected will the TLS tunnel be formed with the Radius server or the Root CA? The Root CA is located over a WAN link and the connection works. The radius server is local. What kind of issues may I expect to see.
Is this a valid configuration or should the Certificate of the Radius server be put in the trusted root store?
The TLS tunnel is usually created between the supplicant and the authentication server. In this case, it's most likely the wireless client and the IAS (RADIUS) server. I'm not sure if Cisco can do EAP termination on the AP, but if so, that might be another place the TLS tunnel could be terminated.
The main point is, the tunnel is not actually created to the CA unless for some reason your CA is also hosting IAS. If your IAS server is local this should work just fine for you even though the root CA is remote since the root CA is really just the CA that issued the cert. being used locally by RADIUS.
The TLS tunnel doesn't go to the CA. It is between the supplicant (client) and the authentication server. The CA signed certificates is about trusting the identity of the other end. Your setup sounds fine. The server will present its certificate to the client who will then check it against its stored CA certificate, and vice versa. Think, if the client hasn't got connectivity at all yet during authentication, it can't go and check a certificate online, which is why it has to have the CA stored locally.
Thanks for the update.