Re: [External] Re: [WIRELESS-LAN] securew2 root ca radius server cert change
TL;DR: Everything Ryan said applies to PEAP too. We have extensive experience on the PEAP front. We used to run an InCommon certificate, and devices prompted to verify. (Windows, Macs, and iPhones use a different store to verify 802.1X certs, so no cert chain is trusted out of the box - there is no cert you could provide to make them happy.) So we migrated to a long-validity private CA that our CISO manipulates using openssl(1), and we distribute the CA using eduroam CAT. All is well in the world. -- Hunter Fuller (they) Router Jockey VBH Annex B-5 +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Network Engineering On Wed, May 27, 2020 at 1:53 PM Philippe Hanset <005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote: > > Somewhat related to this thread, if you are planning to switch to EAP-TLS, > please consider using ECC (Elliptic Curve Cryptography, small certs) > Certificates. > They make EAP-TLS much more compatible when authentications cross many > network devices ( related MTU size issues), especially if you do not control > those devices. > We have had many failed authentications on eduroam with EAP-TLS (using 2048 > bits certs) due to MTU mismatch on network devices across the entire > federation. > > Best, > > Philippe > > Philippe Hanset, CEO > www.anyroam.net > Operator of eduroam-US > +1 (865) 236-0770 > > On May 27, 2020, at 8:16 AM, Turner, Ryan H wrote: > > My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL > or anything else. Actually, that does bring a wrinkle into my previous > email. If PEAP and TLS both exist, I am going to guess there will be more > prompts or issues with a private CA (perhaps) > > Ryan Turner > Head of Networking, ITS > The University of North Carolina at Chapel Hill > +1 919 274 7926 Mobile > +1 919 445 0113 Office > > On May 26, 2020, at 8:21 PM, Hurt,Trenton W. > wrote: > > > I’m also doing unmanned eap peap (yes I know all the security reasons against > this) if I don’t use public signed ca will byod devices be able to connect > via eap peap with that private cert? > > Trent Hurt > > University of Louisville > > > From: The EDUCAUSE Wireless Issues Community Group Listserv > on behalf of Turner, Ryan H > > Sent: Tuesday, May 26, 2020 8:10 PM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change > > > CAUTION: This email originated from outside of our organization. Do not click > links, open attachments, or respond unless you recognize the sender's email > address and know the contents are safe. > > You are likely totally hosed. In fact, you should consider abandoning public > CAs entirely when you re-do this. Through-out the years, I’ve counseled a > lot of schools about TLS deployments, and I cautioned strongly against using > public CAs for this exact reason. You have no control, and your CA can > totally hose you, as you can see. > > > > There is no way around this if the CA will not cooperate. You should talk > to your active directory folks. They should spin up a new offline private CA > root, then intermediary, then issue your RADIUS servers from the > intermediary. The expiration should be many years. > > > > OR, you can utilize SecureW2 and their online CA to generate RADIUS server > certificates. In any event, get off the public CAs. > > > > Ryan > > > > From: The EDUCAUSE Wireless Issues Community Group Listserv > On Behalf Of Hurt,Trenton W. > Sent: Tuesday, May 26, 2020 5:36 PM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: [WIRELESS-LAN] securew2 root ca radius server cert change > > > > I have both eap peap and eap tls setup and working. My radius server cert is > going to expire soon. I have received new one from public ca. It works fine > for eap peap clients. But for my existing eap tls clients they all fail auth > when I switch to this new updated rad cert. I see that my public ca has > issued this new cert using different root ca then my old one ()the one that > is install/config on my securew2 app in the cloud. Securew2 has told me that > users will have to onboard again once I change the cert on clearpass and > update the cloud app since public ca changed root ca on cert chain. I asked > my public ca if they could reissue using the other root ca so my eap tls > clients will still work once I do the change. They have told me that > shouldn’t need reissue as the old root ca (one tls clients currently use) > because my new cert root ca is cross signed by the old root ca. They told me > that I
RE: [WIRELESS-LAN] securew2 root ca radius server cert change
Delicate balance here unfortunately. Most operating systems only natively support SCEP for certificate enrollment which does not support EC. Also, FYI, if you’re using any form of supplicant configuration tool, including JoinNow, you can use an organizationally issued EAP server certificate instead of a public CA. Keep in mind that starting in September, Apple devices will only allow a lifetime of 1 year, so continuing to use a public cert where the risk of a chain change will become even more painful. tim Tim Cappalli | @timcappalli<https://www.twitter.com/timcappalli> [Microsoft logo] From: Philippe Hanset<mailto:005cd62f91b7-dmarc-requ...@listserv.educause.edu> Sent: Wednesday, May 27, 2020 14:54 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change Somewhat related to this thread, if you are planning to switch to EAP-TLS, please consider using ECC (Elliptic Curve Cryptography, small certs) Certificates. They make EAP-TLS much more compatible when authentications cross many network devices ( related MTU size issues), especially if you do not control those devices. We have had many failed authentications on eduroam with EAP-TLS (using 2048 bits certs) due to MTU mismatch on network devices across the entire federation. Best, Philippe Philippe Hanset, CEO www.anyroam.net<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.anyroam.net%2F=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C09119d87af7447d49d5908d8026f4642%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637262024655152080=Ix7oJo8fQPJsAjrn9knja%2Byeh6sjudeXFOoO%2BltOSUQ%3D=0> Operator of eduroam-US +1 (865) 236-0770 On May 27, 2020, at 8:16 AM, Turner, Ryan H mailto:rhtur...@email.unc.edu>> wrote: My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. mailto:trent.h...@louisville.edu>> wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the public CAs. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Hurt,Trenton W. Sent: Tuesday, May 26, 2020 5:36 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change I have both eap peap and eap tls setup and working. My radius server cert is going to expire soon. I have received new one from public ca. It works fine for eap peap clients. But for my existing eap tls clients they all fail auth when I switch to this new updated rad cert. I see that my public ca has issued this new cert using different root ca then my old one ()the one that is install/config on my securew2 app in the cloud. Securew2 has told me that users will have to onboard again once I change the cert on clearpass and update the cloud app since public ca changed root ca on cert chain. I asked my public ca if they could reissue using the other root ca so my eap tls clients will still work once I do the change. They hav
Re: [WIRELESS-LAN] securew2 root ca radius server cert change
Somewhat related to this thread, if you are planning to switch to EAP-TLS, please consider using ECC (Elliptic Curve Cryptography, small certs) Certificates. They make EAP-TLS much more compatible when authentications cross many network devices ( related MTU size issues), especially if you do not control those devices. We have had many failed authentications on eduroam with EAP-TLS (using 2048 bits certs) due to MTU mismatch on network devices across the entire federation. Best, Philippe Philippe Hanset, CEO www.anyroam.net Operator of eduroam-US +1 (865) 236-0770 > On May 27, 2020, at 8:16 AM, Turner, Ryan H wrote: > > My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL > or anything else. Actually, that does bring a wrinkle into my previous > email. If PEAP and TLS both exist, I am going to guess there will be more > prompts or issues with a private CA (perhaps) > > Ryan Turner > Head of Networking, ITS > The University of North Carolina at Chapel Hill > +1 919 274 7926 Mobile > +1 919 445 0113 Office > >> On May 26, 2020, at 8:21 PM, Hurt,Trenton W. >> wrote: >> >> >> I’m also doing unmanned eap peap (yes I know all the security reasons >> against this) if I don’t use public signed ca will byod devices be able to >> connect via eap peap with that private cert? >> >> Trent Hurt >> >> University of Louisville >> >> From: The EDUCAUSE Wireless Issues Community Group Listserv >> on behalf of Turner, Ryan H >> >> Sent: Tuesday, May 26, 2020 8:10 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change >> >> CAUTION: This email originated from outside of our organization. Do not >> click links, open attachments, or respond unless you recognize the sender's >> email address and know the contents are safe. >> You are likely totally hosed. In fact, you should consider abandoning >> public CAs entirely when you re-do this. Through-out the years, I’ve >> counseled a lot of schools about TLS deployments, and I cautioned strongly >> against using public CAs for this exact reason. You have no control, and >> your CA can totally hose you, as you can see. >> >> There is no way around this if the CA will not cooperate. You should talk >> to your active directory folks. They should spin up a new offline private >> CA root, then intermediary, then issue your RADIUS servers from the >> intermediary. The expiration should be many years. >> >> OR, you can utilize SecureW2 and their online CA to generate RADIUS server >> certificates. In any event, get off the public CAs. >> >> Ryan >> >> From: The EDUCAUSE Wireless Issues Community Group Listserv >> On Behalf Of Hurt,Trenton W. >> Sent: Tuesday, May 26, 2020 5:36 PM >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU >> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change >> >> I have both eap peap and eap tls setup and working. My radius server cert >> is going to expire soon. I have received new one from public ca. It works >> fine for eap peap clients. But for my existing eap tls clients they all >> fail auth when I switch to this new updated rad cert. I see that my public >> ca has issued this new cert using different root ca then my old one ()the >> one that is install/config on my securew2 app in the cloud. Securew2 has >> told me that users will have to onboard again once I change the cert on >> clearpass and update the cloud app since public ca changed root ca on cert >> chain. I asked my public ca if they could reissue using the other root ca >> so my eap tls clients will still work once I do the change. They have told >> me that shouldn’t need reissue as the old root ca (one tls clients currently >> use) because my new cert root ca is cross signed by the old root ca. They >> told me that I should be able to use this new one but I still cant seem to >> get things working correctly. Anyone who is using securew2 had issues like >> this with root ca changing and clients forced to reonboard? Im not really >> pki person so if there is some way I could chain these or something. Just >> looking for way to update the rad cert on servers and not have to force all >> my onboard clients to have to go thru that process once I make the change. >> >> >> ** >> Replies to EDUCAUSE Community Group emails are sent to the entire community >> list. If you want to reply only to the person who sent the message, copy and >> paste th
Re: [WIRELESS-LAN] securew2 root ca radius server cert change
For eduroam we use EAP-TTLS. For onboarding we use SecureW2's JoinNow. We create radius certs through InCommon (Sectigo now?). The 20 year CA root cert AddTrust expires May 30. The USERTrust RSA CA will be used going forward. Assuming no user interaction, MacOS, iOS and Windows should start to use the USERTrust CA to build the cert chain to validate the server cert. JoinNow has been installing both the AddTrust CA and USERTrust RSA CA on devices during onboard for the last couple of years, so if the OS vendor didn't install these certs then JoinNow did. For us, Androids are expected to see the greatest potential impact on May 31. This is because Android didn't (doesn't?) support two CA root certs. And until fairly recently they only supported SHA-1. So the AddTrust CA was used with dual intermediates. The good news is that Androids that receive regular carrier updates should now support SHA-2. That should be most if not all devices. Our latest JoinNow profile now installs the USERTrust RSA CA cert on Androids. This will allow them to build the cert chain to the radius cert. The problem is if users don't re-run JoinNow to get the new root CA they will fail validity checking when connecting to eduroam. This assumes the device was onboarded previously or otherwise *correctly* configured to use validate server cert. Our experience is that most users who DIY their Android eduroam config tend to not enable validate server cert. It will be interesting to see what percentage reruns JoinNow and who just "figures it out". Mike Michael Dickson Network Engineer Information Technology University of Massachusetts Amherst 413-545-9639 michael.dick...@umass.edu PGP: 0x16777D39 On 5/27/20 8:42 AM, Tim Cappalli wrote: > > It will be a mixed bag across operating systems and even OS versions. > There will not be a consistent user experience if the CA is not > trusted by the OS. > > > > * Tim Cappalli *| @timcappalli <https://www.twitter.com/timcappalli> > Microsoft logo > > > > *From: *Turner, Ryan H <mailto:rhtur...@email.unc.edu> > *Sent: *Wednesday, May 27, 2020 08:40 > *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > *Subject: *Re: [WIRELESS-LAN] securew2 root ca radius server cert change > > > > Good question. I do not know. I assume there are plenty of people on > this list with a lot more PEAP experience than me that can say. > > > > *From:* The EDUCAUSE Wireless Issues Community Group Listserv > *On Behalf Of *Hurt,Trenton W. > *Sent:* Wednesday, May 27, 2020 8:20 AM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > *Subject:* Re: [WIRELESS-LAN] securew2 root ca radius server cert change > > > > I was always told to use public signed for peap byod clients. Will > clients like windows/idevices prompt to trust a private signed cert? > Is it just the connect/accept like the behavior with public signed? > > > > Trent Hurt > > > > University of Louisville > > > > *From:*The EDUCAUSE Wireless Issues Community Group Listserv > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan > H mailto:rhtur...@email.unc.edu>> > *Sent:* Wednesday, May 27, 2020 8:16:24 AM > *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> > *Subject:* Re: [WIRELESS-LAN] securew2 root ca radius server cert change > > > > *CAUTION:*This email originated from outside of our organization. Do > not click links, open attachments, or respond unless you recognize the > sender's email address and know the contents are safe. > > My guidance is for properly onboarded TLS devices. It doesn’t apply > to PEAL or anything else. Actually, that does bring a wrinkle into my > previous email. If PEAP and TLS both exist, I am going to guess there > will be more prompts or issues with a private CA (perhaps) > > Ryan Turner > > Head of Networking, ITS > > The University of North Carolina at Chapel Hill > > +1 919 274 7926 Mobile > > +1 919 445 0113 Office > > > > On May 26, 2020, at 8:21 PM, Hurt,Trenton W. > mailto:trent.h...@louisville.edu>> wrote: > > > > I’m also doing unmanned eap peap (yes I know all the security > reasons against this) if I don’t use public signed ca will byod > devices be able to connect via eap peap with that private cert? > > > > Trent Hurt > > > > University of Louisville > > > > *From:* The EDUCAUSE Wireless Issues Community Group Listserv > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, > Ryan H mailto:rhtur...@emai
RE: [WIRELESS-LAN] securew2 root ca radius server cert change
I was able to get things working. My new cert root ca was cross signed by the old existing root ca. I was able to chain these together and upload this as new rad server cert and both eap peap and my existing eap tls work with this chained cert. I will be exploring ways to get off this public cert and unmanaged peap. I don’t want to have to deal with this every 2 years. Thanks Trent From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Tim Cappalli Sent: Wednesday, May 27, 2020 8:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. It will be a mixed bag across operating systems and even OS versions. There will not be a consistent user experience if the CA is not trusted by the OS. Tim Cappalli | @timcappalli<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.twitter.com%2Ftimcappalli=02%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7Cf4615d5df1214c265c2908d80233%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637261807459277095=rSBCA7sklLI8R8uOPNOaUyKcvRVYJb0QIW4X%2BYjzpDQ%3D=0> [Microsoft logo] From: Turner, Ryan H<mailto:rhtur...@email.unc.edu> Sent: Wednesday, May 27, 2020 08:40 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change Good question. I do not know. I assume there are plenty of people on this list with a lot more PEAP experience than me that can say. From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Hurt,Trenton W. Sent: Wednesday, May 27, 2020 8:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change I was always told to use public signed for peap byod clients. Will clients like windows/idevices prompt to trust a private signed cert? Is it just the connect/accept like the behavior with public signed? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Wednesday, May 27, 2020 8:16:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. mailto:trent.h...@louisville.edu>> wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the publ
RE: [WIRELESS-LAN] securew2 root ca radius server cert change
It will be a mixed bag across operating systems and even OS versions. There will not be a consistent user experience if the CA is not trusted by the OS. Tim Cappalli | @timcappalli<https://www.twitter.com/timcappalli> [Microsoft logo] From: Turner, Ryan H<mailto:rhtur...@email.unc.edu> Sent: Wednesday, May 27, 2020 08:40 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change Good question. I do not know. I assume there are plenty of people on this list with a lot more PEAP experience than me that can say. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hurt,Trenton W. Sent: Wednesday, May 27, 2020 8:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change I was always told to use public signed for peap byod clients. Will clients like windows/idevices prompt to trust a private signed cert? Is it just the connect/accept like the behavior with public signed? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Wednesday, May 27, 2020 8:16:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. mailto:trent.h...@louisville.edu>> wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the public CAs. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Hurt,Trenton W. Sent: Tuesday, May 26, 2020 5:36 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change I have both eap peap and eap tls setup and working. My radius server cert is going to expire soon. I have received new one from public ca. It works fine for eap peap clients. But for my existing eap tls clients they all fail auth when I switch to this new updated rad cert. I see that my public ca has issued this new cert using different root ca then my old one ()the one that is install/config on my securew2 app in the cloud. Securew2 has told me that users will have to onboard again once I change the cert on clearpass and update the cloud app since public ca changed root ca on cert chain. I asked my public ca if they could reissue using the other root ca so my eap tls clients will still work once I do the change. They have told me that shouldn’t need reissue as the old root ca (one tls clients currently us
RE: [WIRELESS-LAN] securew2 root ca radius server cert change
Good question. I do not know. I assume there are plenty of people on this list with a lot more PEAP experience than me that can say. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hurt,Trenton W. Sent: Wednesday, May 27, 2020 8:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change I was always told to use public signed for peap byod clients. Will clients like windows/idevices prompt to trust a private signed cert? Is it just the connect/accept like the behavior with public signed? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Wednesday, May 27, 2020 8:16:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. mailto:trent.h...@louisville.edu>> wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Turner, Ryan H mailto:rhtur...@email.unc.edu>> Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the public CAs. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Hurt,Trenton W. Sent: Tuesday, May 26, 2020 5:36 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change I have both eap peap and eap tls setup and working. My radius server cert is going to expire soon. I have received new one from public ca. It works fine for eap peap clients. But for my existing eap tls clients they all fail auth when I switch to this new updated rad cert. I see that my public ca has issued this new cert using different root ca then my old one ()the one that is install/config on my securew2 app in the cloud. Securew2 has told me that users will have to onboard again once I change the cert on clearpass and update the cloud app since public ca changed root ca on cert chain. I asked my public ca if they could reissue using the other root ca so my eap tls clients will still work once I do the change. They have told me that shouldn’t need reissue as the old root ca (one tls clients currently use) because my new cert root ca is cross signed by the old root ca. They told me that I should be able to use this new one but I still cant seem to get things working correctly. Anyone who is using securew2 had issues like this with root ca changing and clients forced to reonboard? Im not really pki person so if there is some way I could chain these or something. Just looking for way to update the rad cert on servers and
Re: [WIRELESS-LAN] securew2 root ca radius server cert change
I was always told to use public signed for peap byod clients. Will clients like windows/idevices prompt to trust a private signed cert? Is it just the connect/accept like the behavior with public signed? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H Sent: Wednesday, May 27, 2020 8:16:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the public CAs. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hurt,Trenton W. Sent: Tuesday, May 26, 2020 5:36 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] securew2 root ca radius server cert change I have both eap peap and eap tls setup and working. My radius server cert is going to expire soon. I have received new one from public ca. It works fine for eap peap clients. But for my existing eap tls clients they all fail auth when I switch to this new updated rad cert. I see that my public ca has issued this new cert using different root ca then my old one ()the one that is install/config on my securew2 app in the cloud. Securew2 has told me that users will have to onboard again once I change the cert on clearpass and update the cloud app since public ca changed root ca on cert chain. I asked my public ca if they could reissue using the other root ca so my eap tls clients will still work once I do the change. They have told me that shouldn’t need reissue as the old root ca (one tls clients currently use) because my new cert root ca is cross signed by the old root ca. They told me that I should be able to use this new one but I still cant seem to get things working correctly. Anyone who is using securew2 had issues like this with root ca changing and clients forced to reonboard? Im not really pki person so if there is some way I could chain these or something. Just looking for way to update the rad cert on servers and not have to force all my onboard clients to have to go thru that process once I make the change. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C9afb41f73cdc43c76b6808d80237c7cc%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637261785885568060=UO%2BiKHVQJ3rT1ARTy1t4K5rKjKw9Mck%2B4GCvlWiJZhQ%3D=0> ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to repl
Re: [WIRELESS-LAN] securew2 root ca radius server cert change
My guidance is for properly onboarded TLS devices. It doesn’t apply to PEAL or anything else. Actually, that does bring a wrinkle into my previous email. If PEAP and TLS both exist, I am going to guess there will be more prompts or issues with a private CA (perhaps) Ryan Turner Head of Networking, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office On May 26, 2020, at 8:21 PM, Hurt,Trenton W. wrote: I’m also doing unmanned eap peap (yes I know all the security reasons against this) if I don’t use public signed ca will byod devices be able to connect via eap peap with that private cert? Trent Hurt University of Louisville From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H Sent: Tuesday, May 26, 2020 8:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change CAUTION: This email originated from outside of our organization. Do not click links, open attachments, or respond unless you recognize the sender's email address and know the contents are safe. You are likely totally hosed. In fact, you should consider abandoning public CAs entirely when you re-do this. Through-out the years, I’ve counseled a lot of schools about TLS deployments, and I cautioned strongly against using public CAs for this exact reason. You have no control, and your CA can totally hose you, as you can see. There is no way around this if the CA will not cooperate. You should talk to your active directory folks. They should spin up a new offline private CA root, then intermediary, then issue your RADIUS servers from the intermediary. The expiration should be many years. OR, you can utilize SecureW2 and their online CA to generate RADIUS server certificates. In any event, get off the public CAs. Ryan From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Hurt,Trenton W. Sent: Tuesday, May 26, 2020 5:36 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] securew2 root ca radius server cert change I have both eap peap and eap tls setup and working. My radius server cert is going to expire soon. I have received new one from public ca. It works fine for eap peap clients. But for my existing eap tls clients they all fail auth when I switch to this new updated rad cert. I see that my public ca has issued this new cert using different root ca then my old one ()the one that is install/config on my securew2 app in the cloud. Securew2 has told me that users will have to onboard again once I change the cert on clearpass and update the cloud app since public ca changed root ca on cert chain. I asked my public ca if they could reissue using the other root ca so my eap tls clients will still work once I do the change. They have told me that shouldn’t need reissue as the old root ca (one tls clients currently use) because my new cert root ca is cross signed by the old root ca. They told me that I should be able to use this new one but I still cant seem to get things working correctly. Anyone who is using securew2 had issues like this with root ca changing and clients forced to reonboard? Im not really pki person so if there is some way I could chain these or something. Just looking for way to update the rad cert on servers and not have to force all my onboard clients to have to go thru that process once I make the change. ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C0ba506eb295d4d38a29608d801d24efc%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637261350068304127=1XDQ8k1JY6Ltpvn2dUM0utxTHniGgqCDJQE959Fe%2BoE%3D=0> ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=02%7C01%7CTrent.hurt%40LOUISVILLE.EDU%7C0ba506eb295d4d38a29608d801d24efc%7Cdd246e4a54344e158ae391ad9797b209%7C0%7C0%7C637261350068314124=SAMZl%2FrGh3O6eNbPriBnyBn7O%2BQz6nq5HpEQBQU7wuY%3D=0> ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional p