RE: wild card certs and PEAP

2017-02-07 Thread Osborne, Bruce W (Network Operations)
Now that you mention it, even for a single server, our provider is now 
requiring a SAN.
That is a provider requirement and not technically needed for RADIUS or any 
single server certificate.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hunter Fuller [mailto:hf0...@uah.edu]
Sent: Monday, February 6, 2017 2:19 PM
Subject: Re: wild card certs and PEAP

Are you sure you have no SAN? In my experience, it is almost impossible to get 
a cert issued by one of the big issuers that has zero SANs. If you request a 
single domain cert, you get a cert with one SAN, which is the same as the 
domain you requested. (There is also, of course, a CN containing that domain.) 
To see an example of this, you can look at https://sso.uah.edu/ - we have a 
single-domain cert here, and then one SAN that is the same as the CN: 
http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN 
to be there, but we had somehow gotten a cert issued without that SAN present, 
and this was not acceptable. (I wish I remembered which Windows version.)

I think this is only likely to trip people up if they ask for a cert with CN 
"domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one 
with that implicit "domain0" SAN, and that's what Windows balked at. But of 
course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) 
<bosbo...@liberty.edu> wrote:
We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.
I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
Our identity management group runs our Microsoft NPS servers and I recall them 
calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.  This keeps 
your client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
--
Hunter Full
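The naming rules the posters above report (Hunter Fuller: Windows balked when the CN was not also a SAN; Brian Helman and Rick DeCaro: wildcard certs failed on Win7/Win10 and 2012 NPS) can be turned into a pre-issuance lint. This is an added example written for this page, not code from any poster; `expected_name` (the server name a supplicant is configured to trust) and every host name in it are constructed assumptions.

```python
"""Lint the subject names on a PEAP/EAP server certificate against what this
thread reports: Windows supplicants rejected a cert whose CN was not repeated
as a SAN, and rejected a wildcard cert outright (Android accepted it), while one
cert with a fixed CN and exact SAN entries shared by every RADIUS server worked.
Hypothetical helper written for this page, not code from any poster; all host
names are constructed examples."""


def _wildcard_match(pattern, host):
    """RFC 6125-style match: '*' may only be the whole left-most label and
    covers exactly one label, so '*.example.edu' matches 'nps1.example.edu'
    but not 'example.edu' or 'a.b.example.edu'."""
    if not pattern.startswith("*."):
        return pattern.lower() == host.lower()
    labels = host.lower().split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:].lower()


def lint_eap_cert(cn, sans, expected_name):
    """Return (findings, how_matched) for a cert with subject CN `cn` and
    dNSName SANs `sans`; `expected_name` is the server name the supplicant is
    configured to trust (an assumption of this example, not from the thread)."""
    findings = []
    if cn not in sans:
        # Hunter Fuller's case: CN "domain0" with SANs "domain1..3" and no
        # "domain0" SAN was rejected by some Windows version.
        findings.append("cn_not_in_san")
    for name in dict.fromkeys([cn, *sans]):   # de-duplicated, order kept
        if "*" in name:
            # Brian Helman and Rick DeCaro: Win7/Win10 clients and 2012 NPS
            # would not work with a wildcard cert, even though Android did.
            findings.append("wildcard:" + name)
    if expected_name in sans:
        how = "exact_san"
    elif any(s.startswith("*.") and _wildcard_match(s, expected_name) for s in sans):
        how = "wildcard_san"   # valid by RFC 6125 rules, but see the wildcard finding
    elif _wildcard_match(cn, expected_name):
        how = "cn_only"        # CN matches but is not repeated as a SAN
    else:
        how = "none"
        findings.append("expected_name_not_in_cert")
    return findings, how


if __name__ == "__main__":
    # Constructed inputs mirroring the situations described in the thread.
    print(lint_eap_cert("domain0", ["domain1", "domain2", "domain3"], "domain0"))
    print(lint_eap_cert("*.example.edu", ["*.example.edu"], "nps1.example.edu"))
```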

RE: wild card certs and PEAP

2017-02-06 Thread Osborne, Bruce W (Network Operations)
We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.
I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
Our identity management group runs our Microsoft NPS servers and I recall them 
calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.  This keeps 
your client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



RE: wild card certs and PEAP

2017-02-03 Thread Rick DeCaro
We could never get a wildcard cert to work with our 2012 NPS.   Some devices 
didn't even like the Go Daddy cert we tried to use.   Ended up having to use a 
Thawte cert with the FQDN of the NPS server as the common name.

Rick DeCaro
(636)230-1911
rick.dec...@logan.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 2:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wild card certs and PEAP

I'm setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don't think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn't appear to have an issue with 
it, but Win7 and Win10 don't care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is - will a wildcard cert work here?
The tougher question is - if yes, um .. any good references to configure it 
with S2012R2?

-Brian

