RE: Ekahau Update

2021-08-09 Thread Jason Cook
Excellent work. Thanks Everyone -- Jason Cook Information Technology and Digital Services The University of Adelaide, AUSTRALIA 5005

RE: Ekahau Update

2021-08-09 Thread Rios, Hector J
Ian, Thank you for putting this together. Let's hope Ekahau is truly receptive and they are able to come up with alternatives that benefit all of us. Hector Rios UT Austin From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Ian Lyons Sent: Monday, August 9, 2021 12:50 PM

Ekahau Update

2021-08-09 Thread Ian Lyons
Good Day Everyone! Eric and I were happy to host a meeting with many of you about Ekahau last Friday. We had a peak of 28 folks and an average of 18! Thank you for coming! The meeting started with introductions and that lasted about the first 20 min or so. Steve (VP Global Sales) and Stewart

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
CAs have done nothing in fifteen-plus years, so from a risk management perspective, the chance of them changing course now is rather low. As to future RFCs, even if that happened tomorrow, it could be a decade or more before there was broad support, and more importantly, we could think about

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
CA policies really have nothing to do with implementations of other protocols. There have been many discussions about this on this list and others, and a future RFC will likely include further clarity. However, as I've said in the past, RFCs do not dictate CA/B policies. If we're going to

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
Per the RFC, the certificate-using application _MAY_ require the EAP extended key usage extension to be present. It is not a must or shall, so I’m not exactly sure what the problem is here. Vendors have chosen against requirement. The certificate-using application appears to be satisfied by the server

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Well, here is Microsoft's take on it... https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
I started working on something but decided it is not something I really have the cycles to maintain over time. (And I've found over the years that most people don't follow best practices anyway.) tim From: The EDUCAUSE Wireless Issues Community Group Listserv

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Tim - Didn't you write up an explanation for all these issues? You were going to be able to point to that page since these issues resurface so often. Doug From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
This is largely a workaround/hack due to the continued deployment of EAP server certificates issued from public CAs in the wild. Issuing certificates from your own PKI with the web server auth EKU is perfectly acceptable and should also include the EAP EKU. Unfortunately there can't really be

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
No current operating systems enforce EAP EKU at the moment. If it were suddenly enforced, the majority of EAP networks would break. Whether right or wrong (it's wrong), that is just how the majority of networks are currently deployed. From: The EDUCAUSE Wireless Issues Community Group Listserv

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Price, Jamie G
Anyone have a book or reading recommendations on this topic? From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Elton, Norman N Sent: Monday, August 9, 2021 6:36 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
I’m curious about this and would like to know more. Many operating systems require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a requirement for EAP. Last I looked, public CAs include this when minting a so-called web server cert. Jeff From: The EDUCAUSE Wireless

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
That’s the stuff. Lee Badman | Network Architect (CWNE#200) Information Technology Services (NDD Group) 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 e lhbad...@syr.edu w its.syr.edu Campus Wireless Policy:

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
I didn’t say how long. 399 days is long in today’s terms. From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Lee H Badman Sent: Monday, August 9, 2021 8:53 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
“The validity period is very long.” Now you did it, Thomas. You realize you’re about to get scolded…. ☺ Lee Badman | Network Architect (CWNE#200) Information Technology Services (NDD Group) 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 e

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
We use an internal CA-signed server certificate without issue for EAP-TLS. We are currently using ClearPass Onboard & moving to SecureW2. We previously used InCommon for the server CA and are much happier with using a private CA for the server certificate. The validity period is very long. I would

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Julian Y Koh
On Aug 9, 2021, at 07:56, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote: Let's not go down this rabbit hole again. I thought there was a picture of a rabbit and a hole in the dictionary next to “mailing

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
Back to the original question. If you are talking about the EAP certificates, I would caution against using an EAP certificate with two separate roots. You are asking for trouble. At the very best, your clients will get certificate errors and warnings. At worst, you will have clients that will

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
Let's not go down this rabbit hole again. I was directly answering the question. If you choose to use certificates that violate CA policies and risk revocation, and ask users to configure their own supplicants, putting their credentials at high risk, that is your decision. Tim

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread James Andrewartha
Which is great and I agree with, but Android went and made it really hard to onboard a private CA, and so now people are going back to public certs for EAP to lower their support burden. Sent from my Galaxy Original message From: Tim Cappalli

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
A public CA issues certificates for web server authentication (amongst others like code signing and S/MIME). An EAP server is not a web server and has a designated usage assigned (which public CAs will not issue). EAP also does not follow traditional PKIX validation models due to the way the

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
>> Technically, you're not even supposed to use the certificates issued from a >> public CA for EAP as it's a violation of multiple policies. I’m curious what those are. I thought it was fairly standard practice to use publicly-signed certificates on the server side, with privately-signed

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
EAP server certs from a PKI you (or a partner like SecureW2) control are the best practice. Technically, you're not even supposed to use the certificates issued from a public CA for EAP as it's a violation of multiple policies. Tim From: The EDUCAUSE Wireless

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
To piggyback on Jonathan’s question … he mentions moving the server-side certificates to a private CA. Is this common? We’re using SecureW2 to configure an EAP-TLS deployment, so it should be trivial to configure the client to trust our private CA. We currently configure clients to trust

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
You should never use different EAP server certificates across a RADIUS cluster. Use the same cert across all nodes (in this case take the other cert with the longest expiry and upload it to all the nodes in the CPPM cluster) From: The EDUCAUSE Wireless Issues

eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jonathan Miller
We are currently using publicly signed certificates for our eduroam access on a cluster of 2 ClearPass servers. We are in a situation where one of our certs will be expiring in October of this year, while the other is good until June of next year. The certificates are issued through InCommon, and