RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Cappalli, Tim (Aruba)
You’re right. I should have clarified and said a SAN/multi-domain certificate.



Nearly all certs now come with the CN as a SAN.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Monday, February 6, 2017 14:19
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP



Are you sure you have no SAN? In my experience, it is almost impossible to get 
a cert issued by one of the big issuers that has zero SANs. If you request a 
single domain cert, you get a cert with one SAN, which is the same as the 
domain you requested. (There is also, of course, a CN containing that domain.) 
To see an example of this, you can look at https://sso.uah.edu/ - we have a 
single-domain cert here, and then one SAN that is the same as the CN: 
http://i.imgur.com/2d2CqUu.png



During our testing we discovered that some Windows platforms required this SAN 
to be there, but we had somehow gotten a cert issued without that SAN present, 
and this was not acceptable. (I wish I remembered which Windows version.)



I think this is only likely to trip people up if they ask for a cert with CN 
"domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one 
with that implicit "domain0" SAN, and that's what Windows balked at. But of 
course that doesn't affect people who are requesting single-domain certs.



On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) wrote:

   We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.

   I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.





   Bruce Osborne
   Senior Network Engineer
   Network Operations - Wireless
   (434) 592-4229
   LIBERTY UNIVERSITY
   Training Champions for Christ since 1971



   From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
   Sent: Friday, February 3, 2017 4:46 PM
   Subject: Re: wild card certs and PEAP



   For an EAP server certificate, you do not need SANs for every server. You 
can do something generic like “network-login.domain.edu” and put that cert 
on every box.



   The SANs will never be referenced and will just add significant cost.



   From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
   Sent: Friday, February 3, 2017 16:38
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] wild card certs and PEAP



   Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.



   On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:

  Our identity management group runs our Microsoft NPS servers and I recall 
them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu… and so on all present common name as NPS1.nd.edu. This keeps 
your client from having to trust each NPS server.

  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
  Sent: Friday, February 03, 2017 3:32 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] wild card certs and PEAP



  I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.



  The easier question is – will a wildcard cert work here?

  The tougher question is – if yes, um .. any good references to configure 
it with S2012R2?



  -Brian





  ** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


   --
   Hunter Fuller
   Network Engineer

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Hunter Fuller
Are you sure you have no SAN? In my experience, it is almost impossible to
get a cert issued by one of the big issuers that has zero SANs. If you
request a single domain cert, you get a cert with one SAN, which is the
same as the domain you requested. (There is also, of course, a CN
containing that domain.) To see an example of this, you can look at
https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN
that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this
SAN to be there, but we had somehow gotten a cert issued without that SAN
present, and this was not acceptable. (I wish I remembered which Windows
version.)

I think this is only likely to trip people up if they ask for a cert with
CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not
provide one with that implicit "domain0" SAN, and that's what Windows
balked at. But of course that doesn't affect people who are requesting
single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote:

> We use SANs on our RADIUS certificate so we can use the same certificate
> for https on those servers.
>
> I agree with Tim, though. SANs are not needed and we have run our RADIUS
> certificate for several years on multiple servers without any SANs.
>
> *Bruce Osborne*
> *Senior Network Engineer*
> *Network Operations - Wireless*
> *(434) 592-4229*
> *LIBERTY UNIVERSITY*
> *Training Champions for Christ since 1971*
>
> *From:* Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
> *Sent:* Friday, February 3, 2017 4:46 PM
> *Subject:* Re: wild card certs and PEAP
>
>
>
> For an EAP server certificate, you do not need SANs for every server. You
> can do something generic like “network-login.domain.edu” and put that
> cert on every box.
>
>
>
> The SANs will never be referenced and will just add significant cost.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, February 3, 2017 16:38
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
>
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:
>
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
>
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
>
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
>
>
> -Brian
>
>
>
>
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331 <(256)%20824-5331>
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Jake Snyder
To reiterate, SANs are not needed on some platforms.  Please consult your 
documentation.

Sent from my iPhone

> On Feb 6, 2017, at 6:00 AM, Osborne, Bruce W (Network Operations) wrote:
> 
> We use SANs on our RADIUS certificate so we can use the same certificate for 
> https on those servers.
> I agree with Tim, though. SANs are not needed and we have run our RADIUS 
> certificate for several years on multiple servers without any SANs.
> 
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
> (434) 592-4229
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
> 
> From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com] 
> Sent: Friday, February 3, 2017 4:46 PM
> Subject: Re: wild card certs and PEAP
>  
> For an EAP server certificate, you do not need SANs for every server. You can 
> do something generic like “network-login.domain.edu” and put that cert on 
> every box.
>  
> The SANs will never be referenced and will just add significant cost.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>  
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert. 
>  
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins  wrote:
> Our identity management group runs our Microsoft NPS servers and I recall 
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
> your client from having to trust each NPS server.
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure



RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Brian Helman
Thanks everyone.  I was trying to avoid purchasing a cert for our test server, 
but it looks like I’ll have to do that.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Friday, February 03, 2017 4:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

There is a good blog by Aaron Woland on this. If memory serves, wildcard in CN 
isn't feasible, but Windows clients will tolerate a wildcard in the SAN field.

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Likely it's still only practical when doing it via an internal CA. I don't 
think many public CAs will let you do SAN wildcards.

Sent from my iPhone

On Feb 3, 2017, at 1:51 PM, Frans Panken wrote:
Hi Brian,
Wild card certificates should indeed be avoided as Windows clients cannot cope 
with them. This will occur on every RADIUS server and has nothing to do with 
NPS (or with eduroam).
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Brian Helman
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Friday, 3 February 2017 at 21:32
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


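One way to turn the thread's observations (Hunter's point about a CN that is not repeated as a SAN, Jake's about wildcards in the CN versus the SAN field) into a pre-deployment check. This is an added example, not code from the list or from any poster: it inspects a certificate in the subject/subjectAltName shape Python's `ssl` `getpeercert()` returns and flags the pitfalls described above; the example.edu names and the four sample certificates are constructed.

```python
"""Name checks for an EAP/PEAP server certificate, derived from this thread.

Works on the subject/subjectAltName structure that Python's ssl getpeercert()
returns, so a cert pulled from a live TLS listener can be passed straight in.
The sample certificates below are constructed; example.edu is a placeholder.
"""
from typing import List


def common_name(cert: dict) -> str:
    """Subject CN, walking the tuple-of-RDNs layout that getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def dns_sans(cert: dict) -> List[str]:
    """dNSName entries of subjectAltName; other SAN types are ignored."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_eap_server_cert(cert: dict) -> List[str]:
    """Return findings for the pitfalls reported in the thread; [] means clean."""
    findings: List[str] = []
    cn, sans = common_name(cert), dns_sans(cert)
    if not cn:
        findings.append("subject has no commonName")
    # Brian's test cert: Win7/Win10 refused a wildcard in the CN (Frans, Jake).
    if cn.startswith("*."):
        findings.append(f"wildcard CN {cn!r}: Windows supplicants reject it")
    # Jake: Windows tolerates a wildcard only in the SAN field, and few public
    # CAs will issue one, so this usually implies an internal CA.
    for san in sans:
        if san.startswith("*."):
            findings.append(f"wildcard SAN {san!r}: tolerated by Windows, internal CA likely")
    # Hunter: a multi-domain cert whose CN was not also listed as a SAN tripped
    # some Windows versions. Having no SANs at all is fine for EAP (Tim, Bruce).
    if sans and cn and cn.lower() not in {s.lower() for s in sans}:
        findings.append(f"CN {cn!r} is not repeated in the SAN list {sans}")
    return findings


def subject(cn: str) -> tuple:
    return ((("commonName", cn),),)


def alt_names(*names: str) -> tuple:
    return tuple(("DNS", n) for n in names)


# Constructed samples mirroring the certificates discussed in the thread.
WILDCARD_CERT = {"subject": subject("*.example.edu"), "subjectAltName": alt_names("*.example.edu")}
GENERIC_CERT = {"subject": subject("network-login.example.edu")}  # one name, no SANs
MULTIDOMAIN_CERT = {"subject": subject("nps1.example.edu"),
                    "subjectAltName": alt_names("nps1.example.edu", "nps2.example.edu", "nps3.example.edu")}
CN_NOT_IN_SAN_CERT = {"subject": subject("nps1.example.edu"),
                      "subjectAltName": alt_names("nps2.example.edu", "nps3.example.edu")}

if __name__ == "__main__":
    for label, cert in [("wildcard", WILDCARD_CERT), ("generic", GENERIC_CERT),
                        ("multi-domain", MULTIDOMAIN_CERT), ("cn-not-in-san", CN_NOT_IN_SAN_CERT)]:
        print(f"{label}: {check_eap_server_cert(cert) or 'OK'}")
```

A certificate already serving HTTPS can be checked in place by passing the dict from `ssl.SSLSocket.getpeercert()`, as the subject and SAN layout is the same.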



RE: wild card certs and PEAP

2017-02-06 Thread Osborne, Bruce W (Network Operations)
We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.
I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:

Our identity management group runs our Microsoft NPS servers and I recall them 
calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu… and so on all present common name as NPS1.nd.edu. This keeps your 
client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure