We currently use Option 3, but the clients only trust the certificate CHAIN,
not the server certificate itself. This lets us replace the server certificate
providing the chain remains the same. This worked fine for us for several years
with a 1 year server certificate. Unfortunately, we have
Dear All
Good morning. All of our iOS users started having authentication problems after
upgrading to iOS 11. The devices keep asking for the user name and password.
The only way we can fix it for now is to “forget” the old profile and manually
create a new one, after trusting the certificate,
Has anyone implemented this workaround and heard any negative feedback
regarding wireless quality? It seems changing the retries down to 0 would
result in more dropped sessions and the appearance of a flakier network, and
possibly trigger more client exclusions?
Chris Toth
Senior Network
We use SecureW2 JoinNow and they actually recommend option 2. Still the
security vs. simplicity for users.
We are using option 3 and the last change in certificate we had overall
went pretty well. We did try hard to get some media out there to notify
users as well as worked with the help desk
We are seeing the same issue here on our Cisco deployment. I've been telling
users to reboot or forget it and reconnect unfortunately. After this they've
been good, but I see your point with several certs.
Jason
From: The EDUCAUSE Wireless Issues
Just curious. Why aren't you using the same EAP server certificate across all
of your RADIUS servers?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Linchuan Yang
Reply-To: The EDUCAUSE Wireless
Hi Craig,
I'm not sure if anyone from Cloudpath already advised you, but I did forward
your question to Kevin Koster, Cloudpath Founder and Chief Architect, for his
opinion of the pros/cons of these options. I thought I would share them, in
case this forum found it useful.
Best,
Rich
The maximum for a public certificate is changing on 1 March 2018 to 27
months, with suggestions that it might drop down to 13 months later on:
https://www.digicert.com/shortening-validity-periods-for-ov-dv-certificates/