Re: securew2 root ca radius server cert change

2020-05-26 Thread Hurt,Trenton W.
I'm also doing unmanaged EAP-PEAP (yes, I know all the security reasons against
this). If I don't use a publicly signed CA, will BYOD devices be able to connect
via EAP-PEAP with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change




**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: securew2 root ca radius server cert change

2020-05-26 Thread Turner, Ryan H
You are likely totally hosed.  In fact, you should consider abandoning public
CAs entirely when you redo this.  Throughout the years, I've counseled a lot of
schools about TLS deployments, and I cautioned strongly against using public
CAs for this exact reason.  You have no control, and your CA can totally hose
you, as you can see.

There is no way around this if the CA will not cooperate.  You should talk to
your Active Directory folks.  They should spin up a new offline private CA
root, then an intermediary, then issue your RADIUS server certificates from the
intermediary.  The expiration should be many years.

OR, you can utilize SecureW2 and their online CA to generate RADIUS server
certificates.  In any event, get off the public CAs.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change






Re: [External] [WIRELESS-LAN] securew2 and all the devices that don't support it.

2020-05-26 Thread Norton, Thomas (Network Operations)
Hi there,

We utilize SecureW2 for onboarding inline with ClearPass as our NAC, and will
soon integrate SecureW2 as our primary CA for EAP-TLS across campus.
For all other devices that don't support 802.1X, we utilize MAC auth and a
custom portal we built in house using the ClearPass Guest API for device
registration that integrates with the CPPM guest database. We're actually
building upon it to add operator logins for departmental device management.
Feel free to reach out direct; we're very happy with both products.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Klingaman, Ryan 

Sent: Tuesday, May 26, 2020 6:15:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [External] [WIRELESS-LAN] securew2 and all the devices that don't 
support it.






Re: [WIRELESS-LAN] securew2 and all the devices that don't support it.

2020-05-26 Thread Curtis K. Larsen
We use Cloudpath and ISE.  For the non-WPA2-Enterprise devices, or even some
that are unusually painful to set up, we send them to Cloudpath to register the
MAC address; then Cloudpath sends an API call with the MAC, user account, and a
dynamically generated PSK to an interim Linux box, which sends it to ISE.  The
interim Linux box is only there because Cloudpath originally did not accept API
calls back from ISE (maybe it does now?) confirming the device had been
registered, and because we found no direct way to generate iPSKs in ISE.

We then have the Cisco WLC configured for iPSK against ISE for the
non-WPA2-Enterprise WLAN.  There is also an iPSK Manager out there that I intend
to play with at some point:
https://community.cisco.com/t5/security-documents/ipsk-identity-pre-shared-key-manager-portal-server-for-ise/ta-p/3904265

Good luck.


Thanks,

Curtis



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Klingaman, Ryan 

Sent: Tuesday, May 26, 2020 4:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] securew2 and all the devices that don't support it.




securew2 and all the devices that don't support it.

2020-05-26 Thread Klingaman, Ryan
I have been a long-time user of Ruckus and Cloudpath and have been looking
into Aruba and ClearPass lately. I see from this list that there are a few
colleges that use SecureW2 in place of something like ClearPass or
Cloudpath.

My question is for those that use it: what is your solution for the gaming
consoles, media players, virtual assistants, etc.?

Do you only support hardwired on those devices (if they support that
option)?

Do you have a custom solution tied into the API of the wireless vendor?

Do you use two solutions, such as ClearPass and SecureW2?

Thanks,

Ryan



securew2 root ca radius server cert change

2020-05-26 Thread Hurt,Trenton W.
I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is
going to expire soon.  I have received a new one from a public CA.  It works
fine for EAP-PEAP clients.  But for my existing EAP-TLS clients, they all fail
auth when I switch to this new updated RADIUS cert.  I see that my public CA
has issued this new cert using a different root CA than my old one (the one
that is installed/configured on my SecureW2 app in the cloud).  SecureW2 has
told me that users will have to onboard again once I change the cert on
ClearPass and update the cloud app, since the public CA changed the root CA on
the cert chain.  I asked my public CA if they could reissue using the other
root CA so my EAP-TLS clients will still work once I do the change.  They have
told me that I shouldn't need a reissue with the old root CA (the one TLS
clients currently use) because my new cert's root CA is cross-signed by the old
root CA.  They told me that I should be able to use this new one, but I still
can't seem to get things working correctly.  Anyone who is using SecureW2 had
issues like this with the root CA changing and clients forced to re-onboard?
I'm not really a PKI person, so if there is some way I could chain these or
something.  Just looking for a way to update the RADIUS cert on the servers and
not have to force all my onboarded clients to go through that process once I
make the change.
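The cross-signing question in this post can be checked with throwaway certificates before touching ClearPass. The script below is an added example, not code from the thread or from SecureW2: it builds an old root, a new root, a cross-certificate (new root's key signed by the old root) and a server cert under the new root, then asks what a supplicant that trusts only the old root accepts. It assumes openssl 1.1.1 or newer; the CA names and the hostname radius.example.edu are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the old-root / cross-signed
# new-root situation with throwaway keys and check what an EAP-TLS client that
# trusts ONLY the old root accepts. All names here are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA named $1 (throwaway key, no passphrase); keeps the CSR.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  make_root old-root   # trust anchor pushed to clients when they onboarded
  make_root new-root   # root the public CA now chains the RADIUS cert to
  # Cross-certificate: new-root's own CSR (same subject, same key) signed by old-root.
  openssl x509 -req -in "$WORK/new-root.csr" -CA "$WORK/old-root.crt" \
    -CAkey "$WORK/old-root.key" -CAcreateserial -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/new-root-cross.crt" 2>/dev/null
  # RADIUS server certificate issued under the new root (hypothetical name).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.edu" \
    -keyout "$WORK/radius.key" -out "$WORK/radius.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/radius.csr" -CA "$WORK/new-root.crt" \
    -CAkey "$WORK/new-root.key" -CAcreateserial -days 825 \
    -out "$WORK/radius.crt" 2>/dev/null
}

# $1 = trust anchor configured on the supplicant, $2 = extra certificate the
# RADIUS server includes in its EAP-TLS chain, $3 = the server's leaf cert.
# Exit status is openssl verify's: 0 means the supplicant would accept it.
supplicant_accepts() {
  openssl verify -no-CApath -CAfile "$WORK/$1" -untrusted "$WORK/$2" \
    "$WORK/$3" >/dev/null 2>&1
}

build_pki
# Server sends the cross-certificate: the old trust anchor still validates it.
supplicant_accepts old-root.crt new-root-cross.crt radius.crt \
  && echo "chain with cross-cert: accepted by old-root clients"
# Server sends only the self-signed new root: old-root clients fail; this is
# the case where every client has to be re-onboarded with the new anchor.
supplicant_accepts old-root.crt new-root.crt radius.crt \
  || echo "chain with self-signed new root: rejected by old-root clients"
```

The practical check on a real deployment is the same second argument: whether the RADIUS server actually sends the cross-signed copy of the new root in its chain, since the cross-certificate only helps clients that receive it.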


