Re: [External] Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Hunter Fuller
TL;DR: Everything Ryan said applies to PEAP too.

We have extensive experience on the PEAP front. We used to run an
InCommon certificate, and devices prompted to verify. (Windows, Macs,
and iPhones use a different store to verify 802.1X certs, so no cert
chain is trusted out of the box - there is no cert you could provide
to make them happy.) So we migrated to a long-validity private CA that
our CISO manipulates using openssl(1), and we distribute the CA using
eduroam CAT. All is well in the world.

--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


RE: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Tim Cappalli
Delicate balance here unfortunately. Most operating systems only natively 
support SCEP for certificate enrollment which does not support EC.

Also, FYI, if you’re using any form of supplicant configuration tool, including 
JoinNow, you can use an organizationally issued EAP server certificate instead 
of a public CA.

Keep in mind that starting in September, Apple devices will only allow a 
lifetime of 1 year, so continuing to use a public cert, where there is the risk 
of a chain change, will become even more painful.

tim


Tim Cappalli | @timcappalli


Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Philippe Hanset
Somewhat related to this thread, if you are planning to switch to EAP-TLS, 
please consider using ECC (Elliptic Curve Cryptography, small certs) 
certificates.
They make EAP-TLS much more compatible when authentications cross many network 
devices (related MTU size issues), especially if you do not control those 
devices.
We have had many failed authentications on eduroam with EAP-TLS (using 2048-bit 
certs) due to MTU mismatch on network devices across the entire federation.

Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770

> On May 27, 2020, at 8:16 AM, Turner, Ryan H  wrote:
> 
> My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
> or anything else.  Actually, that does bring a wrinkle into my previous 
> email.  If PEAP and TLS both exist, I am going to guess there will be more 
> prompts or issues with a private CA (perhaps) 
> 
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
> 
>> On May 26, 2020, at 8:21 PM, Hurt,Trenton W.  
>> wrote:
>> 
>> 
>> I’m also doing unmanned eap peap (yes I know all the security reasons 
>> against this)  if I don’t use public signed ca will byod devices be able to 
>> connect via eap peap with that private cert? 
>> 
>> Trent Hurt
>> 
>> University of Louisville
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  on behalf of Turner, Ryan H 
>> 
>> Sent: Tuesday, May 26, 2020 8:10 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> You are likely totally hosed.  In fact, you should consider abandoning 
>> public CAs entirely when you re-do this.   Throughout the years, I’ve 
>> counseled a lot of schools about TLS deployments, and I cautioned strongly 
>> against using public CAs for this exact reason.  You have no control, and 
>> your CA can totally hose you, as you can see.
>>  
>> There is no way around this if the CA will not cooperate.   You should talk 
>> to your active directory folks.  They should spin up a new offline private 
>> CA root, then intermediary, then issue your RADIUS servers from the 
>> intermediary.  The expiration should be many years.
>>  
>> OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
>> certificates.  In any event, get off the public CAs.
>>  
>> Ryan
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>>  On Behalf Of Hurt,Trenton W.
>> Sent: Tuesday, May 26, 2020 5:36 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> I have both eap peap and eap tls setup and working.  My radius server cert 
>> is going to expire soon.  I have received a new one from public ca.  It works 
>> fine for eap peap clients.  But for my existing eap tls clients they all 
>> fail auth when I switch to this new updated rad cert.  I see that my public 
>> ca has issued this new cert using a different root ca than my old one (the 
>> one that is install/config on my securew2 app in the cloud).  Securew2 has 
>> told me that users will have to onboard again once I change the cert on 
>> clearpass and update the cloud app since public ca changed root ca on cert 
>> chain.  I asked my public ca if they could reissue using the other root ca 
>> so my eap tls clients will still work once I do the change.  They have told 
>> me that I shouldn’t need a reissue as the old root ca (the one tls clients 
>> currently use) because my new cert root ca is cross signed by the old root 
>> ca.  They told me that I should be able to use this new one but I still 
>> can't seem to get things working correctly.  Anyone who is using securew2 
>> had issues like this with root ca changing and clients forced to reonboard?  
>> I'm not really a pki person so if there is some way I could chain these or 
>> something.  Just looking for a way to update the rad cert on servers and not 
>> have to force all my onboarded clients to go through that process once I 
>> make the change.
>>  
>>  
>> **
>> Replies to EDUCAUSE Community Group emails are sent to the entire community 
>> list. If you want to reply only to the person who sent the message, copy and 
>> paste their email address and forward the email reply. Additional 
>> participation and subscription information can be found at 
>> https://www.educause.edu/community 
>> 
>> **
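Philippe's point about certificate size can be measured directly. The script below is an added example, not something from the list or from eduroam-US: it generates one self-signed RSA-2048 and one P-256 certificate with openssl(1), compares their DER sizes, and estimates how many EAP fragments a two-certificate server chain (server plus intermediate) would need. The 1000-byte fragment size, the subject names and the two-certificate chain are constructed assumptions; the real fragment size depends on the Framed-MTU your RADIUS server ends up using across the federation path.

```shell
#!/bin/sh
# Added example (not from the list): measure how much smaller a P-256
# certificate is than an RSA-2048 one, and how many EAP fragments a
# two-certificate server chain would need. The 1000-byte fragment size
# and the subject names are assumed values for the example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# cert_der_bytes NAME NEWKEY_ARGS...: self-signed cert for that key type,
# printed as its size in DER bytes (what actually crosses the wire in EAP-TLS)
cert_der_bytes() {
  name=$1; shift
  openssl req -x509 -newkey "$@" -nodes -sha256 -days 365 -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.pem" 2>/dev/null
  openssl x509 -in "$name.pem" -outform DER | wc -c | tr -d ' '
}

rsa2048_bytes() { cert_der_bytes rsa2048 rsa:2048; }
p256_bytes()    { cert_der_bytes p256 ec -pkeyopt ec_paramgen_curve:prime256v1; }

# fragments TOTAL_BYTES FRAGMENT_BYTES: EAP fragments needed (ceiling division)
fragments() { echo $(( ($1 + $2 - 1) / $2 )); }

# chain_fragments CERT_BYTES: a server + intermediate chain of two such
# certificates, carried in 1000-byte EAP fragments (assumed fragment size)
chain_fragments() { fragments $(( 2 * $1 )) 1000; }

rsa_size=$(rsa2048_bytes)
ec_size=$(p256_bytes)
echo "RSA-2048 cert: $rsa_size bytes; two-cert chain needs $(chain_fragments "$rsa_size") fragments"
echo "P-256 cert:    $ec_size bytes; two-cert chain needs $(chain_fragments "$ec_size") fragments"
```

Every extra fragment is one more EAP round trip through every proxy between the access point and the home RADIUS server, which is why a smaller chain fails less often on paths whose MTU you do not control.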

Re: [WIRELESS-LAN] Cisco pre-DNA Spaces Location Service, Contact Tracing

2020-05-27 Thread Julian Y Koh
On May 27, 2020, at 12:30, Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:

My question is specifically for Cisco legacy location services users. Are you 
all doing anything specific in anticipation of possibly needing to provide 
Wi-Fi location data for contact tracing? Are you being specifically asked about 
it by your management?

We had a bit of a discussion about this on the monthly CommTech EDUCAUSE call 
today.  No one has specifically asked us to provide this data yet, but the 
general approach we’re taking is that Wi-Fi data does not provide the 
necessary granularity to do true contact tracing, and any data we provide 
will only be applicable to our campus.  So Wi-Fi data can be useful as a 
secondary/tertiary support to true contact tracing (i.e., person X has been 
diagnosed with COVID-19 and is working to retrace movements over the past 14 
days) and campus preparations (based on historical and/or real-time present 
data, here are the areas where we expect to have the highest densities of 
people, so let’s direct efforts with respect to more frequent cleaning, 
signage, line/queue management, etc. in those areas).

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 




Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Michael Dickson
For eduroam we use EAP-TTLS. For onboarding we use SecureW2's JoinNow.
We create radius certs through InCommon (Sectigo now?). The 20 year CA
root cert AddTrust expires May 30. The USERTrust RSA CA will be used
going forward. 

Assuming no user interaction, MacOS, iOS and Windows should start to use
the USERTrust CA to build the cert chain to validate the server cert.
JoinNow has been installing both the AddTrust CA and USERTrust RSA CA on
devices during onboard for the last couple of years, so if the OS vendor
didn't install these certs then JoinNow did.

For us, Androids are expected to see the greatest potential impact on
May 31. This is because Android didn't (doesn't?) support two CA root
certs. And until fairly recently they only supported SHA-1. So the
AddTrust CA was used with dual intermediates. The good news is that
Androids that receive regular carrier updates should now support SHA-2.
That should be most if not all devices. Our latest JoinNow profile now
installs the USERTrust RSA CA cert on Androids. This will allow them to
build the cert chain to the radius cert. The problem is if users don't
re-run JoinNow to get the new root CA they will fail validity checking
when connecting to eduroam. This assumes the device was onboarded
previously or otherwise *correctly* configured to validate the server
cert. Our experience is that most users who DIY their Android eduroam
config tend to not enable validate server cert. It will be interesting
to see what percentage reruns JoinNow and who just "figures it out".

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39


RE: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Hurt,Trenton W.
I was able to get things working.   My new cert root ca was cross signed by the 
old existing root ca.  I was able to chain these together and upload this as 
new rad server cert and both eap peap and my existing eap tls work with this 
chained cert.


I will be exploring ways to get off this public cert and unmanaged peap.  I 
don’t want to have to deal with this every 2 years.



Thanks

Trent

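The cross-signing that Trent's CA described, and the fix he reports above (sending the cross-signed root along with the server certificate), can be reproduced with openssl(1) in a throwaway directory. The script below is an added example; it is not code from the list, from SecureW2 or from ClearPass. All names (OldRoot, NewRoot, issuing, radius.example.edu), serial numbers and validity periods are constructed for the example. It builds an old root, a new root whose key is additionally signed by the old root (the cross-certificate), an intermediate under the new root and a RADIUS server certificate, then checks each chain the way a supplicant that trusts only one root would. The root, intermediate and server steps, minus the cross-certificate, are the same ones that produce the offline private hierarchy Ryan recommends earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the list, SecureW2 or ClearPass): reproduce the
# "new root cross-signed by old root" situation with throwaway keys, then
# check which chains a client that trusts only the OLD root accepts.
# CA names, radius.example.edu, serial numbers and validity days are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Explicit extension profiles, so nothing depends on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
EOF

# new_key_and_csr NAME: RSA-2048 key plus a CSR whose subject is CN=NAME
new_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# self_sign NAME SERIAL DAYS: self-signed root certificate for NAME's key
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days "$3" -set_serial "$2" \
    -extfile ext.cnf -extensions ca -out "$1.pem" 2>/dev/null
}

# issue CSR_NAME ISSUER EXT_SECTION SERIAL DAYS OUT_FILE: ISSUER signs the request
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -sha256 -days "$5" \
    -set_serial "$4" -extfile ext.cnf -extensions "$3" -out "$6" 2>/dev/null
}

build_pki() {
  for n in OldRoot NewRoot issuing radius; do new_key_and_csr "$n"; done
  self_sign OldRoot 1 7300                             # root the onboarded clients trust
  self_sign NewRoot 2 7300                             # the CA's replacement root
  issue NewRoot OldRoot ca 3 3650 NewRoot-cross.pem    # NewRoot's key, signed by OldRoot
  issue issuing NewRoot ca 4 3650 issuing.pem          # intermediate under the new root
  issue radius issuing server 5 730 radius.pem         # the RADIUS server certificate
  cat issuing.pem > chain-plain.pem                    # what the server sent at first
  cat issuing.pem NewRoot-cross.pem > chain-cross.pem  # the fix: include the cross-cert
}

# verify_chain TRUSTED_ROOT CHAIN_FILE: prints ok or fail, acting like a
# supplicant that trusts only TRUSTED_ROOT and receives radius.pem + CHAIN_FILE.
# -no-CAfile/-no-CApath keep the OS trust store out of the picture.
verify_chain() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" radius.pem \
      >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

old_trust_plain_chain() { verify_chain OldRoot.pem chain-plain.pem; }  # fail: the symptom
old_trust_cross_chain() { verify_chain OldRoot.pem chain-cross.pem; }  # ok: the fix
new_trust_cross_chain() { verify_chain NewRoot.pem chain-cross.pem; }  # ok: re-onboarded

build_pki
echo "trusts OldRoot, gets server+intermediate:            $(old_trust_plain_chain)"
echo "trusts OldRoot, gets server+intermediate+cross-cert: $(old_trust_cross_chain)"
echo "trusts NewRoot, gets server+intermediate+cross-cert: $(new_trust_cross_chain)"
```

The third check is the one to keep an eye on: clients that have already picked up the new root still validate when the cross-certificate is in the chain, so sending it costs nothing except chain size. The cross-certificate only helps for as long as the old root itself is within its validity period on the client, which is exactly the limit Michael describes for the AddTrust expiry.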

Cisco pre-DNA Spaces Location Service, Contact Tracing

2020-05-27 Thread Lee H Badman
I hope everyone on the list is doing well.

We are getting multiple vendor pitches these days for contact tracing 
“solutions”. From Cisco, our main network vendor, their pitch relies on DNA 
Spaces. We don’t use that yet,  and it’s no secret what is happening to many of 
our budgets.

My question is specifically for Cisco legacy location services users. Are you 
all doing anything specific in anticipation of possibly needing to provide 
Wi-Fi location data for contact tracing? Are you being specifically asked about 
it by your management?

I haven’t decided yet whether the vendors are being generally altruistic or 
opportunistic on this topic.

Regards,

Lee Badman (mobile)



RE: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Tim Cappalli
It will be a mixed bag across operating systems and even OS versions. There 
will not be a consistent user experience if the CA is not trusted by the OS.


Tim Cappalli | @timcappalli


RE: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Turner, Ryan H
Good question.  I do not know.  I assume there are plenty of people on this 
list with a lot more PEAP experience than me that can say.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Wednesday, May 27, 2020 8:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change

I was always told to use a public-signed cert for PEAP BYOD clients.   Will 
clients like Windows/iDevices prompt to trust a privately signed cert?  Is it 
just connect/accept, like the behavior with a public-signed cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H <rhtur...@email.unc.edu>
Sent: Wednesday, May 27, 2020 8:16:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change


CAUTION: This email originated from outside of our organization. Do not click 
links, open attachments, or respond unless you recognize the sender's email 
address and know the contents are safe.
My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
or anything else.  Actually, that does bring a wrinkle into my previous email.  
If PEAP and TLS both exist, I am going to guess there will be more prompts or 
issues with a private CA (perhaps).
Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On May 26, 2020, at 8:21 PM, Hurt,Trenton W. <trent.h...@louisville.edu> wrote:

I’m also doing unmanned EAP-PEAP (yes, I know all the security reasons against 
this).  If I don’t use a public-signed CA, will BYOD devices be able to connect 
via EAP-PEAP with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H <rhtur...@email.unc.edu>
Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change



You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.   Throughout the years, I’ve counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.



There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.



OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.



Ryan



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change



I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works fine 
for EAP-PEAP clients, but my existing EAP-TLS clients all fail auth when I switch 
to this new updated RADIUS cert.  I see that my public CA has issued this new cert 
using a different root CA than my old one (the one that is installed/configured 
in my SecureW2 app in the cloud).  SecureW2 has told me that users will have to 
onboard again once I change the cert on ClearPass and update the cloud app, since 
the public CA changed the root CA in the cert chain.  I asked my public CA if they 
could reissue using the other root CA so my EAP-TLS clients will still work once I 
do the change.  They have told me that it shouldn't need a reissue under the old 
root CA (the one TLS clients currently use) because my new cert's root CA is 
cross-signed by the old root CA.  They told me that I should be able to use this 
new one, but I still can't seem to get things working correctly.  Has anyone who 
is using SecureW2 had issues like this with the root CA changing and clients 
forced to re-onboard?  I'm not really a PKI person, so maybe there is some way I 
could chain these or something.  I'm just looking for a way to update the RADIUS 
cert on the servers and not have to force all my onboarded clients to go through 
that 

Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Hurt,Trenton W.
I was always told to use a public-signed cert for PEAP BYOD clients.   Will 
clients like Windows/iDevices prompt to trust a privately signed cert?  Is it 
just connect/accept, like the behavior with a public-signed cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Wednesday, May 27, 2020 8:16:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change



My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
or anything else.  Actually, that does bring a wrinkle into my previous email.  
If PEAP and TLS both exist, I am going to guess there will be more prompts or 
issues with a private CA (perhaps).

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On May 26, 2020, at 8:21 PM, Hurt,Trenton W.  wrote:


I’m also doing unmanned EAP-PEAP (yes, I know all the security reasons against 
this).  If I don’t use a public-signed CA, will BYOD devices be able to connect 
via EAP-PEAP with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change



You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.   Throughout the years, I’ve counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.



There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.



OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.



Ryan



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change



I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works fine 
for EAP-PEAP clients, but my existing EAP-TLS clients all fail auth when I switch 
to this new updated RADIUS cert.  I see that my public CA has issued this new cert 
using a different root CA than my old one (the one that is installed/configured 
in my SecureW2 app in the cloud).  SecureW2 has told me that users will have to 
onboard again once I change the cert on ClearPass and update the cloud app, since 
the public CA changed the root CA in the cert chain.  I asked my public CA if they 
could reissue using the other root CA so my EAP-TLS clients will still work once I 
do the change.  They have told me that it shouldn't need a reissue under the old 
root CA (the one TLS clients currently use) because my new cert's root CA is 
cross-signed by the old root CA.  They told me that I should be able to use this 
new one, but I still can't seem to get things working correctly.  Has anyone who 
is using SecureW2 had issues like this with the root CA changing and clients 
forced to re-onboard?  I'm not really a PKI person, so maybe there is some way I 
could chain these or something.  I'm just looking for a way to update the RADIUS 
cert on the servers and not have to force all my onboarded clients to go through 
that process once I make the change.





**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

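Two things in the quoted question and in Ryan's advice can be checked directly with openssl(1): whether a client that trusts only the old root will accept a server cert issued under a new root that the old root has cross-signed, and what the private root / intermediate / server-cert chain he recommends looks like when built by hand. The script below is an added example for this thread, not code from the list, from SecureW2 or from ClearPass. It assumes openssl 1.1.1 or newer on PATH, and every name in it (Old Public Root, New Public Root, New Issuing CA, radius.example.edu) is made up. It builds both roots, a cross-certificate for the new root's key signed by the old root, an intermediate under the new root and a RADIUS server cert under that intermediate, then plays the role of a supplicant whose trust store holds only the old root and checks which server-presented chain it accepts.

```shell
#!/bin/sh
# Added demo (not from the thread): can a client that trusts only the OLD root
# validate a RADIUS server cert issued under a NEW root that the old root cross-signed?
# Assumes openssl(1) 1.1.1 or later on PATH. All names below are made up for the demo.
set -eu

WORK="$(mktemp -d)"

# One config file serves both req(1) (it needs a distinguished_name section even
# when -subj is given) and the extension sections used for CA and leaf certs.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
EOF

# Self-signed root CA: $1 = file prefix, $2 = subject. ECC keys keep the certs small.
mk_root() {
  openssl req -x509 -config "$WORK/ext.cnf" -extensions ca_ext -nodes \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" -days 7300 >/dev/null 2>&1
}

# Fresh EC key: $1 = file prefix
mk_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null; }

# Certify key $1 with subject $2, signed by CA $3, extension section $4, output $5.pem
issue() {
  openssl req -new -config "$WORK/ext.cnf" -key "$WORK/$1.key" -subj "$2" \
    -out "$WORK/$5.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$5.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ext.cnf" -extensions "$4" \
    -out "$WORK/$5.pem" >/dev/null 2>&1
}

build_pki() {
  mk_root old_root '/CN=Old Public Root'   # what already-onboarded EAP-TLS clients trust
  mk_root new_root '/CN=New Public Root'   # what the public CA now issues under
  # Cross-certificate: the NEW root's key and subject, signed by the OLD root.
  issue new_root '/CN=New Public Root' old_root ca_ext new_root_cross
  # Issuing intermediate under the new root, then the RADIUS server cert under it.
  mk_key inter
  issue inter '/CN=New Issuing CA' new_root ca_ext inter
  mk_key radius
  issue radius '/CN=radius.example.edu' inter leaf_ext radius
  # Two candidate chains the RADIUS server could present alongside its leaf.
  cat "$WORK/inter.pem" > "$WORK/chain_without_cross.pem"
  cat "$WORK/inter.pem" "$WORK/new_root_cross.pem" > "$WORK/chain_with_cross.pem"
}

# Emulates a supplicant whose trust store holds only $2; $3 is the chain the server sent.
# Returns 0 when openssl builds a path from leaf $1 to that single trust anchor.
client_accepts() {
  openssl verify -CAfile "$WORK/$2" -untrusted "$WORK/$3" "$WORK/$1" 2>/dev/null \
    | grep -q ': OK$'
}

build_pki
for chain in chain_without_cross.pem chain_with_cross.pem; do
  if client_accepts radius.pem old_root.pem "$chain"; then
    echo "old-root client, server sends $chain: ACCEPT"
  else
    echo "old-root client, server sends $chain: REJECT"
  fi
done
```

With the intermediate alone, the old-root client rejects the cert (there is no path to a trusted anchor); with the cross-certificate added to what the server sends, the same client accepts it, which is the behaviour the CA was describing. So the first thing to check in the situation above is whether ClearPass is actually including the cross-signed root certificate in the EAP-TLS server chain. Even then, a supplicant profile that pins the root by thumbprint rather than by name can still refuse the new chain, so treat ACCEPT here as the necessary condition, not a guarantee that onboarded clients keep working.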

Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Turner, Ryan H
My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
or anything else.  Actually, that does bring a wrinkle into my previous email.  
If PEAP and TLS both exist, I am going to guess there will be more prompts or 
issues with a private CA (perhaps).

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] securew2 and all the devices that don't support it.

2020-05-27 Thread Walter Reynolds
We do similar to those above. We use a modified version of PacketFence
for registration of MAC devices, SecureW2 for 1x devices and FreeRADIUS
for RADIUS.  We have an SSID that is specifically for being able to set up
devices, both 802.1X and MAC-based auth. The SSID is an open network that
will redirect users to a setup page - https://msetup.its.umich.edu/

This setup page gives you two options.  One, for 1x devices, routes you
to the SecureW2 onboarding page.  The second is listed as other devices,
with a few examples.  That redirects you to a page which simply asks for
the MAC address of the device and for you to name it.  This page is
authenticated, so the devices are automatically registered to the user.
They are also able to manage their devices (either renew or unregister).



Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Wed, May 27, 2020 at 1:20 AM Norton, Thomas (Network Operations) <
tnort...@liberty.edu> wrote:

> Hi there,
>
> We utilize SecureW2 for onboarding inline with ClearPass as our NAC, and
> will soon integrate SecureW2 as our primary CA for EAP-TLS across campus.
> For all other devices that don’t support 802.1X, we utilize MAC auth and a
> custom portal we built in house using the ClearPass Guest API for device
> registration that integrates with the CPPM guest database. We’re actually
> building upon it to add operator logins for departmental device management.
> Feel free to reach out direct; we’re very happy with both products.
>
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Klingaman, Ryan <
> rklinga...@carroll.edu>
> *Sent:* Tuesday, May 26, 2020 6:15:24 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* [External] [WIRELESS-LAN] securew2 and all the devices that
> don't support it.
>
> --
>
> [ EXTERNAL EMAIL: Do not click any links or open attachments unless you
> know the sender and trust the content. ]
> --
> I have been a long-time user of Ruckus and Cloudpath and have been looking
> into Aruba and ClearPass lately. I see from this list that there are a few
> colleges that use SecureW2 in place of something like ClearPass or
> Cloudpath.
>
> My question is for those that use it, what is your solution for the gaming
> consoles, media players, virtual assistants, etc.?
>
> Do you only support hardwired on those devices (if they support that
> option)?
>
> Do you have a custom solution tied into the API of the wireless Vendor?
>
> Do you use two solutions such as Clearpass and Securew2?
>
> Thanks,
>
> Ryan
>