Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Marsen Nuzi
SecureW2 recommended disabling the connect-to-wireless option, but the experience
was not the same. It worked for Big Sur but not for Windows, which makes me
think that no matter what we do it will be an issue.

Marsen Nuzi
Information Technology


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Heavrin, Lynn 

Sent: Sunday, June 20, 2021 10:24:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Eap-tls user experience


In my experience it tried to connect then the user is greeted with a retry or 
close option if it didn’t succeed.  You can always create a new package just 
for remote users that won’t try to auto-connect if you are concerned about it.  
At the bottom of the profile when you edit it, you can just uncheck things you 
don’t want the package to do.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Phone: 314.935.3877 | Email: lheav...@wustl.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Marsen Nuzi 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, June 18, 2021 at 4:51 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Eap-tls user experience

Hello All,

How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks

Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

The materials in this message are private and may contain Protected Healthcare
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.


Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Marsen Nuzi
I have seen the same with Big Sur and Windows, but as you said clients have the
option to just continue and not retry when off campus.
Thanks

Marsen Nuzi
Information Technology


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Sunday, June 20, 2021 11:46:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Eap-tls user experience

For us, we always get a message when trying to connect that the ‘SSID is not in
range’ if the person is onboarding off campus.  But the clients don’t need to
attempt multiple times.  The devil is in the details.  What operating system
are you seeing this with?  We are currently in Big Sur hell, but it looks like
SecureW2 is testing a ‘big fix’ that should be ready next week.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 18, 2021, at 5:51 PM, Marsen Nuzi  wrote:

Hello All,
How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks
Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu


Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Turner, Ryan H
For us, we always get a message when trying to connect that the ‘SSID is not in
range’ if the person is onboarding off campus.  But the clients don’t need to
attempt multiple times.  The devil is in the details.  What operating system
are you seeing this with?  We are currently in Big Sur hell, but it looks like
SecureW2 is testing a ‘big fix’ that should be ready next week.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 18, 2021, at 5:51 PM, Marsen Nuzi  wrote:

Hello All,
How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks
Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu

Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Heavrin, Lynn
In my experience it tried to connect then the user is greeted with a retry or 
close option if it didn’t succeed.  You can always create a new package just 
for remote users that won’t try to auto-connect if you are concerned about it.  
At the bottom of the profile when you edit it, you can just uncheck things you 
don’t want the package to do.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Phone: 314.935.3877 | Email: lheav...@wustl.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Marsen Nuzi 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, June 18, 2021 at 4:51 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Eap-tls user experience

Hello All,
How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks
Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu


Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-12 Thread Jonathan Waldrep
> When the supplicant is properly configured, it is not dependent on an
> individual leaf certificate and will not be impacted by the renewal of
> the EAP server certificate.

I thought we were talking about the client certs. Rereading the thread, I
was probably the only one thinking that.

Answering the PKI questions and expanding on Tim's response:
 1. The authentication server should present the whole chain, leaf to
root. The client should trust the root, and expect a specific CN in
the leaf. This is what lets you renew the leaf server certs without
reconfiguring clients. [1]
 2. The free eduroamCAT tool does this. Any on-boarding agent that is
worth using will, too.
 3a. As your private PKI is not part of the Browser/CA forum or any other
regulatory body, you are not required to have an HSM for your root
key. [2]
 3b. There is no use for an HSM if you are using the InCommon root. In
this scenario, the only sensitive information that you have control over
is the key to the leaf cert.

[1] Note that this is how the client authenticates the server, and therefore
is not specific to EAP-TLS.

[2] This does not necessarily mean you do not _want_ one. That is a
security decision that your group will have to make. All security involves
trade-offs, and trade-offs are subjective.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Wed, Feb 12, 2020 at 3:14 PM Cappalli, Tim (Aruba)  wrote:
>
> When the supplicant is properly configured, it is not dependent on an 
> individual leaf certificate and will not be impacted by the renewal of the 
> EAP server certificate.
>
>
>
> tim
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv 
> 
> Date: Friday, February 7, 2020 at 1:42 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2
>
> > Would you recommend we use an incommon public signed cert even if we’re 
> > able to have every BYOD client install our self-signed cert?
> No. The InCommon CA must adhere to the CA/Browser forum's rules for a
> CA. As such, the lifetime of the cert is limited to just over 2 years.
> Having a network connection break after 2 years, for no apparent
> reason, is a frustrating user experience. Using your own PKI/CA does
> not have this restriction.
>
> --
> Jonathan Waldrep
> Network Engineer
> Network Infrastructure and Services
> Virginia Tech
>
> On Thu, Feb 6, 2020 at 9:26 PM Turner, Ryan H  wrote:
> >
> > I would suggest using SecureW2s PKI and not AD.  We ran SecureW2 integrated 
> > with the ADCS for about 5 or 6 years.  It works, but it adds some 
> > additional complexity that will cause you grief.  For example, let’s say 
> > one night the integration server that ties to SecureW2 patches and hangs 
> > after a reboot…. Or the process that handles the certificate request (a 
> > SecureW2 process on your AD server) dies… The users trying to onboard will 
> > get ambiguous errors, and you will spend a lot of time trying to figure out 
> > if the problem is 1) the user, 2) the cloud, 3) your AD integration server, 
> > 4) the certificate server.  It really helps to have everything in one 
> > basket.
> >
> >
> >
> > We switched to the SecureW2 cloud based PKI in January.  I am going to 
> > answer your other questions inline below…
> >
> >
> >
> > From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> >  on behalf of "Heavrin, Lynn" 
> > 
> > Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> > 
> > Date: Thursday, February 6, 2020 at 3:23 PM
> > To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> > 
> > Subject: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2
> >
> >
> >
> > We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
> > recommendation of a couple big universities we talked with, we are looking 
> > at using SecureW2.  We have demoed it and it works great provisioning the 
> > clients and enrolling user certificates to their cloud PKI.  After bringing 
> > it up with our AD team, some questions were asked about possibly just using 
> > our ADCS.  We know we can use the ADCS with or without SecureW2 and will 
> > likely leverage SecureW2 anyway to point to it for nice features like OS 
> > detection and provisioning and a good dissolvable agent.  We use Cisco ISE 
> > for our RADIUS server and I much prefer SecureW2’s agent over ISE.
> >
> >
> >
> > I was asked a couple questions and I may or may not already know the 
> > answer, but it’d be great if someone with a little more PKI background 
> > could clarify:
> &
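As an added illustration of points 1 and 2 in Jonathan's answer (the supplicant trusts the root, expects a specific name in the EAP server's leaf, and then survives leaf renewals), here is a small lint for wpa_supplicant-style EAP-TLS network blocks. This is example code written for this page, not code from eduroamCAT, SecureW2, Cisco ISE or the wpa_supplicant project. The option names are real wpa_supplicant.conf keys; the SSIDs, identity and file paths in the sample config are constructed. It goes a little beyond the thread: besides a missing trust anchor and a missing name pin, it also flags the deprecated substring-style `subject_match` and blocks that are not EAP-TLS at all.

```python
"""Lint wpa_supplicant-style EAP-TLS network blocks for server-validation gaps.

Added example for the EAP-TLS thread above; option names are real
wpa_supplicant.conf keys, SAMPLE_CONF values are constructed.
"""
import re
from typing import Dict, List

SAMPLE_CONF = """
# Constructed sample: one correct block, one that validates nothing, one legacy PEAP block.
network={
    ssid="CampusSecure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    ca_cert="/etc/wpa_supplicant/campus-root-ca.pem"   # private root, trusted only for RADIUS
    domain_match="radius.example.edu"                   # expected name in the EAP server leaf
    client_cert="/etc/wpa_supplicant/student.crt"
    private_key="/etc/wpa_supplicant/student.key"
}

network={
    ssid="CampusSecure-Bad"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="student@example.edu"
    client_cert="/etc/wpa_supplicant/student.crt"
    private_key="/etc/wpa_supplicant/student.key"
}

network={
    ssid="CampusLegacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    ca_cert="/etc/wpa_supplicant/campus-root-ca.pem"
    domain_match="radius.example.edu"
}
"""

BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.DOTALL)
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Options that pin which server certificate the supplicant accepts; the first
# two are the ones wpa_supplicant documents as preferred.
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

NO_CA = "ca_cert missing: no trust anchor, so any EAP server certificate is accepted"
NO_NAME = ("no domain_match/domain_suffix_match: server identity is not pinned, "
           "so any certificate issued by the trusted CA is accepted")
OLD_MATCH = "subject_match is a deprecated substring match; prefer domain_match"


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one option->value dict per network={...} block, quotes stripped."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        opts: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop trailing comments
            m = KV_RE.match(line)
            if m:
                key, value = m.groups()
                opts[key] = value.strip('"')
        networks.append(opts)
    return networks


def lint_eap_tls(opts: Dict[str, str]) -> List[str]:
    """Findings for one block; an empty list means the server is properly validated."""
    findings: List[str] = []
    if not any(v.startswith("WPA-EAP") for v in opts.get("key_mgmt", "").split()):
        return [f"key_mgmt={opts.get('key_mgmt')!r}: not an 802.1X/EAP network"]
    if opts.get("eap") != "TLS":
        findings.append(f"eap={opts.get('eap')!r}: not EAP-TLS")
    if "ca_cert" not in opts:
        findings.append(NO_CA)
    if not any(k in opts for k in SERVER_NAME_KEYS):
        findings.append(NO_NAME)
    elif "subject_match" in opts and not any(k in opts for k in SERVER_NAME_KEYS[:2]):
        findings.append(OLD_MATCH)
    if opts.get("eap") == "TLS":                  # only EAP-TLS needs a client credential pair
        for key in ("client_cert", "private_key"):
            if key not in opts:
                findings.append(f"{key} missing: supplicant has no client certificate to present")
    return findings


def lint_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its findings."""
    return {opts.get("ssid", "?"): lint_eap_tls(opts) for opts in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in lint_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The "CampusSecure-Bad" block is the case the thread warns about: with no `ca_cert` the supplicant accepts whatever RADIUS server answers, and without a name pin any certificate from the trusted CA is accepted. Pinning the root plus the server name (rather than the leaf itself) is what lets the leaf be renewed without touching clients.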

Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-12 Thread Cappalli, Tim (Aruba)
When the supplicant is properly configured, it is not dependent on an 
individual leaf certificate and will not be impacted by the renewal of the EAP 
server certificate.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, February 7, 2020 at 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2
> Would you recommend we use an incommon public signed cert even if we’re able 
> to have every BYOD client install our self-signed cert?
No. The InCommon CA must adhere to the CA/Browser forum's rules for a
CA. As such, the lifetime of the cert is limited to just over 2 years.
Having a network connection break after 2 years, for no apparent
reason, is a frustrating user experience. Using your own PKI/CA does
not have this restriction.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Thu, Feb 6, 2020 at 9:26 PM Turner, Ryan H  wrote:
>
> I would suggest using SecureW2s PKI and not AD.  We ran SecureW2 integrated 
> with the ADCS for about 5 or 6 years.  It works, but it adds some additional 
> complexity that will cause you grief.  For example, let’s say one night the 
> integration server that ties to SecureW2 patches and hangs after a reboot…. 
> Or the process that handles the certificate request (a SecureW2 process on 
> your AD server) dies… The users trying to onboard will get ambiguous errors, 
> and you will spend a lot of time trying to figure out if the problem is 1) 
> the user, 2) the cloud, 3) your AD integration server, 4) the certificate 
> server.  It really helps to have everything in one basket.
>
>
>
> We switched to the SecureW2 cloud based PKI in January.  I am going to answer 
> your other questions inline below…
>
>
>
> From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
>  on behalf of "Heavrin, Lynn" 
> 
> Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> 
> Date: Thursday, February 6, 2020 at 3:23 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2
>
>
>
> We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
> recommendation of a couple big universities we talked with, we are looking at 
> using SecureW2.  We have demoed it and it works great provisioning the 
> clients and enrolling user certificates to their cloud PKI.  After bringing 
> it up with our AD team, some questions were asked about possibly just using 
> our ADCS.  We know we can use the ADCS with or without SecureW2 and will 
> likely leverage SecureW2 anyway to point to it for nice features like OS 
> detection and provisioning and a good dissolvable agent.  We use Cisco ISE 
> for our RADIUS server and I much prefer SecureW2’s agent over ISE.
>
>
>
> I was asked a couple questions and I may or may not already know the answer, 
> but it’d be great if someone with a little more PKI background could clarify:
>
>
>
> Private PKI questions:
>
> Does every Managed and BYOD device have to trust the full chain of the 
> certificate?
>
> I don’t think you can make any assumptions.  As I recall, we install every 
> certificate and chain it all the way back to root.
>
> How do you install the trusted root and intermediate on a BYOD device?
>
> That is what SecureW2 does during the onboarding.
>
> For a private PKI with a self-signed cert do we need an HSM?  If we use 
> incommon root, would we need the HSM?
>
> I think this is extreme overkill.  If you are going to create a new PKI, it 
> should only be trusted on the RADIUS servers for campus internet 
> connectivity.  The certificate shouldn’t give access to any other campus 
> > resource, so its value is extremely limited.
>
>
>
>
>
> SecureW2 Questions:
>
> Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and 
> intermediate on a BYOD device during enrollment?  If so then it shouldn’t 
> matter if we use a self-signed root or incommon public root right?
> We are also an incommon partner and can get root signed certs from them.  If 
> we used incommon root but pointed securew2 to our ADCS, would that be an 
> unnecessary step rather than just pointing SecureW2 straight to incommon like 
> we’re doing in our demo?
> Would you recommend we use an incommon public signed cert even if we’re able 
> to have every BYOD client install our self-signed cert?  We have unlimited 
> incommon certs.  We may already have been issuing user certs to all our 
> managed devices, just not doing anything with them.  One thing I thought was 
> that any BYOD could be incommon, and all managed would be self-signed and I 
> could just set ISE to trust both.
>
>
>
> I’ll make this simpl

Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-07 Thread Jonathan Waldrep
> Would you recommend we use an incommon public signed cert even if we’re able 
> to have every BYOD client install our self-signed cert?
No. The InCommon CA must adhere to the CA/Browser forum's rules for a
CA. As such, the lifetime of the cert is limited to just over 2 years.
Having a network connection break after 2 years, for no apparent
reason, is a frustrating user experience. Using your own PKI/CA does
not have this restriction.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Thu, Feb 6, 2020 at 9:26 PM Turner, Ryan H  wrote:
>
> I would suggest using SecureW2s PKI and not AD.  We ran SecureW2 integrated 
> with the ADCS for about 5 or 6 years.  It works, but it adds some additional 
> complexity that will cause you grief.  For example, let’s say one night the 
> integration server that ties to SecureW2 patches and hangs after a reboot…. 
> Or the process that handles the certificate request (a SecureW2 process on 
> your AD server) dies… The users trying to onboard will get ambiguous errors, 
> and you will spend a lot of time trying to figure out if the problem is 1) 
> the user, 2) the cloud, 3) your AD integration server, 4) the certificate 
> server.  It really helps to have everything in one basket.
>
>
>
> We switched to the SecureW2 cloud based PKI in January.  I am going to answer 
> your other questions inline below…
>
>
>
> From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
>  on behalf of "Heavrin, Lynn" 
> 
> Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> 
> Date: Thursday, February 6, 2020 at 3:23 PM
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
> Subject: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2
>
>
>
> We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
> recommendation of a couple big universities we talked with, we are looking at 
> using SecureW2.  We have demoed it and it works great provisioning the 
> clients and enrolling user certificates to their cloud PKI.  After bringing 
> it up with our AD team, some questions were asked about possibly just using 
> our ADCS.  We know we can use the ADCS with or without SecureW2 and will 
> likely leverage SecureW2 anyway to point to it for nice features like OS 
> detection and provisioning and a good dissolvable agent.  We use Cisco ISE 
> for our RADIUS server and I much prefer SecureW2’s agent over ISE.
>
>
>
> I was asked a couple questions and I may or may not already know the answer, 
> but it’d be great if someone with a little more PKI background could clarify:
>
>
>
> Private PKI questions:
>
> Does every Managed and BYOD device have to trust the full chain of the 
> certificate?
>
> I don’t think you can make any assumptions.  As I recall, we install every 
> certificate and chain it all the way back to root.
>
> How do you install the trusted root and intermediate on a BYOD device?
>
> That is what SecureW2 does during the onboarding.
>
> For a private PKI with a self-signed cert do we need an HSM?  If we use 
> incommon root, would we need the HSM?
>
> I think this is extreme overkill.  If you are going to create a new PKI, it 
> should only be trusted on the RADIUS servers for campus internet 
> connectivity.  The certificate shouldn’t give access to any other campus 
> resource, so its value is extremely limited.
>
>
>
>
>
> SecureW2 Questions:
>
> Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and 
> intermediate on a BYOD device during enrollment?  If so then it shouldn’t 
> matter if we use a self-signed root or incommon public root right?
> We are also an incommon partner and can get root signed certs from them.  If 
> we used incommon root but pointed securew2 to our ADCS, would that be an 
> unnecessary step rather than just pointing SecureW2 straight to incommon like 
> we’re doing in our demo?
> Would you recommend we use an incommon public signed cert even if we’re able 
> to have every BYOD client install our self-signed cert?  We have unlimited 
> incommon certs.  We may already have been issuing user certs to all our 
> managed devices, just not doing anything with them.  One thing I thought was 
> that any BYOD could be incommon, and all managed would be self-signed and I 
> could just set ISE to trust both.
>
>
>
> I’ll make this simple.  While your situation may differ from ours, I do not 
> think there will be a compelling reason for you to use InCommon.  A Private 
> PKI is simple.  SecureW2 will easily install the chains.  You will not have 
> to worry about InCommon.  I’m just going to leave it at that.  While I don’t 
> > have the precise number, I am fairly confident we’ve onboarded devices nearly 1M times 
> on SecureW2 (and previously Cloudpath).  When it comes to TLS, your absolute 
> best bet is to not complicate.  2048 length certs and SHA256 hash.  Simple.  
> Works.  No benefit to complicating.
>
>
>
> My 10 cents.
>
>
>
> Ryan
>
>
>
>
>
> Thanks,
>
>
>
> Lynn Heavrin
>
> Network Engineer II | Network Engineering
>
> 

Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-06 Thread Turner, Ryan H
I would suggest using SecureW2s PKI and not AD.  We ran SecureW2 integrated 
with the ADCS for about 5 or 6 years.  It works, but it adds some additional 
complexity that will cause you grief.  For example, let’s say one night the 
integration server that ties to SecureW2 patches and hangs after a reboot…. Or 
the process that handles the certificate request (a SecureW2 process on your AD 
server) dies… The users trying to onboard will get ambiguous errors, and you 
will spend a lot of time trying to figure out if the problem is 1) the user, 2) 
the cloud, 3) your AD integration server, 4) the certificate server.  It really 
helps to have everything in one basket.

We switched to the SecureW2 cloud based PKI in January.  I am going to answer 
your other questions inline below…

From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"  
on behalf of "Heavrin, Lynn" 
Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 

Date: Thursday, February 6, 2020 at 3:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
recommendation of a couple big universities we talked with, we are looking at 
using SecureW2.  We have demoed it and it works great provisioning the clients 
and enrolling user certificates to their cloud PKI.  After bringing it up with 
our AD team, some questions were asked about possibly just using our ADCS.  We 
know we can use the ADCS with or without SecureW2 and will likely leverage 
SecureW2 anyway to point to it for nice features like OS detection and 
provisioning and a good dissolvable agent.  We use Cisco ISE for our RADIUS 
server and I much prefer SecureW2’s agent over ISE.

I was asked a couple questions and I may or may not already know the answer, 
but it’d be great if someone with a little more PKI background could clarify:

Private PKI questions:

  1.  Does every Managed and BYOD device have to trust the full chain of the 
certificate?
I don’t think you can make any assumptions.  As I recall, we install every 
certificate and chain it all the way back to root.

  2.  How do you install the trusted root and intermediate on a BYOD device?
That is what SecureW2 does during the onboarding.

  3.  For a private PKI with a self-signed cert do we need an HSM?  If we use 
incommon root, would we need the HSM?
I think this is extreme overkill.  If you are going to create a new PKI, it 
should only be trusted on the RADIUS servers for campus internet connectivity.  
The certificate shouldn’t give access to any other campus resource, so its 
value is extremely limited.


SecureW2 Questions:

  1.  Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and 
intermediate on a BYOD device during enrollment?  If so then it shouldn’t 
matter if we use a self-signed root or incommon public root right?
  2.  We are also an incommon partner and can get root signed certs from them.  
If we used incommon root but pointed securew2 to our ADCS, would that be an 
unnecessary step rather than just pointing SecureW2 straight to incommon like 
we’re doing in our demo?
  3.  Would you recommend we use an incommon public signed cert even if we’re 
able to have every BYOD client install our self-signed cert?  We have unlimited 
incommon certs.  We may already have been issuing user certs to all our managed 
devices, just not doing anything with them.  One thing I thought was that any 
BYOD could be incommon, and all managed would be self-signed and I could just 
set ISE to trust both.

I’ll make this simple.  While your situation may differ from ours, I do not 
think there will be a compelling reason for you to use InCommon.  A Private PKI 
is simple.  SecureW2 will easily install the chains.  You will not have to 
worry about InCommon.  I’m just going to leave it at that.  While I don’t have 
the precise number, I am fairly confident we’ve onboarded devices nearly 1M times on 
SecureW2 (and previously Cloudpath).  When it comes to TLS, your absolute best 
bet is to not complicate.  2048 length certs and SHA256 hash.  Simple.  Works.  
No benefit to complicating.

My 10 cents.

Ryan


Thanks,

Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
Phone: 314.935.3877 | Email: lheav...@wustl.edu

RE: [WIRELESS-LAN] EAP-TLS

2017-08-16 Thread Turner, Ryan H
I haven’t heard that.  I’ll forward it on.  I had not seen this reply, so I 
resent my email.  For some reason, I didn’t get a copy of my posting yesterday 
so I thought it had not gone through.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jonathan Waldrep
Sent: Wednesday, August 16, 2017 5:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> This weekend we will onboard probably 50,000 devices for TLS, and for the 
> most part, it is no longer a huge support issue.  The biggest issues are 
> around Android.  Just about every other operating system works very easily 
> (OSX can be a pain, but that revolves around entering a local admin account 
> password multiple times).  So I would say how big of a problem you will have 
> will be impacted, to some degree, by predominant client count.  Android is 
> less than 10% of our wireless user base, but is over half the support calls.  
> When we switched to SecureW2, this got much better, however.

I like android, but it is definitely the worst of the major platforms to 
correctly onboard. Something interesting that is new to the platform is 
"instant apps". This lets you run a full app from a link, without installing 
the app. Onboarding tools are an excellent use case for this.

No more hitting a captive portal to redirect you to the play store, to go back 
to the web page, click a link that opens the apps, blah, blah, blah, forget to 
uninstall the now useless app. (Yes, I know not all the onboarding tools are 
quite that ugly, but they are generally some variant of that). With an instant 
app, you would hit the captive portal, click a link to setup the profile, and 
it would just open the app (which you never had to go to the play store to 
install), and go from there.

So, Ruckus, Aruba, SecureW2, and others, if you are not already looking at 
this, please do. It is only supported on Android 7 (maybe even 7.1) and up, so 
it isn't going to help a lot of people *today*, but it definitely will in the 
future.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




Re: [WIRELESS-LAN] EAP-TLS

2017-08-16 Thread Jonathan Waldrep
> This weekend we will onboard probably 50,000 devices for TLS, and for the
most part, it is no longer a huge support issue.  The biggest issues are
around Android.  Just about every other operating system works very easily
(OSX can be a pain, but that revolves around entering a local admin account
password multiple times).  So I would say how big of a problem you will
have will be impacted, to some degree, by predominant client count.
Android is less than 10% of our wireless user base, but is over half the
support calls.  When we switched to SecureW2, this got much better, however.

I like android, but it is definitely the worst of the major platforms to
correctly onboard. Something interesting that is new to the platform is
"instant apps". This lets you run a full app from a link, without
installing the app. Onboarding tools are an excellent use case for this.

No more hitting a captive portal to redirect you to the play store, to go
back to the web page, click a link that opens the apps, blah, blah, blah,
forget to uninstall the now useless app. (Yes, I know not all the on
boarding tools are quite that ugly, but they are generally some variant of
that). With an instant app, you would hit the captive portal, click a link
to setup the profile, and it would just open the app (which you never had
to go to the play store to install), and go from there.

So, Ruckus, Aruba, SecureW2, and others, if you are not already looking at
this, please do. It is only supported on Android 7 (maybe even 7.1) and up,
so it isn't going to help a lot of people *today*, but it definitely will
in the future.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech




Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Hunter Fuller
These risks have proven easier to swallow for us. When we have trouble, we
blacklist the username. So far, that has been effective.

On Tue, Aug 15, 2017 at 12:59 Jeffrey D. Sessler <j...@scrippscollege.edu>
wrote:

> “Our campus isn't comfortable with an open ESSID without verifying the
> identity of the user, so that's the value of eduroam - identity.”
>
>
>
> How exactly have you verified the identity of the user? Is it blind trust
> that other EDUs verify and manage identity in the same fashion that your
> campus does? A device that shows up with an account that grants access to
> eduroam is not verification of the person’s identity.
>
>
>
> There are EDUs out there that hand out free (and unverified or lightly
> verified) accounts to their local public, parents, guests, and so on with
> no questions asked. The person fills in a basic online form and they are
> granted an account with limited rights – typically including Library and
> WIFi access. How many of those accounts also work on eduroam?
>
>
>
> It could be interesting to look at the global eduroam data to see just how
> often accounts show up in multiple places simultaneously.
>
>
>
> Jeff
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hunter Fuller <
> hf0...@uah.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Tuesday, August 15, 2017 at 7:54 AM
> *To: *"wireless-lan@listserv.educause.edu" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] EAP-TLS
>
>
>
> Our campus isn't comfortable with an open ESSID without verifying the
> identity of the user, so that's the value of eduroam - identity.
>
> --

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Jeffrey D. Sessler
“Our campus isn't comfortable with an open ESSID without verifying the identity 
of the user, so that's the value of eduroam - identity.”

How exactly have you verified the identity of the user? Is it blind trust that 
other EDUs verify and manage identity in the same fashion that your campus 
does? A device that shows up with an account that grants access to eduroam is 
not verification of the person’s identity.

There are EDUs out there that hand out free (and unverified or lightly 
verified) accounts to their local public, parents, guests, and so on with no 
questions asked. The person fills in a basic online form and they are granted 
an account with limited rights – typically including Library and WIFi access. 
How many of those accounts also work on eduroam?

It could be interesting to look at the global eduroam data to see just how 
often accounts show up in multiple places simultaneously.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Hunter Fuller <hf0...@uah.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, August 15, 2017 at 7:54 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

Our campus isn't comfortable with an open ESSID without verifying the identity 
of the user, so that's the value of eduroam - identity.




RE: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Lee H Badman
I know we use it as well... 

Lee Badman | Network Architect 

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Misra, Sapna
Sent: Tuesday, August 15, 2017 11:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Hi Bruce,

I am curious about your statement "We have been a CloudPath Wizard customer for 
years. Since this product has been deprecated, we are evaluating onboarding 
vendors." 
Is Ruckus not going to support it anymore? 

Best,

Sapna Misra | Senior Network Engineer | Information Technology | Vanderbilt 
University Medical Center
sapna.tripa...@vanderbilt.edu | Phone 615-875-8876 



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Monday, August 14, 2017 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have many new 
> users. We are currently doing User auth for MacOS but that requires an 
> initial logon on wired to get the user profile stored locally. I have tried 
> using MacOS Logon profile but I find if a user typoes their password that 
> although they are prompted for a new password, the system still tries to use 
> the old one during that time and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpful

https://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-usi

RE: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Misra, Sapna
Hi Bruce,

I am curious about your statement "We have been a CloudPath Wizard customer for 
years. Since this product has been deprecated, we are evaluating onboarding 
vendors." 
Is Ruckus not going to support it anymore? 

Best,

Sapna Misra | Senior Network Engineer | Information Technology | Vanderbilt 
University Medical Center
sapna.tripa...@vanderbilt.edu | Phone 615-875-8876 



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Monday, August 14, 2017 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have many new 
> users. We are currently doing User auth for MacOS but that requires an 
> initial logon on wired to get the user profile stored locally. I have tried 
> using MacOS Logon profile but I find if a user typoes their password that 
> although they are prompted for a new password, the system still tries to use 
> the old one during that time and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpful

https://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

http://help.apple.com/profilemanager/mac/2.1/#apd07AA-30C6-4FD2-B2E0-E0C95658A2C4





Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset
I just realized that I gave a +1 for EAP-TLS
(and yes, it gives a +1 for Open Networks ;-)

That contaminated laptop might force the remote IDP to block the user account! 
With PEAP, that will also block that user from using a smart phone as a backup 
plan.
With EAP-TLS, the remote IDP could just revoke the certificate of the laptop!

We also see a big + for EAP-TLS at campuses that have strong password renewal 
policies.
Every 6 months or so, after the password change, 802.1X devices will fail, and 
supplicants are terrible at letting users know that the password is the culprit!

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






> On Aug 15, 2017, at 11:38 AM, Philippe Hanset <phan...@anyroam.net> wrote:
> 
> Ian,
> 
> Definitely black list the MAC first, then contact either us (eduroam.us 
> <http://eduroam.us/>) or the local campus (abuse@realm)
> or you could even contact the user directly since the majority of users have 
> their email as an outer identity.
> (assuming that the malware is not preventing the user from checking email 
> …but hopefully their uncontaminated smart phone
> is on eduroam too ;-)
> 
> How does a user from 2000 miles away register on a network that requires a 
> phone number?
> They need an International plan? (costly, but getting cheaper!)
> How do you contact a user from 2000 miles away that is visiting your campus 
> and for whom you have an International number? You place an International 
> call?
> You could send a text (we face that same dilemma with the ANYROAM service) 
> but not all IT  shops have International texting easily accessible.
> 
> We have had a few of those in the past and honestly, there isn’t any perfect 
> solution!
> 
> Philippe
> 
> Philippe Hanset, CEO
> www.anyroam.net <http://www.anyroam.net/>
> www.eduroam.us <http://www.eduroam.us/>
> +1 (865) 236-0770
> 
> GPG key id: 0xF2636F9C
> 
> 
> 
>> On Aug 15, 2017, at 10:57 AM, Ian Lyons <ily...@rollins.edu 
>> <mailto:ily...@rollins.edu>> wrote:
>> 
>> What is the process if  X user (EduRoam) has a lot of malware and is sharing 
>> it on your network.  But home institution is 2000 miles away…
>>  
>> Black list MAC and call it a day?  Notify eduroam?  Home institution?  
>> Geiger-Counter person and tell them?
>>  
>> My guest account requires active phone number for user to get on the network.
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Hunter Fuller
>> Sent: Tuesday, August 15, 2017 10:54 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@listserv.educause.edu>
>> Subject: Re: [WIRELESS-LAN] EAP-TLS
>>  
>> Our campus isn't comfortable with an open ESSID without verifying the 
>> identity of the user, so that's the value of eduroam - identity. 
>>  
>> On Tue, Aug 15, 2017 at 10:47 Jeffrey D. Sessler <j...@scrippscollege.edu 
>> <mailto:j...@scrippscollege.edu>> wrote:
>> Couple of comments:
>> 
>>  
>> 
>> eduroam – using your point of “…most users can access what they want 
>> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
>> Back in the day, this would facilitate quick access for a visiting educator 
>> who may be collaborating with someone locally and needing access to local 
>> resources. Today, in age of cloud-based collaboration platforms and access 
>> from anywhere, how important is eduroam over an open wifi network? With few 
>> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
>> value here, but does add complexity to manage. 
>> Location data – Yeah, this can have some value, but at least here, our 
>> emergency management moved to mobile-based applications that allow the user 
>> to opt-in to being tracked with the addition of panic-button-like services. 
>> I tend to shy away from using location-based services within WiFi where 
>> life-safety is involved. It can be a wonderful tool, until it doesn’t work 
>> that one-time management believes it should. In other words, finding a 
>> missing AV cart is different than a missing person.
>> Jeff
>> 
>>  
>> 
>> On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent Group 
>> Listserv on behalf of Jason Cook" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of 
>> jason.c...@adelaide.edu.au <mailto:jason.c...@adelaide.edu.au>> wrote:
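
Two of the points raised in this thread are things a campus RADIUS or IdP operator can actually check for in their own logs: Jeff's suggestion of looking at the eduroam data for accounts that show up in several places at once, and Philippe's observation that after a password change a user's 802.1X devices keep failing while the supplicant tells the user nothing. The Python below is an added example, not code from the thread or from any vendor mentioned in it. The log line layout, the sample log lines, the MAC addresses and the password-change table are all constructed assumptions for the example, not any product's real export format.

```python
"""Added example (not code from the thread or from any vendor named in it).

Two defender-side checks over RADIUS-style authentication logs:
  1. an account ACCEPTed at more than one visited site within a short window
     (the "accounts showing up in multiple places simultaneously" idea);
  2. a user whose devices all start failing right after a password change,
     which the supplicant never explains to the user.

The log line format is an ASSUMPTION made for this example, not any
product's real export format:
    <ISO-8601 timestamp> <user@realm> <visited-site> <client-mac> <ACCEPT|REJECT>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: not real accounts, sites or MAC addresses.
SAMPLE_LOG = """\
2017-08-15T09:00:00 alice@uni-a.edu site-A aa:bb:cc:00:00:01 ACCEPT
2017-08-15T09:04:00 alice@uni-a.edu site-B aa:bb:cc:00:00:09 ACCEPT
2017-08-15T09:05:00 bob@uni-b.edu   site-A aa:bb:cc:00:00:02 ACCEPT
2017-08-15T09:30:00 carol@uni-c.edu site-C aa:bb:cc:00:00:03 ACCEPT
2017-08-15T09:31:00 carol@uni-c.edu site-C aa:bb:cc:00:00:04 ACCEPT
2017-08-15T12:00:00 bob@uni-b.edu   site-A aa:bb:cc:00:00:02 REJECT
2017-08-15T12:01:00 bob@uni-b.edu   site-A aa:bb:cc:00:00:05 REJECT
2017-08-15T12:02:00 bob@uni-b.edu   site-A aa:bb:cc:00:00:02 REJECT
2017-08-15T12:03:00 bob@uni-b.edu   site-A aa:bb:cc:00:00:05 REJECT
2017-08-15T12:10:00 dave@uni-d.edu  site-A aa:bb:cc:00:00:06 REJECT
"""

# Constructed: when the home institution's IdP recorded each password change.
PASSWORD_CHANGES = {"bob@uni-b.edu": datetime(2017, 8, 15, 11, 55)}


def parse_log(text):
    """Split whitespace-separated log lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, site, mac, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "site": site, "mac": mac, "result": result})
    return records


def concurrent_sites(records, window=timedelta(minutes=10)):
    """Accounts ACCEPTed at two different sites within `window` of each other.

    Returns {user: sorted list of sites}. Two devices at the same site (carol)
    are normal and are not flagged; the window keeps a user who travels
    between campuses over a day from triggering the check.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "ACCEPT":
            by_user[r["user"]].append((r["ts"], r["site"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, s0) in enumerate(events):
            for t1, s1 in events[i + 1:]:
                if t1 - t0 > window:
                    break  # events are sorted, so nothing later is in range
                if s1 != s0:
                    flagged.setdefault(user, set()).update({s0, s1})
    return {u: sorted(s) for u, s in flagged.items()}


def stale_credential_suspects(records, password_changes,
                              min_failures=3, min_devices=2):
    """Users whose password changed and who have only REJECTs since, from
    several devices: the signature of supplicants still sending the old
    password. Returns {user: sorted list of failing MACs}."""
    flagged = {}
    for user, changed_at in password_changes.items():
        since = [r for r in records if r["user"] == user and r["ts"] >= changed_at]
        if any(r["result"] == "ACCEPT" for r in since):
            continue  # at least one device has the new password; not a storm
        rejects = [r for r in since if r["result"] == "REJECT"]
        macs = {r["mac"] for r in rejects}
        if len(rejects) >= min_failures and len(macs) >= min_devices:
            flagged[user] = sorted(macs)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("multi-site accounts:", concurrent_sites(recs))
    print("stale-credential suspects:",
          stale_credential_suspects(recs, PASSWORD_CHANGES))
```

On the sample data the first check flags only alice (site-A and site-B four minutes apart) and not carol, whose two devices are at the same site; the second flags bob, whose two MACs produce nothing but rejects after the 11:55 password change. A home institution running the second check can reach out to the user with the actual cause, which the supplicant will not, and a visited site running the first has a concrete list to hand to the realm's abuse contact rather than a hunch.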

Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset
Ian,

Definitely black list the MAC first, then contact either us (eduroam.us 
<http://eduroam.us/>) or the local campus (abuse@realm)
or you could even contact the user directly since the majority of users have 
their email as an outer identity.
(assuming that the malware is not preventing the user from checking email …but 
hopefully their uncontaminated smart phone
is on eduroam too ;-)

How does a user from 2000 miles away register on a network that requires a 
phone number?
They need an International plan? (costly, but getting cheaper!)
How do you contact a user from 2000 miles away that is visiting your campus and 
for whom you have an International number? You place an International call?
You could send a text (we face that same dilemma with the ANYROAM service) but 
not all IT shops have International texting easily accessible.

We have had a few of those in the past and honestly, there isn’t any perfect 
solution!

Philippe

Philippe Hanset, CEO
www.anyroam.net <http://www.anyroam.net/>
www.eduroam.us <http://www.eduroam.us/>
+1 (865) 236-0770

GPG key id: 0xF2636F9C



> On Aug 15, 2017, at 10:57 AM, Ian Lyons <ily...@rollins.edu> wrote:
> 
> What is the process if  X user (EduRoam) has a lot of malware and is sharing 
> it on your network.  But home institution is 2000 miles away…
>  
> Black list MAC and call it a day?  Notify eduroam?  Home institution?  
> Geiger-Counter person and tell them?
>  
> My guest account requires active phone number for user to get on the network.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Hunter Fuller
> Sent: Tuesday, August 15, 2017 10:54 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@listserv.educause.edu>
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>  
> Our campus isn't comfortable with an open ESSID without verifying the 
> identity of the user, so that's the value of eduroam - identity. 
>  
> On Tue, Aug 15, 2017 at 10:47 Jeffrey D. Sessler <j...@scrippscollege.edu 
> <mailto:j...@scrippscollege.edu>> wrote:
> Couple of comments:
> 
>  
> 
> eduroam – using your point of “…most users can access what they want 
> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
> Back in the day, this would facilitate quick access for a visiting educator 
> who may be collaborating with someone locally and needing access to local 
> resources. Today, in age of cloud-based collaboration platforms and access 
> from anywhere, how important is eduroam over an open wifi network? With few 
> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
> value here, but does add complexity to manage. 
> Location data – Yeah, this can have some value, but at least here, our 
> emergency management moved to mobile-based applications that allow the user 
> to opt-in to being tracked with the addition of panic-button-like services. I 
> tend to shy away from using location-based services within WiFi where 
> life-safety is involved. It can be a wonderful tool, until it doesn’t work 
> that one-time management believes it should. In other words, finding a 
> missing AV cart is different than a missing person.
> Jeff
> 
>  
> 
> On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Jason Cook" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of 
> jason.c...@adelaide.edu.au <mailto:jason.c...@adelaide.edu.au>> wrote:
> 
>  
> 
> This is a good topic, we are slowly moving towards a preferred EAP-TLS 
> from PEAP-MSCHAPv2 but not current date to force and perhaps never. The points 
> made about why do we bother at all though are pretty relevant, most users can 
> access what they want off-campus from whatever network they want, and VPN for 
> more restricted access. So a properly segmented internal network providing 
> appropriate access would be fine. *PSK/ open networks are theoretically ok.
> 
> 
> 
> At this point we are still confident that dot1x based auth is still the 
> best way to go for users accessing our wifi, though this discussion has 
> certainly opened my eyes a lot.
> 
> 
> 
> 
> 
> There's a couple of other reasons though why dot1x (which ever method) 
> does have advantages to us. This may not be relevant to all, and there maybe 
> better/other ways.
> 
> 
> 
> eduroam will break down via other methods, so you'll still need to manage 
> a dot1x service no matter what. Then you have still have calls to SD because 
> the service is now different when you want to use 

Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Philippe Hanset

> On Aug 15, 2017, at 10:47 AM, Jeffrey D. Sessler  
> wrote:
> 
> Couple of comments:
>  
> eduroam – using your point of “…most users can access what they want 
> off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. 
> Back in the day, this would facilitate quick access for a visiting educator 
> who may be collaborating with someone locally and needing access to local 
> resources. Today, in age of cloud-based collaboration platforms and access 
> from anywhere, how important is eduroam over an open wifi network? With few 
> exceptions, all the visitor needs is Internet access. eduroam doesn’t add 
> value here, but does add complexity to manage.


I will not argue against Open WiFi networks… I miss them big time!
(and I’m not talking about those pesky ones that make you watch an 
advertisement and/or shut off after 30 minutes)

eduroam was created in Europe because many states have non-competitive 
requirements for Internet Access.
A state provided resource cannot always be shared with the general public in 
many countries, and eduroam is an acceptable solution to their regulators.
If I remember well some states in the US (or even Local Gov) have similar 
requirements.

With the other various legal requirements that we face in the US (DMCA, CALEA, 
…) it seems that eduroam answers at least a few of them
and allows schools to give instant access to visiting Faculty/Staff/Students 
without having to bug those users for local sponsored accounts.

Which CIO will let you have an Open WiFi today? 
For a campus in a rural environment, why not. For a campus in a populated city, 
you better hone your bandwidth contract skills,
and the user experience will most likely suffer. 

Rural or not, I still would like an eduroam flag on the map for Antarctica ;-)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C












Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Michael Davis
Blacklist MAC, Notify Eduroam to inform home institution, inform local 
Help Desk in case they

get a call.  Works for DMCA letters too.


On 8/15/17 10:57 AM, Ian Lyons wrote:


What is the process if  X user (EduRoam) has a lot of malware and is 
sharing it on your network.  But home institution is 2000 miles away…


Black list MAC and call it a day?  Notify eduroam?  Home institution?  
Geiger-Counter person and tell them?


My guest account requires active phone number for user to get on the 
network.


*From:*The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller

*Sent:* Tuesday, August 15, 2017 10:54 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] EAP-TLS

Our campus isn't comfortable with an open ESSID without verifying the 
identity of the user, so that's the value of eduroam - identity.


On Tue, Aug 15, 2017 at 10:47 Jeffrey D. Sessler 
<j...@scrippscollege.edu <mailto:j...@scrippscollege.edu>> wrote:


Couple of comments:

  * eduroam – using your point of “…most users can access what
they want off-campus…”, what long-term value is there to
eduroam? IMHO – not a lot. Back in the day, this would
facilitate quick access for a visiting educator who may be
collaborating with someone locally and needing access to local
resources. Today, in age of cloud-based collaboration
platforms and access from anywhere, how important is eduroam
over an open wifi network? With few exceptions, all the
visitor needs is Internet access. eduroam doesn’t add value
here, but does add complexity to manage.
  * Location data – Yeah, this can have some value, but at least
here, our emergency management moved to mobile-based
applications that allow the user to opt-in to being tracked
with the addition of panic-button-like services. I tend to shy
away from using location-based services within WiFi where
life-safety is involved. It can be a wonderful tool, until it
doesn’t work that one-time management believes it should. In
other words, finding a missing AV cart is different than a
missing person.

Jeff

On 8/14/17, 7:23 PM, "The EDUCAUSE Wireless Issues Constituent
Group Listserv on behalf of Jason Cook"
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of
jason.c...@adelaide.edu.au <mailto:jason.c...@adelaide.edu.au>> wrote:

This is a good topic, we are slowly moving towards a preferred
EAP-TLS from PEAP-MSCHAPv2 but not current date to force and
perhaps never. The points made about why do we bother at all
though are pretty relevant, most users can access what they want
off-campus from whatever network they want, and VPN for more
restricted access. So a properly segmented internal network
providing appropriate access would be fine. *PSK/ open networks
are theoretically ok.

At this point we are still confident that dot1x based auth is
still the best way to go for users accessing our wifi, though this
discussion has certainly opened my eyes a lot.

There's a couple of other reasons though why dot1x (which ever
method) does have advantages to us. This may not be relevant to
all, and there maybe better/other ways.

eduroam will break down via other methods, so you'll still
need to manage a dot1x service no matter what. Then you have still
have calls to SD because the service is now different when you
want to use it, requires special setup that's different to
on-campus. We've had Cloudpath a while, originally for PEAP config
and now TLS. We do roll with a main SSID so our onboarding will
configure our network  UofA and eduroam and users will just work
wherever they go once done.

Occasionally for security reasons we use location data to
track missing people. This is possible without auth to network
data but it's better having that auth data. Same goes for
identifying users acting inappropriately online. User ID to IP
mapping is also fed into our firewall for web filtering exceptions
(including group and personal)

Originally we went with Cloudpath to help users get configured
easier which worked well (though this is less of requirement with
auto-configs now pretty good), as well as properly since
auto-config on OS's doesn't get the certificate right (so it
ensures proper config). Configuring eduroam at the same time for
windows was problematic however with PEAP (can't remember other
OS's). As it would only save 1 SSID User info properly, so the
second SSID it wouldn't save user ID and users would get prompted
and not add the @adelaide.edu.au <http://adelaide.edu.au> .. TLS
resolves that little wi

RE: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Ian Lyons
What is the process if user X (eduroam) has a lot of malware and is sharing it 
on your network, but the home institution is 2000 miles away…

Blacklist the MAC and call it a day? Notify eduroam? The home institution? 
Geiger-Counter person and tell them?

My guest account requires an active phone number for the user to get on the 
network.


Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Hunter Fuller
Our campus isn't comfortable with an open ESSID without verifying the
identity of the user, so that's the value of eduroam - identity.


Re: [WIRELESS-LAN] EAP-TLS

2017-08-15 Thread Jeffrey D. Sessler
Couple of comments:



  *   eduroam – using your point of “…most users can access what they want 
off-campus…”, what long-term value is there to eduroam? IMHO – not a lot. Back 
in the day, this would facilitate quick access for a visiting educator who may 
be collaborating with someone locally and needing access to local resources. 
Today, in the age of cloud-based collaboration platforms and access from 
anywhere, how important is eduroam over an open wifi network? With few 
exceptions, all the visitor needs is Internet access. eduroam doesn’t add value 
here, but does add complexity to manage.
  *   Location data – Yeah, this can have some value, but at least here, our 
emergency management moved to mobile-based applications that allow the user to 
opt in to being tracked, with the addition of panic-button-like services. I 
tend to shy away from using location-based services within WiFi where 
life-safety is involved. It can be a wonderful tool, until it doesn’t work that 
one time management believes it should. In other words, finding a missing AV 
cart is different than a missing person.

Jeff




RE: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Jason Cook
This is a good topic; we are slowly moving towards a preferred EAP-TLS from 
PEAP-MSCHAPv2, but with no current date to force it, and perhaps never. The 
points made about why we bother at all are pretty relevant, though: most users 
can access what they want off-campus from whatever network they want, and VPN 
for more restricted access. So a properly segmented internal network providing 
appropriate access would be fine. *PSK/open networks are theoretically OK.

At this point we are still confident that dot1x-based auth is the best way to 
go for users accessing our wifi, though this discussion has certainly opened 
my eyes a lot.


There are a couple of other reasons, though, why dot1x (whichever method) does 
have advantages for us. This may not be relevant to all, and there may be 
better/other ways.

eduroam will break down via other methods, so you'll still need to manage a 
dot1x service no matter what. Then you still have calls to the SD because the 
service is now different when you want to use it, and requires special setup 
that's different from on-campus. We've had Cloudpath a while, originally for 
PEAP config and now TLS. We do roll with a main SSID, so our onboarding will 
configure our network, UofA, and eduroam, and users will just work wherever 
they go once done.

Occasionally, for security reasons, we use location data to track missing 
people. This is possible without auth data on the network, but it's better 
having that auth data. The same goes for identifying users acting 
inappropriately online. User ID to IP mapping is also fed into our firewall 
for web filtering exceptions (including group and personal).

Originally we went with Cloudpath to help users get configured more easily, 
which worked well (though this is less of a requirement now that auto-configs 
are pretty good), as well as properly, since auto-config on OSes doesn't get 
the certificate right (so it ensures proper config). Configuring eduroam at 
the same time for Windows was problematic, however, with PEAP (can't remember 
other OSes), as it would only save one SSID's user info properly; for the 
second SSID it wouldn't save the user ID, and users would get prompted and not 
add the @adelaide.edu.au. TLS resolves that little Windows issue.

So for us that's one additional positive for EAP-TLS over PEAP, but overall 
user auth has its value.



--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800


Re: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Curtis K. Larsen
I'm not sure the two have to be mutually exclusive. You could let people 
connect initially with PEAP and then redirect them to complete the TLS 
onboarding process. Obviously they could still lose their password, but it 
would be exposed for a shorter time period and they'd likely not have to 
re-provision for a year or two. I guess you could also do this with iPSK, PPSK 
or DPSK and not expose the password at all.

Thanks,

--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS





-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Monday, August 14, 2017 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts.


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS




Re: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Jeffrey D. Sessler
Exactly, Lee.

TLS requires a change in user behavior, and a change they are unlikely to 
experience in any other setting. It sets up really interesting customer support 
issues when, for example, one’s President/Provost, etc. has a guest show up 
after hours and they have no comprehension of a WiFi experience past the one at 
home or Starbucks. 

I’ll add that with the drive toward SaaS and applications now living in the 
cloud and accessible from anywhere, the whole concept of onboarding is another 
of those “why do we make it so difficult in EDU” questions. Let everyone join, 
don’t use the network as a determining factor for access, and focus the 
time/money on items that advance/enhance the academic mission.

Jeff 




RE: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Lee H Badman
One interesting trade-off: if I have good AD credentials and pop up a new Mac 
or Windows machine without any kind of onboarding in play, I will get on the 
network quickly one way or the other with PEAP/MS-CHAPv2. Maybe I'm prompted 
to accept the server, but I'll get on. This is good and bad. I got on, but not 
the way that the Security and Network folks might have wanted me to get on, 
because the cert stuff is optional with PEAP/MS-CHAPv2 on non-AD machines that 
you don't control. That's arguably bad.

But... I got on. And I got authentication and encryption, without IT 
intervention. From the user perspective, this is good. I didn't have to 
onboard, I didn't need IT help. I wasn't stranded if I didn't understand what 
the onboarding SSID is all about, etc.

With TLS, you get properly onboarded, or you're sucking wind until you do. But 
once you do, TLS's advantages kick in as described in this thread. But that 
"easy on" thing is gone... no matter how simple you make TLS onboarding, it 
still requires end users to comprehend it. So, to me, part of going to TLS is 
with the understanding that occasionally someone will be stranded by their own 
lack of understanding of the process, that somebody may be someone important 
and/or vocal, the stranding will occur at the worst time of day and in the 
worst circumstance in accordance with Murphy's Law, and there will be some 
increase in related trouble calls. 

None of this negates TLS' value, but at the same time you have to go into it 
with your eyes open to the perspective of the BYOD crowd on campus versus what 
they are currently accustomed to.

One man's o-pinion.

-Lee

Lee Badman | Network Architect 

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Curtis, Bruce 
<bruce.cur...@ndsu.edu>
Sent: Monday, August 14, 2017 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <j...@buffalo.edu> wrote:
>
> To ALL:
>
>
>
>
>
>I am going to amend my initial request to "does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below"? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven't seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
>
>
> Lee,
>
>
>
>I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
>
>
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
>
>
>
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each device will have it

Re: [WIRELESS-LAN] EAP-TLS

2017-08-14 Thread Curtis K. Larsen
Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts. 


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Curtis, Bruce 
<bruce.cur...@ndsu.edu>
Sent: Monday, August 14, 2017 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry <j...@buffalo.edu> wrote:
>
> To ALL:
>
>
>
>
>
>I am going to amend my initial request to “does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below”? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven’t seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
>
>
> Lee,
>
>
>
>I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
>
>
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
>
>
>
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each device will have its own cert. 
> So we can blacklist one device and let the rest still on.  We could do those 
> things today but it is just a little harder to do with eap-peap.   We can 
> also get users out of storing their usernames and passwords, because everyone 
> does it with eap-peap. The thought process went, if you are going to run an 
> on-board process anyway, why not onboard with eap-tls.  On the wireless side 
> that is really all I have.  I have always been told it is more secure so have 
> always thought I should try and get there.
>
>
>
> Now, we are also moving to wired authentication on every port.   We are 
> supporting both mac auth and 802.1x (eap-peap).  We did this to get the 
> project moving and get all ports to some type of authentication.  Now 802.1x 
> on the wired side is just plain difficult.  Nothing except macs are set up for 
> it out of the box.   You need admin rights on the machine to set it up (which 
> many people on the wired side don’t have) and you almost have to run through 
> some type of onboard process to do it en masse.   You have to deal with stuff 
> like network logons and mounting drives before authentication. We also don’t 
> want the users storing usernames and passwords and everyone will because no 
> one wants to type it in every time.   I am back to the if you are going to 
> run through an onboard process anyway, will certs make it a little easier.   
> It gives you the username/password separation.   The ability to revoke per 
> device, and once onboarded, never have to be bothered again (until the cert 
> expires).
>
>
>
> I am not really concerned about peap being deprecated, it will be around 
> forever.   I am not really concerned about usernames and passwords being 
> stolen because of eap-peap, there are so many easier ways to do that.  I 
> guess it is really the username/password separation and the “thought” that it 
> is the most secure method.
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Thursday, August 10, 2
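Curtis's point above (authorizing on a certificate attribute instead of an LDAP group lookup), Bruce's (no directory dependency at login time) and Jerry's (one cert per device, so a single device can be revoked) in working code, as an added example that is not from any poster and not from ClearPass or SecureW2. The throwaway CA, the OU-as-role convention and the serial-keyed revocation list are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DevicePolicy is the authorization state a RADIUS server keeps for EAP-TLS: issuing CA, OU values
// that map to a role, revoked device serials. All local: no LDAP/AD round trip per authentication.
type DevicePolicy struct {
	Roots         *x509.CertPool
	AllowedOUs    map[string]bool // OU attribute -> permitted
	RevokedSerial map[string]bool // hex serial -> revoked
}

// NewPolicy trusts one issuing CA and the given OU role names.
func NewPolicy(ca *x509.Certificate, allowedOUs ...string) *DevicePolicy {
	p := &DevicePolicy{Roots: x509.NewCertPool(), AllowedOUs: map[string]bool{}, RevokedSerial: map[string]bool{}}
	p.Roots.AddCert(ca)
	for _, ou := range allowedOUs {
		p.AllowedOUs[ou] = true
	}
	return p
}

// Revoke blocks exactly one device by its own certificate serial; the user's other devices keep working.
func (p *DevicePolicy) Revoke(c *x509.Certificate) { p.RevokedSerial[c.SerialNumber.Text(16)] = true }

// Authorize validates the chain (issuer, validity window, client-auth EKU), refuses revoked
// devices, then reads the role from the OU attribute in place of an LDAP group lookup.
func (p *DevicePolicy) Authorize(leaf *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       p.Roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if p.RevokedSerial[leaf.SerialNumber.Text(16)] {
		return "", fmt.Errorf("device %q revoked", leaf.Subject.CommonName)
	}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if p.AllowedOUs[ou] {
			return ou, nil
		}
	}
	return "", fmt.Errorf("no authorized OU in %q", leaf.Subject.String())
}

// newCert signs tmpl with parentKey; nil parent means self-signed. Constructed throwaway keys, not a real PKI.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds the example issuing CA with a two-year lifetime.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus Device CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueDevice is the onboarding step: one certificate per device, role in the OU, bounded lifetime.
func IssueDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, device, ou string, notAfter time.Time) (*x509.Certificate, error) {
	cert, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: device, OrganizationalUnit: []string{ou}},
		NotBefore: ca.NotBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

func main() {
	now := time.Now()
	ca, caKey, _ := NewCA(now)
	policy := NewPolicy(ca, "staff", "student")
	laptop, _ := IssueDevice(ca, caKey, 1001, "laptop-42", "staff", now.Add(365*24*time.Hour))
	phone, _ := IssueDevice(ca, caKey, 1002, "phone-42", "staff", now.Add(365*24*time.Hour))
	policy.Revoke(phone) // lost phone: only this device is blocked, the laptop still authenticates
	fmt.Println(policy.Authorize(laptop, now))
	fmt.Println(policy.Authorize(phone, now))
}
```

In a real deployment the revocation state would come from a CRL, OCSP or the RADIUS server's own device database; the point is that nothing on the authentication path waits on the directory.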

RE: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Lee H Badman
Well said, Jeff. We (as probably a lot of other schools as well) struggle with 
security versus ease of use/overhead, and one question that often gets 
forgotten about is: what are we really gaining here- like really? The answer 
will vary across schools, but it’s an important question.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, August 11, 2017 10:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

I would do a cost/benefit/risk assessment. IMHO, some of the claimed benefits 
to EAP-TLS over EAP-PEAP may not hold up under objective analysis especially 
when you factor in the added cost to implement/maintain vs the actual risk (or 
perceived benefit).

Just off the top of my head:
Use of credentials vs certificate per device.
· How often have a user’s credentials been harvested because they are 
stored for WiFi access?
· How often do you disable a single device vs disabling all devices?
· With credentials, there is but one tick to disable everything vs 
having to manage/disable all certificate-based devices for an individual. How 
much staff time is involved in managing each?
· What’s the cost for the EAP-TLS management platform per year? Is it 
justified i.e. does it enhance the academic mission in any significant way or 
just give IT another tool to manage? What is the impact to the end-users i.e. 
are they happier on EAP-TLS or consider it an annoyance?
· Have you observed in-the-wild exploits of your EAP-PEAP 
implementation that would justify the move to EAP-TLS? What’s the cost of 
mitigation vs falling back on your cyber liability insurance?
· If you are really worried about the link of account credentials (keys 
to castle) and WiFi admission, why not issue two accounts to users? One that 
only works for WiFi and another for everything else.

We’re an EAP-PEAP shop (for now), and I’m focusing/leaning toward the PPSK-type 
solutions. Users want the Starbucks experience and I’m confounded as to why we 
(EDU) (myself included) are hell-bent on making it so difficult, and/or, 
insisting on maximum security/safety for the small percentage of time these 
devices are connected to our networks.

Jeff




From: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Bucklaew, Jerry" <j...@buffalo.edu<mailto:j...@buffalo.edu>>
Reply-To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, August 11, 2017 at 5:45 AM
To: 
"wireless-lan@listserv.educause.edu<mailto:wireless-lan@listserv.educause.edu>" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] EAP-TLS

To ALL:


   I am going to amend my initial request to “does anyone have any other 
reasons to switch to eap-tls besides the ones I list below”? I am trying to 
build a case for switching and want to gather all the benefits.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest still on.  We could do those things 
today but it is just a little ha

Re: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Jeffrey D. Sessler
I would do a cost/benefit/risk assessment. IMHO, some of the claimed benefits 
to EAP-TLS over EAP-PEAP may not hold up under objective analysis especially 
when you factor in the added cost to implement/maintain vs the actual risk (or 
perceived benefit).

Just off the top of my head:
Use of credentials vs certificate per device.

  *   How often have a user’s credentials been harvested because they are 
stored for WiFi access?
  *   How often do you disable a single device vs disabling all devices?
  *   With credentials, there is but one tick to disable everything vs having 
to manage/disable all certificate-based devices for an individual. How much 
staff time is involved in managing each?
  *   What’s the cost for the EAP-TLS management platform per year? Is it 
justified i.e. does it enhance the academic mission in any significant way or 
just give IT another tool to manage? What is the impact to the end-users i.e. 
are they happier on EAP-TLS or consider it an annoyance?
  *   Have you observed in-the-wild exploits of your EAP-PEAP implementation 
that would justify the move to EAP-TLS? What’s the cost of mitigation vs 
falling back on your cyber liability insurance?
  *   If you are really worried about the link of account credentials (keys to 
castle) and WiFi admission, why not issue two accounts to users? One that only 
works for WiFi and another for everything else.

We’re an EAP-PEAP shop (for now), and I’m focusing/leaning toward the PPSK-type 
solutions. Users want the Starbucks experience and I’m confounded as to why we 
(EDU) (myself included) are hell-bent on making it so difficult, and/or, 
insisting on maximum security/safety for the small percentage of time these 
devices are connected to our networks.

Jeff




From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Bucklaew, Jerry" <j...@buffalo.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 11, 2017 at 5:45 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

To ALL:


   I am going to amend my initial request to “does anyone have any other 
reasons to switch to eap-tls besides the ones I list below”? I am trying to 
build a case for switching and want to gather all the benefits.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest still on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an on-board 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except macs are set up for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don’t have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don’t want 
the users storing usernames and passwords and everyone will because no one wants 
to type it in every time.   I am back to the if you are going to run through an 
onbo

RE: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Chuck Enfield
Sorry if somebody already replied with those.  I haven't been following
the thread, but when Bruce and Lee both make approving comments in
response to a post I take notice.

 

From: Chuck Enfield [mailto:chu...@psu.edu] 
Sent: Friday, August 11, 2017 8:52 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: RE: [WIRELESS-LAN] EAP-TLS

 

For certain types of devices (lab and loaner laptops, for example) there
is support value in having network connectivity without the need for a
user to log on.

 

EAP-TLS is the only enterprise auth method supported for some IoT devices.
We have quite a few door locks in this category.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Friday, August 11, 2017 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

To ALL:

 

 

   I am going to amend my initial request to "does anyone have any other
reasons to switch to eap-tls besides the ones I list below"? I am trying
to build a case for switching and want to gather all the benefits.

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

Lee, 

 

   I want to state first that I am not, by any means, an expert on all of
the authentication standards and protocols.  I was hoping someone would
have a document that would help better articulate the goals and benefits. 

 

We have been an eap-peap shop for years and I have always been told that
eap-tls (cert based authentication) is more secure and you should do that.
I never had the time to deal with it and putting up a cert based
infrastructure just seemed daunting.   I finally have some time and have
started to play with it.  We are an Aruba shop and the clearpass Onboard
system seems pretty simple to implement and get EAP-TLS working.

 

Now to the why.   It seems that the ability to separate username/password
from network authentication has some benefits.   If a user changes his
username/password it no longer affects his network connectivity.  If we
want to blacklist a device it will be easy as each device will have its
own cert. So we can blacklist one device and let the rest still on.  We
could do those things today but it is just a little harder to do with
eap-peap.   We can also get users out of storing their usernames and
passwords, because everyone does it with eap-peap. The thought process
went, if you are going to run an on-board process anyway, why not onboard
with eap-tls.  On the wireless side that is really all I have.  I have
always been told it is more secure so have always thought I should try and
get there.

 

Now, we are also moving to wired authentication on every port.   We are
supporting both mac auth and 802.1x (eap-peap).  We did this to get the
project moving and get all ports to some type of authentication.  Now
802.1x on the wired side is just plain difficult.  Nothing except macs are
set up for it out of the box.   You need admin rights on the machine to set
it up (which many people on the wired side don't have) and you almost have
to run through some type of onboard process to do it en masse.   You have
to deal with stuff like network logons and mounting drives before
authentication. We also don't want the users storing usernames and
passwords and everyone will because no one wants to type it in every time.
I am back to the if you are going to run through an onboard process
anyway, will certs make it a little easier.   It gives you the
username/password separation.   The ability to revoke per device, and once
onboarded, never have to be bothered again (until the cert expires).

 

I am not really concerned about peap being deprecated, it will be around
forever.   I am not really concerned about usernames and passwords being
stolen because of eap-peap, there are so many easier ways to do that.  I
guess it is really the username/password separation and the "thought" that
it is the most secure method. 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's better".
Concern for PEAP being deprecated, etc?

Lee

-Original Message- 
From: Bucklaew, Jerry [j...@buffalo.edu]
Received: Thursday, 10 Aug 2017, 14:42
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIREL

RE: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Chuck Enfield
For certain types of devices (lab and loaner laptops, for example) there
is support value in having network connectivity without the need for a
user to log on.

 

EAP-TLS is the only enterprise auth method supported for some IoT devices.
We have quite a few door locks in this category.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Friday, August 11, 2017 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

To ALL:

 

 

   I am going to amend my initial request to "does anyone have any other
reasons to switch to eap-tls besides the ones I list below"? I am trying
to build a case for switching and want to gather all the benefits.

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

Lee, 

 

   I want to state first that I am not, by any means, an expert on all of
the authentication standards and protocols.  I was hoping someone would
have a document that would help better articulate the goals and benefits. 

 

We have been an eap-peap shop for years and I have always been told that
eap-tls (cert based authentication) is more secure and you should do that.
I never had the time to deal with it and putting up a cert based
infrastructure just seemed daunting.   I finally have some time and have
started to play with it.  We are an Aruba shop and the clearpass Onboard
system seems pretty simple to implement and get EAP-TLS working.

 

Now to the why.   It seems that the ability to separate username/password
from network authentication has some benefits.   If a user changes his
username/password it no longer affects his network connectivity.  If we
want to blacklist a device it will be easy as each device will have its
own cert. So we can blacklist one device and let the rest still on.  We
could do those things today but it is just a little harder to do with
eap-peap.   We can also get users out of storing their usernames and
passwords, because everyone does it with eap-peap. The thought process
went, if you are going to run an on-board process anyway, why not onboard
with eap-tls.  On the wireless side that is really all I have.  I have
always been told it is more secure so have always thought I should try and
get there.

 

Now, we are also moving to wired authentication on every port.   We are
supporting both mac auth and 802.1x (eap-peap).  We did this to get the
project moving and get all ports to some type of authentication.  Now
802.1x on the wired side is just plain difficult.  Nothing except macs are
set up for it out of the box.   You need admin rights on the machine to set
it up (which many people on the wired side don't have) and you almost have
to run through some type of onboard process to do it en masse.   You have
to deal with stuff like network logons and mounting drives before
authentication. We also don't want the users storing usernames and
passwords and everyone will because no one wants to type it in every time.
I am back to the if you are going to run through an onboard process
anyway, will certs make it a little easier.   It gives you the
username/password separation.   The ability to revoke per device, and once
onboarded, never have to be bothered again (until the cert expires).

 

I am not really concerned about peap being deprecated, it will be around
forever.   I am not really concerned about usernames and passwords being
stolen because of eap-peap, there are so many easier ways to do that.  I
guess it is really the username/password separation and the "thought" that
it is the most secure method. 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
Subject: Re: [WIRELESS-LAN] EAP-TLS

 

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's better".
Concern for PEAP being deprecated, etc?

Lee

-Original Message- 
From: Bucklaew, Jerry [j...@buffalo.edu]
Received: Thursday, 10 Aug 2017, 14:42
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] EAP-TLS

To ALL:

 

 

  We currently do mac auth and EAP-PEAP authentication on our wireless
network.  I am trying to put together a proposal to move to cert based
authentication and I was wondering if anyone has a proposal or
justification already written as to why you should move to cert based
auth?  Just trying to save myself some typing.

** Participation and subscription

RE: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Bucklaew, Jerry
To ALL:


   I am going to amend my initial request to "does anyone have any other 
reasons to switch to eap-tls besides the ones I list below"? I am trying to 
build a case for switching and want to gather all the benefits.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest still on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an on-board 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except macs are set up for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don't have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don't want 
the users storing usernames and passwords and everyone will because no one wants 
to type it in every time.   I am back to the if you are going to run through an 
onboard process anyway, will certs make it a little easier.   It gives you the 
username/password separation.   The ability to revoke per device, and once 
onboarded, never have to be bothered again (until the cert expires).

I am not really concerned about peap being deprecated, it will be around 
forever.   I am not really concerned about usernames and passwords being stolen 
because of eap-peap, there are so many easier ways to do that.  I guess it is 
really the username/password separation and the "thought" that it is the most 
secure method.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-TLS

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's better". Concern 
for PEAP being deprecated, etc?

Lee

-Original Message-
From: Bucklaew, Jerry [j...@buffalo.edu]
Received: Thursday, 10 Aug 2017, 14:42
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] EAP-TLS
To ALL:


  We currently do mac auth and EAP-PEAP authentication on our wireless network. 
 I am trying to put together a proposal to move to cert based authentication 
and I was wondering if anyone has a proposal or justification already written 
as to why you should move to cert based auth?  Just trying to save myself some 
typing.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] EAP-TLS

2017-08-11 Thread Lee H Badman
Great input, thanks!

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


RE: [WIRELESS-LAN] EAP-TLS

2017-08-10 Thread Bucklaew, Jerry
Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest stay on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an on-board 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except macs are setup for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don't have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don't want 
the users storing usernames and passwords, and everyone will because no one wants 
to type it in every time.   I am back to: if you are going to run through an 
onboard process anyway, will certs make it a little easier?   It gives you the 
username/password separation.   The ability to revoke per device, and once 
onboarded, never have to be bothered again (until the cert expires).

I am not really concerned about peap being deprecated, it will be around 
forever.   I am not really concerned about usernames and passwords being stolen 
because of eap-peap, there are so many easier ways to do that.  I guess it is 
really the username/password separation and the "thought" that it is the most 
secure method.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's better". Concern 
for PEAP being deprecated, etc?

Lee




Re: [WIRELESS-LAN] EAP-TLS

2017-08-10 Thread Sweetser, Frank E
The folks at Cloudpath (pre Ruckus/Brocade/Broadcom/Arris) did some good tech 
field day videos where they talk about why they like to push TLS over PEAP:


http://techfieldday.com/companies/cloudpath-networks/


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken






RE: [WIRELESS-LAN] EAP-TLS

2017-08-10 Thread Bucklaew, Jerry
To ALL:


  We currently do mac auth and EAP-PEAP authentication on our wireless network. 
 I am trying to put together a proposal to move to cert based authentication 
and I was wondering if anyone has a proposal or justification already written 
as to why you should move to cert based auth?  Just trying to save myself some 
typing.




Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-10-01 Thread Kevin McCormick

This was the exact problem.

We unrevoked the Radius certificate, but Windows 8/8.1/10 devices we 
were testing with still were failing.


We then replaced the Radius certificate and Windows 8/8.1/10 devices we 
were testing with began to work.


I suspect those devices were caching that the cert was revoked and not 
rechecking, although I thought I cleared all those caches out.


Thanks for the help Tobias.

Kevin McCormick
uTech Network Services
Western Illinois University


Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Kevin McCormick

I think you got us on to something.

I checked the cert and got Leaf certificate is REVOKED (Reason=9).

Looks like this may be the source of our issue.

I'll keep you informed.

Kevin McCormick
uTech Network Services
Western Illinois University






RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Heaton, Tobias
Kevin,

We recently encountered a similar situation where Windows 8/8.1/10 devices were 
onboarding fine and some days later failing to authenticate and unable to 
re-onboard.

Turns out the Radius certificate (also self-signed root & intermediate) was 
revoked and there was no clear indication of this in the Radius configuration, 
and Windows devices were silently failing. I eventually found and unrevoked the 
Radius certificate and the devices associated with no issue.

Apparently Windows 8+ devices are much more particular about revocation status 
versus other operating systems that simply ensure valid certificate dates. 
Cloudpath did add a feature request to add revocation status to the Radius 
configuration pane in the Enrollment System.

Tobias Heaton
Network Operations
University of New Hampshire


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

Clients on Windows 8 and 10 fail onboarding. Macs, Windows 7, iOS, and 
Androids do not seem to have any issues.

The radius server is issuing the certificates and the Windows 8 and 10 
appear to be saying that the radius server is reporting the certificates 
revoked.

We can export the certs from the Windows 8 or 10 machine, and then check 
the certs on Windows 7 using the command 'certutil -f -urlfetch -verify 
cert_name.cer' and the radius server is reporting the certs are fine.

We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University


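Added example, not taken from any message in this thread: a disposable lab CA built with the openssl command line that exercises the two points the list has been circling. Jerry's argument for EAP-TLS earlier on the page is that each device carries its own certificate, so one device can be revoked without touching the user's password or the other devices; the 2015 messages show the flip side, a RADIUS server certificate that had been revoked and was then rejected only by the clients that actually consult revocation status. The script issues one server certificate and two device certificates from a single-tier CA (the setup in the thread had a root plus an intermediate), revokes one device and the server certificate, publishes a CRL, and verifies each certificate twice: once checking only the chain and validity dates, and once with the CRL consulted. The CA name, host name, device names, directory layout and revocation reason are all invented for the example, and it assumes an OpenSSL 1.1.1 or newer command line is installed.

```shell
#!/bin/sh
# Added example, not from the list thread: a disposable lab CA that issues
# per-device EAP-TLS client certs plus a RADIUS server cert, revokes some,
# and shows how a date-only check and a CRL-aware check disagree.
# Every name below (CA, host, device) is invented for the example.
set -eu
LAB=$(mktemp -d)
cd "$LAB"
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# Minimal openssl.cnf for 'openssl ca': one CA and two leaf profiles.
cat > lab.cnf <<'EOF'
[ ca ]
default_ca       = lab
[ lab ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ radius_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ device ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root (single tier here; the thread's setup had root + intermediate).
openssl req -config lab.cnf -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Lab Wireless Root CA" -keyout ca/ca.key -out ca/ca.crt 2>/dev/null

# issue NAME PROFILE: fresh key pair, CSR, and a CA-signed cert written to NAME.crt
issue() {
  openssl req -config lab.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config lab.cnf -batch -notext -extensions "$2" \
    -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue radius.lab.example radius_server
issue laptop-a device   # one cert per device, independent of the user's password
issue laptop-b device

# Revoke laptop-a (say, reported stolen) and, as happened in the thread, the
# RADIUS server cert itself; then publish the CRL.
openssl ca -config lab.cnf -revoke laptop-a.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config lab.cnf -revoke radius.lab.example.crt 2>/dev/null
openssl ca -config lab.cnf -gencrl -out ca/ca.crl 2>/dev/null

# verify_dates_only CERT: chain and validity period only, like a client that
# never looks at revocation status. Exit status 0 = accepted.
verify_dates_only() { openssl verify -CAfile ca/ca.crt "$1" >/dev/null 2>&1; }

# verify_with_crl CERT: the same chain check, but the CRL is consulted as well.
verify_with_crl() {
  openssl verify -CAfile ca/ca.crt -CRLfile ca/ca.crl -crl_check "$1" >/dev/null 2>&1
}

# report LABEL CERT: print both verdicts on one line.
report() {
  if verify_dates_only "$2"; then d=OK; else d=FAIL; fi
  if verify_with_crl "$2"; then c=OK; else c=FAIL; fi
  echo "$1: dates-only=$d crl-check=$c"
}
report "laptop-a (revoked)" laptop-a.crt
report "laptop-b" laptop-b.crt
report "radius.lab.example (revoked)" radius.lab.example.crt
```

Running it prints one line per certificate: laptop-b passes both checks, while laptop-a and the RADIUS certificate pass the dates-only check and fail as soon as the CRL is consulted. That is the gap between the clients Tobias describes as checking validity dates only and the Windows 8+ clients that rejected the revoked RADIUS certificate, and it is also why revoking laptop-a leaves laptop-b (and the user's password) untouched. The Windows-side counterpart of the CRL-checking run is the certutil -f -urlfetch -verify command Kevin used, which fetches the CRL from the distribution point named in the certificate; the lab certificates carry no such URL, so the CRL is handed to openssl by file instead.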

RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Turner, Ryan H
Let me see if I can clear things up...

Your clients were successfully onboarded, and when the clients connect, they 
are reporting that the radius server certificates being sent are revoked?  Or 
are you saying that your clients are reporting that the radius servers are 
saying the client certificates are revoked? 

If I read the error, it would indicate to me that your clients are having 
issues with the radius server certificates.  Who issued the certs?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

I know many of you are using EAP-TLS and CloudPath on boarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked. 
We have checked the things like time being correct. We did discover the command 
'certutil -f -urlfetch -verify cert_name.cer' will work just fine on Windows 7, 
but crashes on Windows 8 and Windows 10. The event viewer is showing these 
errors.

"The certificate received from the remote server has been revoked. This means 
that the certificate authority that issued the certificate has invalidated it. 
The SSL connection request has failed. The attached data contains the server 
certificate."  -- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result 
in termination of the connection. The TLS protocol defined fatal error code is 
44. The Windows SChannel error state is 552."

I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the only 
one having this issue.

Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.

What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University



RE: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Turner, Ryan H
BTW...  I am only trying to clear this up, because as I read this, it would 
have nothing to do with your client certificates, and everything to do with the 
server certificate being offered by your authentication server (freeRadius/etc) 
to the client.  It is possible that there is a problem with the authentication 
server certificate, and certain clients/operating systems are more sensitive to 
this than others.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile



Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Craig Pluchinsky
We found a bug with the CloudPath onboarding and Microsoft cert checking. 
We are using Microsoft NPS for the RADIUS server and it would randomly 
start saying that the certificate had been revoked.  Cloudpath released an 
update to fix this issue.  Upgrading the Enrollment Server fixed this for 
us.



---
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Thu, 24 Sep 2015, Kevin McCormick wrote:


I know many of you are using EAP-TLS and CloudPath onboarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked. We have 
checked things like the time being correct. We did discover that the command 
'certutil -f -urlfetch -verify cert_name.cer' works just fine on Windows 
7, but crashes on Windows 8 and Windows 10. The Event Viewer is showing these 
errors.


"The certificate received from the remote server has been revoked. This means 
that the certificate authority that issued the certificate has invalidated 
it. The SSL connection request has failed. The attached data contains the 
server certificate."  -- Attached is the root CA.


"A fatal alert was generated and sent to the remote endpoint. This may result 
in termination of the connection. The TLS protocol defined fatal error code 
is 44. The Windows SChannel error state is 552."


I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the 
only one having this issue.


Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.


What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University



Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

2015-09-24 Thread Kevin McCormick
Clients on Windows 8 and 10 fail onboarding. Macs, Windows 7, iOS, and 
Androids do not seem to have any issues.


The RADIUS server is issuing the certificates, and the Windows 8 and 10 
machines appear to be saying that the RADIUS server is reporting the certificates 
revoked.


We can export the certs from the Windows 8 or 10 machine, and then check 
the certs on Windows 7 using the command 'certutil -f -urlfetch -verify 
cert_name.cer', and the RADIUS server is reporting the certs are fine.


We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University

On 9/24/2015 11:55 AM, Turner, Ryan H wrote:

Let me see if I can clear things up...

Your clients were successfully onboarded, and when the clients connect, they 
are reporting that the RADIUS server certificates being sent are revoked?  Or 
are you saying that your clients are reporting that the RADIUS servers are 
saying the client certificates are revoked?

If I read the error, it would indicate to me that your clients are having 
issues with the RADIUS server certificates.  Who issued the certs?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

I know many of you are using EAP-TLS and CloudPath onboarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked.
We have checked things like the time being correct. We did discover that the command 
'certutil -f -urlfetch -verify cert_name.cer' works just fine on Windows 7, 
but crashes on Windows 8 and Windows 10. The Event Viewer is showing these 
errors.

"The certificate received from the remote server has been revoked. This means that 
the certificate authority that issued the certificate has invalidated it. The SSL 
connection request has failed. The attached data contains the server certificate."  
-- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result in 
termination of the connection. The TLS protocol defined fatal error code is 44. The 
Windows SChannel error state is 552."

I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the only 
one having this issue.

Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.

What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University
