RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Cappalli, Tim (Aruba)
You’re right. I should have clarified and said a SAN/multi-domain certificate.

Nearly all certs now come with the CN as a SAN.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Monday, February 6, 2017 14:19
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Are you sure you have no SAN? In my experience, it is almost impossible to get 
a cert issued by one of the big issuers that has zero SANs. If you request a 
single domain cert, you get a cert with one SAN, which is the same as the 
domain you requested. (There is also, of course, a CN containing that domain.) 
To see an example of this, you can look at https://sso.uah.edu/ - we have a 
single-domain cert here, and then one SAN that is the same as the CN: 
http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN 
to be there, but we had somehow gotten a cert issued without that SAN present, 
and this was not acceptable. (I wish I remembered which Windows version.)

I think this is only likely to trip people up if they ask for a cert with CN 
"domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one 
with that implicit "domain0" SAN, and that's what Windows balked at. But of 
course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations)
<bosbo...@liberty.edu> wrote:

   We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.

   I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.

   Bruce Osborne
   Senior Network Engineer
   Network Operations - Wireless
   (434) 592-4229
   LIBERTY UNIVERSITY
   Training Champions for Christ since 1971

   From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
   Sent: Friday, February 3, 2017 4:46 PM
   Subject: Re: wild card certs and PEAP

   For an EAP server certificate, you do not need SANs for every server. You
can do something generic like “network-login.domain.edu” and put that cert
on every box.

   The SANs will never be referenced and will just add significant cost.

   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
   Sent: Friday, February 3, 2017 16:38
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

   Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

   On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

  Our identity management group runs our Microsoft NPS servers and I recall
them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps
your client from having to trust each NPS server.

  From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
  Sent: Friday, February 03, 2017 3:32 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] wild card certs and PEAP

  I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

  The easier question is – will a wildcard cert work here?

  The tougher question is – if yes, um .. any good references to configure 
it with S2012R2?

  -Brian

  ** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Hunter Fuller
Are you sure you have no SAN? In my experience, it is almost impossible to
get a cert issued by one of the big issuers that has zero SANs. If you
request a single domain cert, you get a cert with one SAN, which is the
same as the domain you requested. (There is also, of course, a CN
containing that domain.) To see an example of this, you can look at
https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN
that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this
SAN to be there, but we had somehow gotten a cert issued without that SAN
present, and this was not acceptable. (I wish I remembered which Windows
version.)

I think this is only likely to trip people up if they ask for a cert with
CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not
provide one with that implicit "domain0" SAN, and that's what Windows
balked at. But of course that doesn't affect people who are requesting
single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <
bosbo...@liberty.edu> wrote:

> We use SANs on our RADIUS certificate so we can use the same certificate
> for https on those servers.
>
> I agree with Tim, though. SANs are not needed and we have run our RADIUS
> certificate for several years on multiple servers without any SANs.
>
> *Bruce Osborne*
> *Senior Network Engineer*
> *Network Operations - Wireless*
> *(434) 592-4229*
> *LIBERTY UNIVERSITY*
> *Training Champions for Christ since 1971*
>
> *From:* Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
> *Sent:* Friday, February 3, 2017 4:46 PM
> *Subject:* Re: wild card certs and PEAP
>
> For an EAP server certificate, you do not need SANs for every server. You
> can do something generic like “network-login.domain.edu” and put that
> cert on every box.
>
> The SANs will never be referenced and will just add significant cost.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, February 3, 2017 16:38
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
>
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
> -Brian
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Jake Snyder
To reiterate, SANs are not needed on some platforms.  Please consult your 
documentation.

Sent from my iPhone

> On Feb 6, 2017, at 6:00 AM, Osborne, Bruce W (Network Operations)
> <bosbo...@liberty.edu> wrote:
>
> We use SANs on our RADIUS certificate so we can use the same certificate for
> https on those servers.
> I agree with Tim, though. SANs are not needed and we have run our RADIUS
> certificate for several years on multiple servers without any SANs.
>
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
> (434) 592-4229
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>
> From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
> Sent: Friday, February 3, 2017 4:46 PM
> Subject: Re: wild card certs and PEAP
>
> For an EAP server certificate, you do not need SANs for every server. You can
> do something generic like “network-login.domain.edu” and put that cert on
> every box.
>
> The SANs will never be referenced and will just add significant cost.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps
> your client from having to trust each NPS server.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or
> beg digicert for one, since I don’t think they have an option), but we tried
> to use a wildcard cert that we usually use for testing of services.  It
> generates/imports correctly and Android doesn’t appear to have an issue with
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the
> wireless network.  It looks like Android may be ignoring the validation or
> generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it
> with S2012R2?
>
> -Brian
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure



RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Brian Helman
Thanks everyone.  I was trying to avoid purchasing a cert for our test server, 
but it looks like I’ll have to do that.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Friday, February 03, 2017 4:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

There is a good blog by Aaron Woland on this.  If memory serves, wildcard in CN 
isn't feasible, but windows clients will tolerate a wildcard in the SAN field.

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Likely it's still only practical when doing it via an internal CA. I don't 
think many public CAs will let you do SAN wildcards.

Sent from my iPhone

On Feb 3, 2017, at 1:51 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:
Hi Brian,
Wild card certificates should indeed be avoided as Windows clients cannot cope 
with them. This will occur on every RADIUS server and has nothing to do with 
NPS (or with eduroam).
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Brian Helman
<bhel...@salemstate.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 3 February 2017 at 21:32
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian





Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Oh, whoops! I'm sorry, I should've mentioned this. We got the SANs because,
due to the way our certs are issued, there is no additional cost. Then we
use it for the web interface on the servers also.
The eduroam.uah.edu value is used as you describe. Technically that's the
only one you need. But it has to be a CN as well as a SAN for windows to
like it.

On Fri, Feb 3, 2017 at 15:45 Cappalli, Tim (Aruba) <t...@hpe.com> wrote:

> For an EAP server certificate, you do not need SANs for every server. You
> can do something generic like “network-login.domain.edu” and put that cert
> on every box.
>
> The SANs will never be referenced and will just add significant cost.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Hunter Fuller
> *Sent:* Friday, February 3, 2017 16:38
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
>
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
> -Brian
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure




RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
Resending without the signature. Sorry.

That’s a RADIUS platform issue, not the protocol itself. Multiple SAN values
are useless to a client.

Wildcard is never recommended for RADIUS in any circumstance. You can get a
domain validated certificate for $19.99 a year.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Friday, February 3, 2017 16:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Tim,

For Cisco ISE, it validates that the host name matches the CN or SAN.  So you
can't always do that.

But you could do something like *.radius.univ.edu as a
SAN and call them radius01.radius.univ.edu
which would match.

Sent from my iPhone

On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:

   For an EAP server certificate, you do not need SANs for every server. You
can do something generic like “network-login.domain.edu” and put that cert on
every box.

   The SANs will never be referenced and will just add significant cost.

   From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
   Sent: Friday, February 3, 2017 16:38
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

   Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

   On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

  Our identity management group runs our Microsoft NPS servers and I recall
them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps
your client from having to trust each NPS server.

  From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
  Sent: Friday, February 03, 2017 3:32 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] wild card certs and PEAP

  I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
configurations in place to join eduroam.  Yes, I can get a temporary cert (or
beg digicert for one, since I don’t think they have an option), but we tried to
use a wildcard cert that we usually use for testing of services.  It
generates/imports correctly and Android doesn’t appear to have an issue with
it, but Win7 and Win10 don’t care for it when we try to authenticate to the
wireless network.  It looks like Android may be ignoring the validation or
generally fine with the wildcard.

  The easier question is – will a wildcard cert work here?

  The tougher question is – if yes, um .. any good references to configure
it with S2012R2?

  -Brian

   --
   Hunter Fuller
   Network Engineer
   VBRH Annex B-1
   +1 256 824 5331

   Office of Information Technology
   The University of Alabama in Huntsville
   Systems and Infrastructure




Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
Tim,
For Cisco ISE, it validates that the host name matches the CN or SAN.  So you 
can't always do that.

But you could do something like *.radius.univ.edu as a SAN and call them 
radius01.radius.univ.edu which would match.  

Sent from my iPhone

> On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
> 
> For an EAP server certficiate, you do not need SANs for every server. You can 
> do something generic like “network-login.domain.edu” and put that cert on 
> every box.
>  
> The SANs will never be referenced and will just add significant cost.
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>  
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert. 
>  
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
> Our identity management group runs our Microsoft NPS servers and I recall 
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
> your client from having to trust each NPS server.
>  
>  
>  
>  
>  
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/discuss.
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
There is a good blog by Aaron Woland on this.  If memory serves, wildcard in CN 
isn't feasible, but Windows clients will tolerate a wildcard in the SAN field. 

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Likely it's still only practical when doing it via an internal CA. I don't 
think many public CAs will let you do SAN wildcards.

Sent from my iPhone

> On Feb 3, 2017, at 1:51 PM, Frans Panken wrote:
> 
> Hi Brian,
> Wild card certificates should indeed be avoided as Windows clients cannot 
> cope with them. This will occur on every RADIUS server and has nothing to do 
> with NPS (or with eduroam).
> -Frans
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Brian Helman
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> Date: Friday, 3 February 2017 at 21:32
> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>  
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
> configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
> beg digicert for one, since I don’t think they have an option), but we tried 
> to use a wildcard cert that we usually use for testing of services.  It 
> generates/imports correctly and Android doesn’t appear to have an issue with 
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
> wireless network.  It looks like Android may be ignoring the validation or 
> generally fine with the wildcard. 
>  
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it 
> with S2012R2?
>  
> -Brian
>  
>  



RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Mike Atkins
We lost that battle long ago……  I think there was some best practice
guide that won over our networking request.  In the end the Identity group
got to what we wanted with a bit more cost.  The other one we lost was
responding with a fail for invalid username instead of no
response/timeout.  :(  Would like to revisit that one.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Travis Schick
*Sent:* Friday, February 03, 2017 4:30 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* Re: [WIRELESS-LAN] wild card certs and PEAP

Or just install the same server cert for radius requests on all radius
servers.  This is being served via EAP - the client's supplicant can
never automatically verify the host it is coming from anyway.

On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins <matk...@nd.edu> wrote:

Our identity management group runs our Microsoft NPS servers and I recall
them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
keeps your client from having to trust each NPS server.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
*Sent:* Friday, February 03, 2017 3:32 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
configurations in place to join eduroam.  Yes, I can get a temporary cert
(or beg digicert for one, since I don’t think they have an option), but we
tried to use a wildcard cert that we usually use for testing of services.
It generates/imports correctly and Android doesn’t appear to have an issue
with it, but Win7 and Win10 don’t care for it when we try to authenticate
to the wireless network.  It looks like Android may be ignoring the
validation or generally fine with the wildcard.

The easier question is – will a wildcard cert work here?

The tougher question is – if yes, um .. any good references to configure it
with S2012R2?

-Brian



RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

   Our identity management group runs our Microsoft NPS servers and I recall 
them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
your client from having to trust each NPS server.

   From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
   Sent: Friday, February 03, 2017 3:32 PM
   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
   Subject: [WIRELESS-LAN] wild card certs and PEAP

   I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

   The easier question is – will a wildcard cert work here?

   The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

   -Brian

   --
   Hunter Fuller
   Network Engineer
   VBRH Annex B-1
   +1 256 824 5331

   Office of Information Technology
   The University of Alabama in Huntsville
   Systems and Infrastructure



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:

> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
> -Brian

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Travis Schick
Or just install the same server cert for radius requests on all radius
servers.  This is being served via EAP - the client's supplicant can
never automatically verify the host it is coming from anyway.

On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins wrote:

> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
> keeps your client from having to trust each NPS server.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
> *Sent:* Friday, February 03, 2017 3:32 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
> -Brian



RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Mike Atkins
Our identity management group runs our Microsoft NPS servers and I recall
them calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu,
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This
keeps your client from having to trust each NPS server.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Brian Helman
*Sent:* Friday, February 03, 2017 3:32 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
configurations in place to join eduroam.  Yes, I can get a temporary cert
(or beg digicert for one, since I don’t think they have an option), but we
tried to use a wildcard cert that we usually use for testing of services.
It generates/imports correctly and Android doesn’t appear to have an issue
with it, but Win7 and Win10 don’t care for it when we try to authenticate
to the wireless network.  It looks like Android may be ignoring the
validation or generally fine with the wildcard.

The easier question is – will a wildcard cert work here?

The tougher question is – if yes, um .. any good references to configure it
with S2012R2?

-Brian



Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
We fought this for a while. A wild card will never work for Windows clients
as they require the common name to also be a service alt name. A wild card
won't meet this.

On Fri, Feb 3, 2017 at 14:32 Brian Helman wrote:

> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam.  Yes, I can get a temporary cert
> (or beg digicert for one, since I don’t think they have an option), but we
> tried to use a wildcard cert that we usually use for testing of services.
> It generates/imports correctly and Android doesn’t appear to have an issue
> with it, but Win7 and Win10 don’t care for it when we try to authenticate
> to the wireless network.  It looks like Android may be ignoring the
> validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
>
> The tougher question is – if yes, um .. any good references to configure
> it with S2012R2?
>
> -Brian

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
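The naming rules the thread converges on (a wildcard CN fails on Windows supplicants, the CN should also appear as a DNS SAN, and a wildcard in a SAN is tolerated by Windows but seldom issued by public CAs) can be checked before a certificate goes onto the RADIUS servers. The script below is an added example, not code from the list or from any poster: it parses the text that `openssl x509 -in server.pem -noout -subject -ext subjectAltName` prints (OpenSSL 1.1+ layout assumed; the sample outputs and the example.edu names are constructed placeholders) and reports findings per certificate.

```python
"""Pre-deployment check of an EAP/PEAP server certificate's names.

Added example: applies the thread's rules of thumb to the text printed by
`openssl x509 -in server.pem -noout -subject -ext subjectAltName` (OpenSSL 1.1+).
"""
import re

# Constructed sample outputs; the example.edu names are placeholders.
SAMPLE_MULTI_DOMAIN = """\
subject=C = US, O = Example University, CN = eduroam.example.edu
X509v3 Subject Alternative Name:
    DNS:eduroam.example.edu, DNS:acs01.example.edu, DNS:acs02.example.edu
"""
SAMPLE_WILDCARD = """\
subject=CN = *.example.edu
X509v3 Subject Alternative Name:
    DNS:*.example.edu
"""
SAMPLE_CN_NOT_IN_SAN = """\
subject=CN = nps1.example.edu
X509v3 Subject Alternative Name:
    DNS:nps2.example.edu, DNS:nps3.example.edu
"""


def parse_openssl_names(text):
    """Return (cn, [dns_sans]) from the openssl text; cn is None if absent."""
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.MULTILINE)
    cn = m.group(1).strip() if m else None
    sans = re.findall(r"DNS:([^,\s]+)", text)  # only dNSName entries matter here
    return cn, sans


def check_eap_server_cert(cn, sans):
    """Return a list of findings; an empty list means the names look usable."""
    findings = []
    if cn is None:
        findings.append("no CN in subject")
    elif cn.startswith("*."):
        findings.append("wildcard CN: Windows supplicants reject this")
    if cn is not None and cn.lower() not in {s.lower() for s in sans}:
        findings.append("CN not repeated as a DNS SAN: some Windows versions require it")
    for s in sans:
        if s.startswith("*."):
            findings.append(f"wildcard SAN {s}: tolerated by Windows, rarely issued by public CAs")
    return findings


if __name__ == "__main__":
    for label, text in [("multi-domain", SAMPLE_MULTI_DOMAIN),
                        ("wildcard", SAMPLE_WILDCARD),
                        ("cn-not-in-san", SAMPLE_CN_NOT_IN_SAN)]:
        cn, sans = parse_openssl_names(text)
        print(f"{label}: CN={cn} SANs={sans} -> {check_eap_server_cert(cn, sans) or 'OK'}")
```

Run it against the real `openssl x509` output of the certificate you intend to install on every RADIUS box; an empty finding list is what the multi-domain setup described in the thread produces.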