RE: [WIRELESS-LAN] wild card certs and PEAP
You’re right. I should have clarified and said a SAN/multi-domain certificate. Nearly all certs now come with the CN as a SAN.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Monday, February 6, 2017 14:19
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Are you sure you have no SAN? In my experience, it is almost impossible to get a cert issued by one of the big issuers that has zero SANs. If you request a single domain cert, you get a cert with one SAN, which is the same as the domain you requested. (There is also, of course, a CN containing that domain.) To see an example of this, you can look at https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN to be there, but we had somehow gotten a cert issued without that SAN present, and this was not acceptable. (I wish I remembered which Windows version.) I think this is only likely to trip people up if they ask for a cert with CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one with that implicit "domain0" SAN, and that's what Windows balked at. But of course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote:

We use SANs on our RADIUS certificate so we can use the same certificate for https on those servers.

I agree with Tim, though. SANs are not needed and we have run our RADIUS certificate for several years on multiple servers without any SANs.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it with S2012R2?

-Brian

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
Re: [WIRELESS-LAN] wild card certs and PEAP
Are you sure you have no SAN? In my experience, it is almost impossible to get a cert issued by one of the big issuers that has zero SANs. If you request a single domain cert, you get a cert with one SAN, which is the same as the domain you requested. (There is also, of course, a CN containing that domain.) To see an example of this, you can look at https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN to be there, but we had somehow gotten a cert issued without that SAN present, and this was not acceptable. (I wish I remembered which Windows version.) I think this is only likely to trip people up if they ask for a cert with CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one with that implicit "domain0" SAN, and that's what Windows balked at. But of course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote:
> We use SANs on our RADIUS certificate so we can use the same certificate for https on those servers.
>
> I agree with Tim, though. SANs are not needed and we have run our RADIUS certificate for several years on multiple servers without any SANs.
Re: [WIRELESS-LAN] wild card certs and PEAP
To reiterate, SANs are not needed on some platforms. Please consult your documentation.

Sent from my iPhone

> On Feb 6, 2017, at 6:00 AM, Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote:
>
> We use SANs on our RADIUS certificate so we can use the same certificate for https on those servers.
>
> I agree with Tim, though. SANs are not needed and we have run our RADIUS certificate for several years on multiple servers without any SANs.
RE: [WIRELESS-LAN] wild card certs and PEAP
Thanks everyone. I was trying to avoid purchasing a cert for our test server, but it looks like I’ll have to do that.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Friday, February 03, 2017 4:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

There is a good blog by Aaron Woland on this. If memory serves, wildcard in CN isn't feasible, but Windows clients will tolerate a wildcard in the SAN field.

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

Likely it's still only practical when doing it via an internal CA. I don't think many public CAs will let you do SAN wildcards.

Sent from my iPhone

On Feb 3, 2017, at 1:51 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

Hi Brian,

Wild card certificates should indeed be avoided as Windows clients cannot cope with them. This will occur on every RADIUS server and has nothing to do with NPS (or with eduroam).

-Frans
Re: [WIRELESS-LAN] wild card certs and PEAP
Oh, whoops! I'm sorry, I should've mentioned this. We got the SANs because, due to the way our certs are issued, there is no additional cost. Then we use it for the web interface on the servers also.

The eduroam.uah.edu value is used as you describe. Technically that's the only one you need. But it has to be a CN as well as a SAN for Windows to like it.

On Fri, Feb 3, 2017 at 15:45 Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
> For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box.
>
> The SANs will never be referenced and will just add significant cost.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
RE: [WIRELESS-LAN] wild card certs and PEAP
Resending without the signature. Sorry.

That’s a RADIUS platform issue, not the protocol itself. Multiple SAN values are useless to a client. Wildcard is never recommended for RADIUS in any circumstance. You can get a domain validated certificate for $19.99 a year.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Friday, February 3, 2017 16:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Tim,

For Cisco ISE, it validates that the host name matches the CN or SAN. So you can't always do that. But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match.

Sent from my iPhone

On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
Re: [WIRELESS-LAN] wild card certs and PEAP
Tim,

For Cisco ISE, it validates that the host name matches the CN or SAN. So you can't always do that. But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match.

Sent from my iPhone

> On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>
> For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box.
>
> The SANs will never be referenced and will just add significant cost.
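An added example, not code from any poster in this thread: it lints an EAP server certificate's names the two ways the thread describes, a strict Windows-style check (no wildcard anywhere, CN repeated as a SAN, the "implicit domain0 SAN" Hunter ran into) and a lenient ISE-style check that accepts a wildcard SAN such as *.radius.univ.edu for radius01.radius.univ.edu. It consumes the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so it can be pointed at a real certificate; the certificates at the bottom are constructed samples using example.edu names, not anyone's real cert.

```python
"""Name checks for an EAP/RADIUS server certificate, modelled on the client
behaviour described in this thread.  Input is the dict shape returned by
ssl.SSLSocket.getpeercert(); the certificates at the bottom are constructed
samples, not real certificates."""
from typing import List, Tuple


def cert_names(cert: dict) -> Tuple[str, List[str]]:
    """Return (commonName, [DNS subjectAltName values]) from a getpeercert() dict."""
    cn = ""
    for rdn in cert.get("subject", ()):          # subject is a tuple of RDNs,
        for attr, value in rdn:                  # each a tuple of (type, value)
            if attr == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the name the supplicant expects.

    A wildcard is honoured only as the whole leftmost label (RFC 6125 style):
    *.radius.univ.edu matches radius01.radius.univ.edu, but not radius.univ.edu
    and not a.b.radius.univ.edu.  Partial wildcards such as ra*.univ.edu are
    treated as literal text and therefore never match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False                              # refuse *.edu style patterns
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def lint_eap_server_cert(cert: dict, expected_name: str, strict: bool = True) -> List[str]:
    """Return the list of problems a supplicant could have with this certificate.

    strict=True models the picky client the thread describes (the Windows
    supplicant): no wildcard anywhere, and the CN must also appear as a SAN.
    strict=False models a client such as ISE that accepts a wildcard SAN as
    long as the expected server name matches it."""
    cn, sans = cert_names(cert)
    problems: List[str] = []
    if not cn:
        problems.append("no commonName in subject")
    if "*" in cn:
        problems.append(f"wildcard in CN {cn!r}")
    if cn and cn not in sans:
        problems.append(f"CN {cn!r} is not repeated as a SAN")  # the 'implicit domain0 SAN'
    if strict:
        problems.extend(f"wildcard SAN {san!r} present" for san in sans if "*" in san)
    if not any(dns_match(name, expected_name) for name in [cn] + sans if name):
        problems.append(f"expected name {expected_name!r} matches neither CN nor any SAN")
    return problems


# Constructed sample certificates with example.edu names (not real certificates).
# Like Hunter's: CN repeated as a SAN, plus per-server SANs; works everywhere.
GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "eduroam.example.edu"),)),
    "subjectAltName": (("DNS", "eduroam.example.edu"), ("DNS", "acs01.example.edu")),
}
# The case Hunter's issuer produced: CN domain0 with SANs domain1..domainN only.
CN_NOT_IN_SAN = {
    "subject": ((("commonName", "domain0.example.edu"),),),
    "subjectAltName": (("DNS", "domain1.example.edu"), ("DNS", "domain2.example.edu")),
}
# Brian's wildcard test cert.
WILDCARD_CN = {
    "subject": ((("commonName", "*.example.edu"),),),
    "subjectAltName": (("DNS", "*.example.edu"),),
}
# Jake's ISE suggestion: a wildcard SAN with per-server names beneath it.
WILDCARD_SAN = {
    "subject": ((("commonName", "radius01.radius.example.edu"),),),
    "subjectAltName": (("DNS", "radius01.radius.example.edu"), ("DNS", "*.radius.example.edu")),
}

if __name__ == "__main__":
    for label, cert, name in [
        ("good", GOOD_CERT, "eduroam.example.edu"),
        ("cn-not-in-san", CN_NOT_IN_SAN, "domain0.example.edu"),
        ("wildcard-cn", WILDCARD_CN, "eduroam.example.edu"),
        ("wildcard-san", WILDCARD_SAN, "radius02.radius.example.edu"),
    ]:
        for strict in (True, False):
            print(label, "strict" if strict else "lenient",
                  lint_eap_server_cert(cert, name, strict) or "OK")
```

Running it against a live server means feeding `lint_eap_server_cert` the dict from `getpeercert()`; note that `getpeercert()` only returns subject and SAN fields after a verified handshake, so for unverified test certs parse the PEM with a library such as `cryptography` and build the same dict shape.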
Re: [WIRELESS-LAN] wild card certs and PEAP
There is a good blog by Aaron Woland on this. If memory serves, wildcard in CN isn't feasible, but windows clients will tolerate a wildcard in the SAN field. http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html Likely it's still only practical when doing it via an internal CA. I don't think many public CAs will let you do SAN wildcards. Sent from my iPhone > On Feb 3, 2017, at 1:51 PM, Frans Pankenwrote: > > Hi Brian, > Wild card certificates should indeed be avoided as Windows clients cannot > cope with them. This will occur on every RADIUS server and has nothing to do > with NPS (or with eduroam). > -Frans > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > on behalf of Brian Helman > > Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv > > Date: Friday, 3 February 2017 at 21:32 > To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" > Subject: [WIRELESS-LAN] wild card certs and PEAP > > I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our > configurations in place to join eduroam. Yes, I can get a temporary cert (or > beg digicert for one, since I don’t think they have an option), but we tried > to use a wildcard cert that we usually use for testing of services. It > generates/imports correctly and Android doesn’t appear to have an issue with > it, but Win7 and Win10 don’t care for it when we try to authenticate to the > wireless network. It looks like Android may be ignoring the validation or > generally fine with the wildcard. > > The easier question is – will a wildcard cert work here? > The tougher question is – if yes, um .. any good references to configure it > with S2012R2? > > -Brian > > > ** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/discuss. 
RE: [WIRELESS-LAN] wild card certs and PEAP
We lost that battle long ago…… I think there was some best practice guide that won over our networking request. In the end the Identity group got to what we wanted with a bit more cost. The other one we lost was responding with a fail for invalid username instead of no response/timeout. ☹ Would like to revisit that one.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Travis Schick
Sent: Friday, February 03, 2017 4:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Or just install the same server cert for radius requests on all radius servers. This is being served via EAP - the client's supplicant can never automatically verify the host it is coming from anyway
RE: [WIRELESS-LAN] wild card certs and PEAP
For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box. The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
Re: [WIRELESS-LAN] wild card certs and PEAP
Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:
> Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.
Re: [WIRELESS-LAN] wild card certs and PEAP
Or just install the same server cert for radius requests on all radius servers. This is being served via EAP - the client's supplicant can never automatically verify the host it is coming from anyway

On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins wrote:
> Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.
RE: [WIRELESS-LAN] wild card certs and PEAP
Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it with S2012R2?

-Brian
Re: [WIRELESS-LAN] wild card certs and PEAP
We fought this for a while. A wild card will never work for Windows clients as they require the common name to also be a service alt name. A wild card won't meet this.

On Fri, Feb 3, 2017 at 14:32 Brian Helman wrote:
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it with S2012R2?
>
> -Brian
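The two certificate-name rules that come out of this thread (Hunter's point that Windows needs the CN repeated as a SAN, and the earlier point from Frans and the Aaron Woland article that a wildcard CN is rejected while a wildcard SAN is tolerated) can be checked before a cert is ever installed on NPS. The script below is an added example and is not code from any of the posters; it parses the text that `openssl x509 -noout -subject -ext subjectAltName -in server.pem` prints (the `-ext` flag needs OpenSSL 1.1.1 or later; `-text` output works too, since only the subject line and the `DNS:` entries are read). The sample outputs and the example.edu hostnames are constructed placeholders, and the function names are the example's own.

```python
"""Added example: check a PEAP/EAP server certificate's names against the
rules discussed in the thread, using openssl's subject/SAN text output.

Rules:
  1. the CN must not be a wildcard (Win7/Win10 supplicants reject it for PEAP);
  2. the CN must also appear as a DNS SAN (some Windows versions insist on it).
A wildcard that appears only in a SAN is reported as a note rather than a
problem, since Windows tolerates that but public CAs rarely issue it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class NameCheck:
    cn: str
    sans: list[str]
    problems: list[str] = field(default_factory=list)  # would break Windows PEAP clients
    notes: list[str] = field(default_factory=list)     # worth knowing, not fatal

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_openssl_names(text: str) -> tuple[str, list[str]]:
    """Extract the subject CN and the DNS SANs from openssl's text output.
    Accepts both 'subject=CN = host, O = ...' (OpenSSL 1.1.1+) and the
    older 'subject= /C=US/O=.../CN=host' spelling."""
    m = re.search(r"subject=.*?/?CN\s*=\s*([^,/\n]+)", text)
    cn = m.group(1).strip() if m else ""
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return cn, sans


def check_eap_server_names(cn: str, sans: list[str]) -> NameCheck:
    """Apply the two rules above to an already-parsed CN and SAN list."""
    result = NameCheck(cn=cn, sans=list(sans))
    if not cn:
        result.problems.append("subject has no CN")
    else:
        if cn.startswith("*."):
            result.problems.append(
                f"CN {cn!r} is a wildcard; Win7/Win10 supplicants reject it for PEAP")
        if cn not in sans:
            result.problems.append(
                f"CN {cn!r} is not repeated as a DNS SAN; some Windows versions require it")
    for san in sans:
        if san.startswith("*."):
            result.notes.append(
                f"SAN {san!r} is a wildcard; Windows tolerates it in the SAN, "
                "but expect to need an internal CA to get it issued")
    return result


def check_from_openssl_output(text: str) -> NameCheck:
    """Convenience wrapper: parse openssl output, then run the checks."""
    return check_eap_server_names(*parse_openssl_names(text))


# Constructed sample openssl output; the example.edu hostnames are placeholders.
GOOD = """subject=CN = eduroam.example.edu, O = Example University, C = US
X509v3 Subject Alternative Name:
    DNS:eduroam.example.edu, DNS:acs01.example.edu, DNS:acs02.example.edu
"""
WILDCARD_CN = """subject=CN = *.example.edu, O = Example University, C = US
X509v3 Subject Alternative Name:
    DNS:*.example.edu, DNS:example.edu
"""
CN_MISSING_FROM_SANS = """subject= /C=US/O=Example University/CN=domain0.example.edu
X509v3 Subject Alternative Name:
    DNS:domain1.example.edu, DNS:domain2.example.edu, DNS:domain3.example.edu
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("wildcard CN", WILDCARD_CN),
                          ("CN not in SANs", CN_MISSING_FROM_SANS)):
        r = check_from_openssl_output(sample)
        print(f"{label}: {'OK' if r.ok else 'NOT OK'}  CN={r.cn}  SANs={r.sans}")
        for p in r.problems:
            print("  problem:", p)
        for n in r.notes:
            print("  note:   ", n)
```

The third sample is the "CN domain0, SANs domain1..3" shape described above: it is a perfectly valid certificate for HTTPS, yet it fails rule 2, which is exactly the case Windows balked at. Run the same check against the cert every RADIUS server presents; since the thread's advice is to install one cert everywhere, one passing result covers the whole pool.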