Re: securew2 root ca radius server cert change

2020-05-26 Thread Hurt,Trenton W.
I’m also doing unmanned EAP-PEAP (yes, I know all the security reasons against 
this).  If I don’t use a publicly signed CA, will BYOD devices be able to connect 
via EAP-PEAP with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change

You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.  Throughout the years, I’ve counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.

There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.

OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change

I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works fine 
for EAP-PEAP clients.  But my existing EAP-TLS clients all fail auth 
when I switch to this new updated RADIUS cert.  I see that my public CA has issued 
this new cert using a different root CA than my old one (the one that is 
installed/configured on my SecureW2 app in the cloud).  SecureW2 has told me that 
users will have to onboard again once I change the cert on ClearPass and update 
the cloud app, since the public CA changed the root CA on the cert chain.  I asked my 
public CA if they could reissue using the other root CA so my EAP-TLS clients will 
still work once I do the change.  They have told me that I shouldn’t need a reissue 
under the old root CA (the one TLS clients currently use) because my new cert's root CA 
is cross-signed by the old root CA.  They told me that I should be able to use 
this new one, but I still can’t seem to get things working correctly.  Has anyone who 
is using SecureW2 had issues like this with the root CA changing and clients forced 
to re-onboard?  I’m not really a PKI person, so if there is some way I could chain 
these or something.  Just looking for a way to update the RADIUS cert on servers and 
not have to force all my onboarded clients to go thru that process once I 
make the change.



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


RE: securew2 root ca radius server cert change

2020-05-26 Thread Turner, Ryan H
You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.  Throughout the years, I've counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.

There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.

OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change

I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works fine 
for EAP-PEAP clients.  But my existing EAP-TLS clients all fail auth 
when I switch to this new updated RADIUS cert.  I see that my public CA has issued 
this new cert using a different root CA than my old one (the one that is 
installed/configured on my SecureW2 app in the cloud).  SecureW2 has told me that 
users will have to onboard again once I change the cert on ClearPass and update 
the cloud app, since the public CA changed the root CA on the cert chain.  I asked my 
public CA if they could reissue using the other root CA so my EAP-TLS clients will 
still work once I do the change.  They have told me that I shouldn't need a reissue 
under the old root CA (the one TLS clients currently use) because my new cert's root CA 
is cross-signed by the old root CA.  They told me that I should be able to use 
this new one, but I still can't seem to get things working correctly.  Has anyone who 
is using SecureW2 had issues like this with the root CA changing and clients forced 
to re-onboard?  I'm not really a PKI person, so if there is some way I could chain 
these or something.  Just looking for a way to update the RADIUS cert on servers and 
not have to force all my onboarded clients to go thru that process once I 
make the change.
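
The cross-signing arrangement described in the original question, reproduced with a throwaway PKI as an added example (not from any poster in this thread; every certificate name is constructed and the `openssl` CLI is assumed to be installed). It checks whether a client whose only trust anchor is the old root accepts a server certificate issued under the new root, depending on which extra certificate the server presents.

```shell
#!/usr/bin/env bash
# Constructed throwaway PKI; every name here is hypothetical, not from the thread.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# Self-signed old root (what onboarded clients trust) and self-signed new root.
for r in old new; do
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/cfg" \
    -extensions ca -subj "/CN=Constructed $r root" \
    -keyout "$W/$r.key" -out "$W/$r.pem"
done
# Cross-certificate: the NEW root's subject and key, signed by the OLD root.
q openssl req -new -key "$W/new.key" -config "$W/cfg" \
  -subj "/CN=Constructed new root" -out "$W/new.csr"
q openssl x509 -req -in "$W/new.csr" -CA "$W/old.pem" -CAkey "$W/old.key" \
  -set_serial 2 -days 30 -extfile "$W/cfg" -extensions ca -out "$W/cross.pem"
# RADIUS server certificate issued by the new root (assumption: no
# intermediate, to keep the chain short; real public chains have one).
q openssl req -new -newkey rsa:2048 -nodes -config "$W/cfg" \
  -subj "/CN=radius.example.edu" -keyout "$W/leaf.key" -out "$W/leaf.csr"
q openssl x509 -req -in "$W/leaf.csr" -CA "$W/new.pem" -CAkey "$W/new.key" \
  -set_serial 3 -days 30 -extfile "$W/cfg" -extensions leaf -out "$W/leaf.pem"

# Does a client that trusts ONLY the old root accept the server certificate
# when the server also sends the certificate in $1 (empty = leaf only)?
client_accepts() {
  q openssl verify -CAfile "$W/old.pem" ${1:+-untrusted "$1"} "$W/leaf.pem"
}

# Leaf only, leaf + self-signed new root, leaf + cross-certificate.
for c in "" "$W/new.pem" "$W/cross.pem"; do
  if client_accepts "$c"; then r=accepted; else r=rejected; fi
  echo "server sends leaf + '${c##*/}': $r"
done
```

This models certificate path validation only; what an onboarded supplicant actually accepts also depends on what its profile pins, which the script does not cover.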


