Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-16 Thread Jonathan Miller
Upon closer inspection, I believe that my fears were overblown.

It seems that what ACTUALLY changed in the certificate was the friendly
name, and the root CA is still the same.  I only discovered this when I
imported the 'new' root CA into our eduroam CAT config and saw that all of
the properties appeared to be the same.

When viewed with the Windows built-in certificate viewer, our certificate
chain appears as:
Sectigo (AAA) - CN = AAA Certificate Services
|__ CN = USERTrust RSA Certification Authority
    |__ CN = InCommon RSA Server CA
        |__ connect.fandm.edu

If I view the details on the Sectigo (AAA) certificate, it shows as issued
to and by 'AAA Certificate Services,'  which does match the 'old' root CA.
The following screenshots are provided to highlight the source of my
confusion:

[three screenshots, not reproduced]

All of the certificates in the chain have friendly names that match their
CNs, except for the root.

Nevertheless, since we've gone this far, we are going to issue a new
certificate to both appliances so that they at least match.  I expect that
most clients will need to forget and re-add the network, but our existing
eduroam CAT config will work.  At the moment, our desktop support personnel
are pushing back on moving to a private CA due to the difficulty with
onboarding MacOS clients specifically, though they are also not
super-thrilled with the process for iOS devices.  We understand that this
is due to how the client OS handles installing these profiles, and are
hoping that using a different onboarding tool will make the process
bearable for users and help desk staff when we do roll to a private CA,
currently planned for next summer.  We were able to stand up a PoC Private
CA, thanks in very large part to the input that we received here.

I greatly appreciate everyone's input in this thread, and the encouragement
and information that is helping us to move to where we need to be.  This
has been, and continues to be, a valuable learning experience.

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College


On Fri, Aug 13, 2021 at 2:37 PM Jonathan Waldrep  wrote:


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-13 Thread Jonathan Waldrep
Going back to the original issue:

On 2021-08-09 07:32:19-0400, Jonathan Miller wrote:
> [...]
> The certificates are issued through InCommon, and when I renewed our
> expiring certificate, I noticed that it is showing that it has a root
> of Sectigo, where it was previously Comodo. The certificate that is
> not expiring has a root CA of Comodo.
> [...]

InCommon also issues our certificates†. Specifically, our certs are
signed by [this][1] certificate, with CN "InCommon RSA Server CA". This
intermediate cert is then signed by [this][2] certificate with CN
"USERTrust RSA Certification Authority", which is a root certificate.

Not counting CAs hiding their name because of a bad reputation, I don't
see "Comodo" or "Sectigo" anywhere in the chain. This has been our chain
for a while. I've had some other certs issued this week with the same
chain.

What are the subject and issuer CNs for the certs you are using? It
kinda sounds like they are just giving you an alternate chain, which can
be a real pain to sort out.

†I know, I know. We should use an internal CA. We're working on it.

[1]: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
[2]: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech



RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Glinsky, Eric
I used AD CS in the past for a private CA, so assuming you have Windows servers 
at your disposal, you could do this quickly (depending how nimble your 
organization is) and get the new root ready now as Tim recommended.

An upside to AD CS is every domain-joined Windows machine will automatically 
trust the cert. I don't have personal experience with onboarding tools, so 
someone can correct me if I'm wrong, but I imagine this would result in those 
managed machines not needing to be re-enrolled with SecureW2, reducing support 
burden after the switch (but not eliminating it, of course, because BYOD/IOT).

Here's a doc from Microsoft on deploying server certificates for 802.1X. I 
don't know if it's best practice/most up to date after the Android 11 issues, 
but it should be a good starting point.

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/deploy-server-certificates-for-802.1x-wired-and-wireless-deployments


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Tony Skalski
Hi Jonathan,

We are completing a similar transition from a public CA to an internal PKI.
We used easy-rsa - these are a set of scripts from the OpenVPN folks that
take care of all of the openssl commands for you. It was quite simple to
configure and generate the needed certs. It might be a little crazy to bite
this off now, but we are doing something similar - re-enrolling all
personal devices over the course of the next month (our old CA cert expires
at the end of Sep).

ajs

On Tue, Aug 10, 2021 at 10:15 AM Tim Cappalli <
0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:


Re: [External] Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Hunter Fuller
Hi Jonathan,

UAH is using an offline CA we call the "Russ CA," named affectionately
after our previous CISO. Here is how Russ created the Russ CA and signed
our eduroam cert using this CA:

$ openssl genrsa -des3 -out rootCA.key 4096
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 7300 -out rootCA.crt
$ openssl ca -create_serial -keyfile rootCA.key -cert rootCA.crt -in input.pem -out out.crt -config ./server.cnf

Where:
 - rootCA.key becomes the Root CA private key
 - rootCA.crt becomes the Root CA cert
 - input.pem is the CSR from your RADIUS (ClearPass I guess)
 - out.crt becomes the signed cert for RADIUS

You will be asked to provide a passphrase for the Root CA key. It is
vitally important that this be kept secure and that you do not lose it.
You will be asked for information about the Root CA when you make the cert.
Give real information. It shows up on iPhones under some circumstances, at
the very least.
Do not lose the root CA key, cert, or passphrase between signings! If you
lose it, you will have to restart from nothing, and reprovision all your
users.

We have been using this method for the past couple of years with no trouble.
If you have any other questions let me know.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering


On Tue, Aug 10, 2021 at 9:57 AM Jonathan Miller  wrote:

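
An added example, not Hunter's script or anything else from the thread: the same offline-root workflow (root key, self-signed root, sign the RADIUS CSR) done non-interactively with openssl, carrying the extensions the thread's EKU discussion turns on (serverAuth plus id-kp-eapOverLAN) and a DNS SAN, followed by checks for the chain, the subject and issuer CNs, and the EKUs. The DNs, radius.example.edu, the three-year leaf validity and the unencrypted demo root key are this example's assumptions, not values from the thread or the GÉANT page.

```shell
#!/bin/sh
# Added example, not from the thread. Non-interactive version of the offline
# root Hunter describes: root key -> self-signed root -> sign the RADIUS CSR.
# Constructed values: the DNs, radius.example.edu, the leaf validity. The root
# key is left unencrypted so this runs unattended; Hunter's genrsa -des3 puts
# a passphrase on it, which is what a real offline root should have.
set -eu

# Build root.key/root.crt and server.key/server.csr/server.crt under dir $1.
build_eap_pki() {
  dir=$1; host=radius.example.edu
  mkdir -p "$dir"
  # Root config. prompt=no takes the DN from [dn] instead of asking for it
  # (the step where Hunter says to give real information).
  cat >"$dir/root.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
O = Example College
CN = Example College eduroam Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server CSR DN plus the extensions stamped on at signing time: serverAuth
  # (what supplicants accept, per the thread), id-kp-eapOverLAN
  # 1.3.6.1.5.5.7.3.14 from RFC 4334, and the hostname as a DNS SAN.
  cat >"$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
O = Example College
CN = $host
[eap_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.7.3.14
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # 1. Root key and a 20-year self-signed root (Hunter's -days 7300).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -out "$dir/root.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/root.key" -sha256 -days 7300 \
    -config "$dir/root.cnf" -out "$dir/root.crt" 2>/dev/null
  # 2. The RADIUS side's key and CSR (Hunter's input.pem; on ClearPass you
  #    would export the CSR rather than generate the key here).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -sha256 \
    -config "$dir/server.cnf" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign with the root (Hunter's out.crt). Extensions come from the
  #    signer's [eap_server], never from the CSR, so a requester cannot
  #    slip in CA:TRUE or extra EKUs. Three-year leaf is this example's pick.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1095 -sha256 \
    -extfile "$dir/server.cnf" -extensions eap_server \
    -out "$dir/server.crt" 2>/dev/null
}

# Print the subject or issuer CN of cert $1 ($2 = subject | issuer): the
# "what are the subject and issuer CNs" check from Waldrep's reply.
cert_cn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
    sed -n 's/^[a-z]*= *CN=\([^,]*\).*/\1/p'
}

# Succeed if cert $1 lists EKU $2 (OpenSSL display name or dotted OID).
cert_has_eku() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -q -F -- "$2"
}

# Succeed if cert $1 carries DNS SAN $2.
cert_has_san_dns() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' | grep -q -F -- "DNS:$2"
}

# Succeed if server.crt in $1 chains to root.crt in $1, as a supplicant
# holding only the root (pushed via CAT) would check it.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
build_eap_pki "$work"
verify_chain "$work" && echo "chain: OK"
echo "server subject CN: $(cert_cn "$work/server.crt" subject)"
echo "server issuer  CN: $(cert_cn "$work/server.crt" issuer)"
cert_has_eku "$work/server.crt" "TLS Web Server Authentication" && echo "EKU: serverAuth"
cert_has_eku "$work/server.crt" 1.3.6.1.5.5.7.3.14 && echo "EKU: id-kp-eapOverLAN"
```

The root certificate has no EKU at all, so `cert_has_eku` on it fails, which is the behaviour you want when checking that only the leaf advertises server use.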

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Tim Cappalli
Jonathan,

As I mentioned in my first reply, just use the certificate that is still valid 
on all nodes in your CPPM cluster for EAP. This will allow existing clients to 
still authenticate.

When that cert expires, you'll need to look at re-onboarding clients, and at 
that point I'd recommend moving to a PKI you control (even just a basic 
offline root using openssl). I'd recommend at least spinning up the root now 
and including it in the CAT tool config so new clients that connect will be 
ready for that change.

tim


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Elton, Norman N
To be honest, this conversation has resurfaced some of my concerns as well. I’m 
also working to make sure we’re as best prepared for fall move-in.

We’ll stand up a private PKI for our server-side certificate. But we’ve already 
got thousands of clients configured to trust our existing InCommon certificate. 
I don’t want to force all those users to re-enroll via SecureW2. So we’ll begin 
configuring new devices to trust both InCommon AND our private CA now, but it 
will be years before we can actually change the server certificate to anything 
signed by our private CA.

We monitor which certificates are used for authentication. Once we see that 90% 
of devices are using certificates issued after August 2021, then we can 
communicate to the remaining 10% and make the change to the server.

Or at least that’s the hope!

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu<mailto:wne...@wm.edu> / 757-221-7790


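
An added example, not Norman's monitoring tooling: the readiness rule his message describes (switch the server certificate once 90% of devices are on certificates issued after the cutover, and contact the rest), applied to a constructed authentication log. The record format (timestamp, device id, client-certificate notBefore date) and the assumption that a client certificate issued after the cutoff means the device was onboarded with a profile that trusts the private CA are this example's, not the page's.

```shell
#!/bin/sh
# Added example, not from the thread. Readiness check over a constructed
# auth log; one authentication per line: "timestamp,device-id,cert-notBefore".
set -eu

# Constructed sample log; devices repeat because they authenticate often.
AUTH_LOG='2021-09-01T08:00:12,aa:bb:cc:00:00:01,2020-09-14
2021-09-01T08:00:19,aa:bb:cc:00:00:02,2021-08-20
2021-09-01T08:01:03,aa:bb:cc:00:00:01,2020-09-14
2021-09-01T08:02:40,aa:bb:cc:00:00:03,2021-08-23
2021-09-01T08:05:55,aa:bb:cc:00:00:04,2021-08-30
2021-09-01T08:06:10,aa:bb:cc:00:00:02,2021-08-20'

# For each distinct device in log $1, print "device ready|old" depending on
# whether its newest client cert is dated on/after cutoff $2 (YYYY-MM-DD).
# Tracking the newest cert means a re-enrolled device counts as ready.
device_status() {
  printf '%s\n' "$1" | awk -F, -v cutoff="$2" '
    # ISO dates compare correctly as strings, so no date parsing is needed.
    $3 > last[$2] { last[$2] = $3 }
    END { for (d in last) print d, (last[d] >= cutoff ? "ready" : "old") }' | sort
}

# Integer percentage of distinct devices that are ready.
readiness_percent() {
  device_status "$1" "$2" | awk '
    { n++; if ($2 == "ready") r++ }
    END { printf "%d\n", (n ? 100 * r / n : 0) }'
}

# Devices still on pre-cutoff certs: the group to contact before the change.
laggards() {
  device_status "$1" "$2" | awk '$2 == "old" { print $1 }'
}

# Succeed once readiness reaches threshold $3 (percent; Norman's figure is 90).
ready_to_switch() {
  [ "$(readiness_percent "$1" "$2")" -ge "$3" ]
}

echo "ready: $(readiness_percent "$AUTH_LOG" 2021-08-01)% of devices"
echo "still to contact: $(laggards "$AUTH_LOG" 2021-08-01 | tr '\n' ' ')"
if ready_to_switch "$AUTH_LOG" 2021-08-01 90; then
  echo "safe to move the server cert to the private CA"
else
  echo "keep the InCommon server cert for now"
fi
```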

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-10 Thread Jonathan Miller
Thank you all for the informative replies.  As is probably obvious, when we
initially rolled this out, we were completely unaware of the best
practices, and are currently working to correct that and get our
infrastructure where it should be.

We do not have an in-house PKI expert, but we are not completely unfamiliar
with OpenSSL.  We do not currently have any internal CA as we've just used
InCommon for all of our certificate needs.

If we want to do this right, my understanding is that the process is to:
1.  Create a Root CA with a long-lived certificate
2.  Create a certificate for our ClearPass servers, signed by that Root CA,
making sure to include the attributes listed here:
https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
3.  Apply the certificate to ClearPass and distribute our new Root CA via
CAT or other means

Would we be crazy to try to accomplish this inside of the 2 weeks that we
have before students start to return to campus?  Any advice is appreciated,
just trying to steer this boat away from the iceberg.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College


On Mon, Aug 9, 2021 at 12:12 PM Jeffrey D. Sessler 
wrote:

> CA’s have done nothing is fifteen plus years, so from a risk management
> perspective, the chance of them changing course now is rather low. As to
> future RFCs, even if that happened tomorrow, it could be a decade or more
> before there was broad support, and more importantly, we could think about
> enforcement.
>
>
>
> Jeff
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Monday, August 09, 2021 8:05 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New
> Root
>
>
>
> CA policies really have nothing to do with implementations of other
> protocols. There have been many discussions about this on this list and
> others, and a future RFC will likely include further clarity. However, as
> I've said in the past, RFCs do not dictate CA/B policies.
>
>
>
> If we're going to continue this discussion, we should fork a new thread as
> it has nothing to do with the original question.
>
>
>
> tim
> --
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <
> j...@scrippscollege.edu>
> *Sent:* Monday, August 9, 2021 10:53
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New
> Root
>
>
>
> Per the RFC, the certificate-using application _*MAY*_ require the EAP
> extended key usage extension to be present. It is not a must or shall, so
> I’m not exactly sure what the problem is here. Vendors have chosen against
> requirement.
>
>
>
> The certificate-using application appears to be satisfied by the server
> authentication EKU, which is appropriate, and I don’t see why the public CA
> would consider it a misuse and invalidate it.
>
>
>
> As others have indicated, this is the de facto, and right or wrong, it’s
> not going to change and not worth getting stirred up about.
>
>
>
> jeff
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Doug Wussler <
> 029e57f9967b-dmarc-requ...@listserv.educause.edu>
> *Date: *Monday, August 9, 2021 at 7:33 AM
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New
> Root
>
> Well, here is Microsoft's take on it...
>
>
>
>
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
CA's have done nothing in fifteen plus years, so from a risk management 
perspective, the chance of them changing course now is rather low. As to future 
RFCs, even if that happened tomorrow, it could be a decade or more before there 
was broad support, and more importantly, we could think about enforcement.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, August 09, 2021 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

CA policies really have nothing to do with implementations of other protocols. 
There have been many discussions about this on this list and others, and a 
future RFC will likely include further clarity. However, as I've said in the 
past, RFCs do not dictate CA/B policies.

If we're going to continue this discussion, we should fork a new thread as it 
has nothing to do with the original question.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jeffrey D. Sessler <j...@scrippscollege.edu>
Sent: Monday, August 9, 2021 10:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I'm not 
exactly sure what the problem is here. Vendors have chosen against requirement.



The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don't see why the public CA 
would consider it a misuse and invalidate it.



As others have indicated, this is the de facto, and right or wrong, it's not 
going to change and not worth getting stirred up about.



jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Doug Wussler <029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Well, here is Microsoft's take on it...



https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCA

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
CA policies really have nothing to do with implementations of other protocols. 
There have been many discussions about this on this list and others, and a 
future RFC will likely include further clarity. However, as I've said in the 
past, RFCs do not dictate CA/B policies.

If we're going to continue this discussion, we should fork a new thread as it 
has nothing to do with the original question.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jeffrey D. Sessler 

Sent: Monday, August 9, 2021 10:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I’m not 
exactly sure what the problem is here. Vendors have chosen against requirement.



The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don’t see why the public CA 
would consider it a misuse and invalidate it.



As others have indicated, this is the de facto, and right or wrong, it’s not 
going to change and not worth getting stirred up about.



jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Well, here is Microsoft's take on it...



https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root



I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)



tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I’m not 
exactly sure what the problem is here. Vendors have chosen against requirement.

The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don’t see why the public CA 
would consider it a misuse and invalidate it.

As others have indicated, this is the de facto, and right or wrong, it’s not 
going to change and not worth getting stirred up about.

jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root
Well, here is Microsoft's take on it...

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Well, here is Microsoft's take on it...

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on beha

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu&

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu<mailto:wne...@wm.edu> / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificate are issued through InCommon, a
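
Jonathan's question (will clients have trouble if the two ClearPass nodes carry certificates chaining to different roots?) and Tim's answer (put the same certificate on every node) can be made concrete with a small model of what a supplicant profile does with the chain a RADIUS node presents. This is an added example and not code from anyone in this thread, from eduroam CAT or from ClearPass: a certificate is modelled as subject, issuer and a key id that stands in for a hash of its SubjectPublicKeyInfo, there is no signature checking, and every root, issuing CA, key and the host name radius.example.edu are constructed placeholders.

```python
"""Model of how a supplicant profile evaluates the EAP server chain each RADIUS
node presents, to show why mixed certificates across a cluster bite.

Added example; not from the thread, eduroam CAT or ClearPass. No signatures are
verified: a certificate is a subject, an issuer and a key id, and every name
and key below is constructed.
"""
import hashlib
from collections import Counter


def cert(subject, issuer, key_label):
    """Constructed certificate record; key_label stands in for the real public key."""
    return {"subject": subject, "issuer": issuer,
            "key": hashlib.sha256(key_label.encode()).hexdigest()[:16]}


# Two constructed public roots (the "previously Comodo" and "now Sectigo" of the
# question), one issuing CA under each, and the old and renewed server certs.
ROOT_A = cert("Root A", "Root A", "root-a")
ROOT_B = cert("Root B", "Root B", "root-b")
ISSUER_A = cert("Issuing CA under A", "Root A", "issuer-a")
ISSUER_B = cert("Issuing CA under B", "Root B", "issuer-b")
LEAF_OLD = cert("radius.example.edu", "Issuing CA under A", "eap-server-old")
LEAF_RENEWED = cert("radius.example.edu", "Issuing CA under B", "eap-server-renewed")

# Supplicant profiles (what a CAT/onboarding profile pins): server name + anchors.
PROFILE_A = {"server_names": {"radius.example.edu"}, "trusted_keys": {ROOT_A["key"]}}
PROFILE_AB = {"server_names": {"radius.example.edu"},
              "trusted_keys": {ROOT_A["key"], ROOT_B["key"]}}

MIXED_CLUSTER = {"cppm-1": [LEAF_OLD, ISSUER_A, ROOT_A],
                 "cppm-2": [LEAF_RENEWED, ISSUER_B, ROOT_B]}
CONSISTENT_CLUSTER = {"cppm-1": [LEAF_OLD, ISSUER_A, ROOT_A],
                      "cppm-2": [LEAF_OLD, ISSUER_A, ROOT_A]}


def supplicant_accepts(profile, chain):
    """The leaf must carry an expected server name and the chain must link
    issuer to subject until it reaches a key the profile trusts. Anchors are
    matched by key, never by display name."""
    leaf = chain[0]
    if leaf["subject"] not in profile["server_names"]:
        return False, "server name %r not expected by profile" % leaf["subject"]
    current = leaf
    for link in chain[1:]:
        if link["subject"] != current["issuer"]:
            return False, "chain breaks at %r" % link["subject"]
        current = link
        if current["key"] in profile["trusted_keys"]:
            return True, "anchored at %r" % current["subject"]
    return False, "no trusted anchor above %r" % current["subject"]


def cluster_report(profile, node_chains):
    """One verdict per node. With RADIUS load sharing a client may land on any
    node, so one rejecting node means some attempts fail and others succeed,
    which users experience as flaky Wi-Fi rather than a clean outage."""
    verdicts = {node: supplicant_accepts(profile, chain)
                for node, chain in node_chains.items()}
    leaf_keys = Counter(chain[0]["key"] for chain in node_chains.values())
    return {"verdicts": verdicts,
            "all_accepted": all(ok for ok, _ in verdicts.values()),
            "same_server_cert": len(leaf_keys) == 1}


if __name__ == "__main__":
    for label, profile, cluster in [
            ("profile trusts A, mixed cluster", PROFILE_A, MIXED_CLUSTER),
            ("profile trusts A and B, mixed cluster", PROFILE_AB, MIXED_CLUSTER),
            ("profile trusts A, same cert everywhere", PROFILE_A, CONSISTENT_CLUSTER)]:
        print(label, cluster_report(profile, cluster))
```

Trusting both roots (PROFILE_AB) makes the mixed cluster pass, which is the "trust multiple root public CAs" workaround, but the report still flags that the nodes present different server certificates; deploying the one longest-lived certificate on every node, as Tim advises, is what makes the result independent of which root a given client profile happens to pin.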

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
This is largely a workaround/hack due to the continued deployment of EAP server 
certificates issued from public CAs in the wild.

Issuing certificates from your own PKI with the web server auth EKU is 
perfectly acceptable and should also include the EAP EKU.

Unfortunately there can't really be a flag day for something like this due to 
industry fragmentation.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jeffrey D. Sessler
Sent: Monday, August 9, 2021 10:24
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I’m curious about this and would like to know more. Many operating systems
require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a
requirement for EAP. Last I looked, public CAs include this when minting a
so-called web server cert.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli
Date: Monday, August 9, 2021 at 5:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which
public CAs will not issue). EAP also does not follow traditional PKIX
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse
at any time.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Elton, Norman N
Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

>> Technically, you're not even supposed to use the certificates issued from a
>> public CA for EAP as it's a violation of multiple policies.

I’m curious what those are. I thought it was fairly standard practice to use
publicly-signed certificates on the server side, with privately-signed
certificates on the clients.

Thanks!

Norman

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the
best practice.

Technically, you're not even supposed to use the certificates issued from a
public CA for EAP as it's a violation of multiple policies.

Tim


RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
No current operating systems enforce EAP EKU at the moment. If it were suddenly 
enforced, the majority of EAP networks would break. Whether right or wrong 
(it's wrong), that is just how the majority of networks are currently deployed.

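
Tim's point that a certificate from your own PKI should carry the web server auth EKU and the EAP EKU, Jeff's reference to the Server Auth OID, and Max's observation that no operating system enforces the EAP EKU yet all come down to which KeyPurposeId OIDs sit in the certificate's Extended Key Usage extension. Below is an added example, not code from anyone in this thread nor from ClearPass, SecureW2 or InCommon: a standard-library-only DER encoder and decoder for the ExtKeyUsage value (extension 2.5.29.37) and a checker that applies the thread's two points. The OIDs are id-kp-serverAuth and id-kp-clientAuth from RFC 5280 and id-kp-eapOverPPP and id-kp-eapOverLAN from RFC 4334; the three sample EKU values are constructed with the encoder here, not extracted from any real certificate.

```python
"""Inspect the Extended Key Usage of an EAP server certificate.

Added example for this thread, not code from any poster or vendor. Standard
library only: a minimal DER encoder/decoder for the ExtKeyUsage value and a
check applying the two points made in the thread. The sample EKU values at
the bottom are constructed here, not taken from a real certificate.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, RFC 5280 (the OID Jeff cites)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth, RFC 5280
EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"  # id-kp-eapOverPPP, RFC 4334
EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN, RFC 4334 (the "EAP EKU")


def encode_oid(dotted):
    """Content octets of a DER OBJECT IDENTIFIER for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on every octet but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(raw):
    """Inverse of encode_oid."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for octet in raw[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280 4.2.1.12)."""
    inner = b"".join(b"\x06" + der_length(len(c)) + c for c in map(encode_oid, oids))
    return b"\x30" + der_length(len(inner)) + inner


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_eku(der):
    """Parse a DER ExtKeyUsage value into dotted OIDs; rejects trailing data."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage must be a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtKeyUsage")
        oids.append(decode_oid(content))
    return oids


def check_eap_server_eku(der):
    """Apply the thread's two points: supplicants require id-kp-serverAuth, and a
    cert minted by your own PKI for EAP should also carry id-kp-eapOverLAN
    (nothing enforces the latter today, so its absence is advisory)."""
    oids = decode_eku(der)
    findings = []
    if SERVER_AUTH not in oids:
        findings.append("missing id-kp-serverAuth: Windows and other supplicants will reject it")
    if EAP_OVER_LAN not in oids:
        findings.append("missing id-kp-eapOverLAN: add it when issuing from your own PKI")
    return oids, findings


# Constructed samples: what a public web server cert, a private-PKI EAP server
# cert and a client-only cert would carry. Not extracted from real certificates.
PUBLIC_WEB_SERVER_EKU = encode_eku([SERVER_AUTH, CLIENT_AUTH])
PRIVATE_EAP_SERVER_EKU = encode_eku([SERVER_AUTH, EAP_OVER_LAN])
CLIENT_ONLY_EKU = encode_eku([CLIENT_AUTH])

if __name__ == "__main__":
    for name, value in [("public web server", PUBLIC_WEB_SERVER_EKU),
                        ("private-PKI EAP server", PRIVATE_EAP_SERVER_EKU),
                        ("client-only", CLIENT_ONLY_EKU)]:
        oids, findings = check_eap_server_eku(value)
        print(name, value.hex(), oids, findings or "OK")
```

To run the checker on a real certificate, hand it the DER content of the 2.5.29.37 extension's OCTET STRING. It deliberately flags only what the thread asks about: a missing serverAuth is a hard failure with today's supplicants, a missing eapOverLAN is advisory, and the EKU alone cannot tell a public CA from a private one.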

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Price, Jamie G
Anyone have a book or reading recommendations on this topic?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jonathan Miller
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

We are currently using publicly signed certificates for our eduroam access on a
cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our expiring
certificate, I noticed that it is showing that it has a root of Sectigo, where
it was previously Comodo.  The certificate that is not expiring has a root CA
of Comodo.

This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo
to our

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
I’m curious about this and would like to know more. Many operating systems
require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a
requirement for EAP. Last I looked, public CAs include this when minting a
so-called web server cert.

Jeff


RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
That’s the stuff.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
Campus Wireless Policy:
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of McClintic, Thomas
Sent: Monday, August 9, 2021 9:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I didn’t say how long; 399 days is long in today’s terms.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Lee H Badman
Sent: Monday, August 9, 2021 8:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

“The validity period is very long.”

Now you did it, Thomas. You realize you’re about to get scolded…. ☺

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
Campus Wireless Policy:
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of McClintic, Thomas
Sent: Monday, August 9, 2021 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

We use an internal CA-signed server certificate without issue for EAP-TLS. We
are currently using ClearPass Onboard & moving to SecureW2.

We previously used InCommon for server CA and are much happier with using a
private CA for the server certificate. The validity period is very long.

I would not use different server certificates; I imagine clients receive
certificate warnings which you would not want them to be comfortable bypassing.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Julian Y Koh
Sent: Monday, August 9, 2021 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

On Aug 9, 2021, at 07:56, Tim Cappalli wrote:

> Let’s not go down this rabbit hole again.


I thought there was a picture of a rabbit and a hole in the dictionary next to 
“mailing list” and “USENET”.   :)

Or is that just in reference to NANOG and IPv6?  :) :) :)

--
Julian Y. Koh
Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <https://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community


RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
I didn’t say how long; 399 days is long in today’s terms.


RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
“The validity period is very long.”

Now you did it, Thomas. You realize you’re about to get scolded…. ☺

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
We use an internal CA signed server certificate without issue for EAP-TLS. We 
are currently using ClearPass Onboard and moving to SecureW2.

We previously used InCommon for the server CA and are much happier with using a 
private CA for the server certificate. The validity period is very long.

I would not use different server certificates; I imagine clients receive 
certificate warnings, which you would not want them to be comfortable bypassing.



Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Julian Y Koh


On Aug 9, 2021, at 07:56, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

Let's not go down this rabbit hole again.


I thought there was a picture of a rabbit and a hole in the dictionary next to 
“mailing list” and “USENET”.   :)

Or is that just in reference to NANOG and IPv6?  :) :) :)


--
Julian Y. Koh
Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <https://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>




RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
Back to the original question. If you are talking about the EAP certificates, I 
would caution against using an EAP certificate with two separate roots. You are 
asking for trouble. At the very best, your clients will get certificate errors 
and warnings. At worst, you will have clients that will flat out refuse to 
connect. Your best option is to renew your certificate and apply it for all 
RADIUS servers in your environment.

I'm not familiar with the CAT tool, but I can imagine they would only allow one 
root CA. Additionally, if your ClearPass servers are clustered, they will not 
allow you to apply more than one EAP certificate.

Client certs should be signed using an internal intermediate cert signed by an 
organizationally controlled root CA, but that is completely different from your 
EAP certificate.

Max


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
Let's not go down this rabbit hole again.

I was directly answering the question. If you choose to use certificates that 
violate CA policies and risk revocation, and ask users to configure their own 
supplicants, putting their credentials at high risk, that is your decision.

Tim




RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread James Andrewartha
Which is great, and I agree with it, but Android went and made it really hard to 
onboard a private CA, and so now people are going back to public certs for EAP 
to lower their support burden.



Sent from my Galaxy




Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim




Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.

I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.

Thanks!

Norman


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.

Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root



You don't often get email from jmill...@fandm.edu. Learn why this is 
important<http://aka.ms/LearnAboutSenderIdentification>

We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificate are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that is has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?



Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.



Thanks,

Jonathan Miller

Senior Network Analyst

Franklin and Marshall College

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C78bfb0cfe8144d3728f408d95b2fd24d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641083242437605%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000=DzBifpIe8ILZYvzbMR96aftTLyUacSZJiG%2F%2FI4iczro%3D=0>

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.

We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.

Thanks!

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790



Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)



eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jonathan Miller
We are currently using publicly signed certificates for our eduroam access
on a cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our
expiring certificate, I noticed that it is showing that it has a root of
Sectigo, where it was previously Comodo.  The certificate that is not
expiring has a root CA of Comodo.

This leads me to the following questions:
1.  Is it advisable to run certificates with different Root CAs on
different members of our ClearPass cluster?  Would we expect to see client
issues?
2.  If it's not a problem to do this, can I simply add the Root CA for
Sectigo to our eduroam CAT configuration, or is there only one Root CA
allowed?

Any other advice is appreciated.  I understand that most institutions are
moving to privately issued certificates in order to get control of these
certificate chain issues, but we haven't quite gotten there yet.  Our plan
to properly onboard clients is to use an SSID with a captive portal to
direct them to the eduroam CAT download.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College

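
As an added example (not code from the thread, ClearPass, eduroam CAT or SecureW2), the following Go check applies the two points raised in this discussion: every node in the RADIUS cluster must present the same EAP server certificate, and that certificate must chain, through the intermediates the server sends, to a root the CAT profile trusts. The roots, intermediate, node names and the `radius.example.edu` hostname are constructed test data, and Go's crypto/x509 path validation is assumed to stand in for the supplicant's own check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCluster applies the thread's two rules (every RADIUS node presents the same EAP server cert, and that
// cert chains to a CAT-trusted root): it returns the number of distinct leaf certs and one message per failing node.
func CheckCluster(nodes map[string]*x509.Certificate, inter, catRoots *x509.CertPool) (distinct int, bad []string) {
	seen := map[string]bool{} // keyed by the DER bytes, which is the same as comparing fingerprints
	for name, c := range nodes {
		seen[string(c.Raw)] = true
		if _, err := c.Verify(x509.VerifyOptions{Roots: catRoots, Intermediates: inter}); err != nil {
			bad = append(bad, name+": "+err.Error())
		}
	}
	return len(seen), bad
}

// mkCert issues a throwaway certificate (constructed for this example, not a real InCommon/Sectigo chain); parent == nil self-signs.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	rootA, keyA := mkCert("Test Root A", true, nil, nil)
	rootB, keyB := mkCert("Test Root B", true, nil, nil)
	interA, keyI := mkCert("Test Intermediate A", true, rootA, keyA)
	leaf1, _ := mkCert("radius.example.edu", false, interA, keyI)
	leaf2, _ := mkCert("radius.example.edu", false, rootB, keyB) // renewed under a different root
	inter, cat := x509.NewCertPool(), x509.NewCertPool()
	inter.AddCert(interA)
	cat.AddCert(rootA) // the CAT profile trusts root A only
	fmt.Println(CheckCluster(map[string]*x509.Certificate{"cppm1": leaf1, "cppm2": leaf2}, inter, cat))
}
```

Adding the second root to `cat` clears the chain failure but the check still reports two distinct certificates, which is the condition the cluster advice rules out regardless of how many roots the profile trusts.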