Hi Ryan,
We also used a self-signed certificate and a set-up wizard to load the CA cert on to the client and configure the wireless profile (similar to SU1X).

We configure explicit trust for maximum security, i.e. only trust our CA cert, and only trust a radius server if its cert CN matches 'eduroam.wireless.bris.ac.uk'.

As far as multiple radius servers go -- they should all use the same certificate (the name of the radius box is irrelevant to the PEAP certificate CN).

Regards,
 James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--

--On Tuesday, October 12, 2010 07:33:42 -0400 "Osborne, Bruce W" <bosbo...@liberty.edu> wrote:

Gareth,

How do you handle multiple RADIUS servers for redundancy?

We have our own CA trusted by GTE OmniRoot
(http://cybertrust.omniroot.com/) so we just set up to trust them as the
root CA.  We will be deploying 802.1x, trust OmniRoot only, & not prompt
for other certificates. We have 2 RADIUS servers for redundancy, but
since they both have trusted certificates, there appears to be no issue.

Bruce Osborne
Liberty University

From: Ayres G.J. [mailto:g.j.ay...@swansea.ac.uk]
Sent: Monday, October 11, 2010 11:16 AM
Subject: Re: PEAPv0 Config Best Practice and Certificate Root
question/concern

Just use a self-signed cert, it's more secure.

We use a self-signed cert and deploy it with SU1X to Windows devices.

Gareth.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: 11 October 2010 13:32
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAPv0 Config Best Practice and Certificate Root
question/concern

We are pursuing an updated configuration for our 802.1X enabled WLAN
using PEAP/MSCHAPv2. Historically, we have not specified the specific
certificate name in the Windows configuration file. We are going to move
towards this and toggle the option to not prompt the user to accept other
certificates. In doing so, we are also specifying the root CA in the
configuration.

My questions are:
1.) Are other universities sharing this approach currently?
2.) If you are, how have you mitigated concerns that your certificate
provider changes the root CA that is signing your server certificate?

For #2, for instance, if your root was currently 'Equifax Secure
Certificate Authority' and your root changed to 'AddTrust External CA
Root', how can you avoid having users suddenly unable to connect (since
the user will not be prompted to accept the new certificate)?

Thanks,

==========
Ryan Holland

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
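
An added example, not part of any message in this thread: a Python check over the PEAP section of a Windows WLAN profile that flags the three settings the thread discusses (a pinned root CA, a server name match, and no user prompt for other certificates). The XML samples are constructed, the thumbprint is a placeholder, the element names follow Microsoft's MsPeapConnectionPropertiesV1 schema, and `audit_peap` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"

# Constructed samples (not from the thread); the thumbprint is a placeholder.
SAMPLE_PINNED = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>eduroam.wireless.bris.ac.uk</ServerNames>
    <TrustedRootCA>aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa</TrustedRootCA>
  </ServerValidation>
</EapType>"""

SAMPLE_WEAK = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
</EapType>"""


def local(tag):
    """Strip the XML namespace so the check works on any schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_peap(xml_text, expected_name):
    """Return a list of findings; an empty list means explicit trust is set."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation element: server certificate is not pinned"]
    vals = {}
    for child in sv:
        vals.setdefault(local(child.tag), []).append((child.text or "").strip())
    findings = []
    prompt = [v.lower() for v in vals.get("DisableUserPromptForServerValidation", [])]
    if prompt != ["true"]:
        findings.append("user may be prompted to accept an unknown certificate")
    names = [n for s in vals.get("ServerNames", []) for n in s.split(";") if n]
    if names != [expected_name]:
        findings.append(f"server name list {names} is not exactly [{expected_name}]")
    if not [r for r in vals.get("TrustedRootCA", []) if r]:
        findings.append("no trusted root CA is pinned")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("pinned", SAMPLE_PINNED), ("weak", SAMPLE_WEAK)):
        print(label, audit_peap(xml_text, "eduroam.wireless.bris.ac.uk"))
```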