Thanks to assistance from Cloudpath tech support, we should be able to use XpressConnect to assist in the migration of users to the InCommon/Comodo Root CA.
It still isn't going to be pretty as all users will have to re-configure their devices before the existing cert expires. Our current (Thawte) cert expires in July. Hopefully that's enough time to notify everyone. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa 319 384-0938 neil-john...@uiowa.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M Sent: Monday, November 01, 2010 12:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Versign New Root CERT We are also moving to Comodo via Incommon which is going to be interesting. Hopefully we can leverage our Cloudpath installation to rollout the changes. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa 319 384-0938 neil-john...@uiowa.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C. Sent: Monday, October 18, 2010 11:45 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Versign New Root CERT Bruce, We had this exact same issue! Instead of a default 1024bit certificate rooted in Equifax, we received a 2048bit certificate rooted in GeoTrust. We explained that reconfiguring the tens of thousands of devices 'out there' is an impossibility at this time. Basically, this resulted in a lot of back and forth, but in the end, we leveraged the fact that Verisign had until December 31, 2010 to comply with new regulations that forced them to the 2048bit offering. Thus, we were able to obtain a renewal for our certificate that would last another 12 months. We are now migrating towards using Comodo through Incommon. But again, this is through a different root. Luckily, we are nearing a rollout of a new identity management solution along with a WLAN encryption upgrade; each requires reconfiguration on the user's part. We are leveraging these circumstances to roll out a configuration utility that will trust both Equifax as well as our new root. Many folks will say to just use a self-signed root, but for some entities, that is not an option since the network engineers may not dictate the security policies. :-/ Good luck! ========== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland....@osu.edu<mailto:holland....@osu.edu> On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote: We just renewed our Verisign CERTs only to find that the Verisign Root has changed. This wouldn't be a big deal, if it were for a web server, but since it's student laptops configured to accept the only the old public primary root it has a big impact. Verisign is saying that our only recourse is to reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the Radius auth, and certification. Anyone solve this already, or have any suggestions about how to avoid reconfiguring all the clients. |>Bruce Boardman, Network Engineer, Syracuse University - c 315 412-4156<| ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- BEGIN-ANTISPAM-VOTING-LINKS ------------------------------------------------------ Teach CanIt if this mail (ID 1101816143) is spam: Spam: https://antispam.osu.edu/b.php?i=1101816143&m=35b1c509aa0f&c=s Not spam: https://antispam.osu.edu/b.php?i=1101816143&m=35b1c509aa0f&c=n Forget vote: https://antispam.osu.edu/b.php?i=1101816143&m=35b1c509aa0f&c=f ------------------------------------------------------ END-ANTISPAM-VOTING-LINKS ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
