Jason et al.,

One heads up: with 2048-bit certs, make sure that you have the Framed-MTU flag in RADIUS set to something like 1400 bytes.

Reference: http://www.eduroamus.org/node/29 (read the last paragraph). It applies for regular campus 1x and eduroam.
Philippe
Univ. of TN

On Oct 19, 2011, at 9:27 PM, Jason Healy wrote:

> On Oct 19, 2011, at 3:20 PM, John York wrote:
>
>> If that’s true, I’ve been adding extra complexity to my work for years. I
>> guess “any valid cert” would also have to come from a CA the user’s computer
>> accepts. Comments?
>
> This year we changed our EAP cert from a "real" cert (GeoTrust) to a
> self-signed dot1x cert with a "friendly" CN (instead of a DNS-like one). We
> had to break away from our old method because our cert provider only did
> 2048-bit certs, and after we got one issued we found out that our old (5.x)
> Aruba gear only deals with 1024-bits. Whoops.
>
> We're an all-mac shop, and there's been no change in the rest of the process
> for us. OS X requires that the cert be manually trusted for EAP (even if
> it's signed by a trusted root authority), so it's really no extra work to
> have a self-signed dot1x cert (we have a script that adds and trusts the cert
> that our users run).
>
> We also baked the "special sauce" windows OIDs into our cert and have gotten
> Windows 7 to trust it, though we've only set this up manually (I've tested it
> on exactly two clients, as that's how many windows boxes we have around
> here). We don't have AD, so I'm not sure how cert trust is supposed to work
> with MS infrastructure. Given the number of windows clients we have, this is
> fine for now.
>
> From what I understand, XpressConnect makes all of this much easier, but
> unfortunately I don't have the $$$ for that right now...
>
> Jason
>
> --
> Jason Healy | [email protected] | http://www.logn.net/
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
> **********
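As an added example (not part of the original thread), this Python check parses a RADIUS packet's attributes and reports whether Framed-MTU (attribute type 12, RFC 2865) is present and at or below the roughly 1400 bytes suggested at the top of this message. The sample packets and the names `check_framed_mtu` and `build_request` are constructed for illustration.

```python
import struct

FRAMED_MTU = 12          # RADIUS attribute type for Framed-MTU (RFC 2865)
ADVISED_MAX = 1400       # value suggested in the message above

def parse_attributes(packet: bytes):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20                      # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def check_framed_mtu(packet: bytes, limit: int = ADVISED_MAX) -> str:
    """Report 'missing', 'ok (N)' or 'too large (N)' for the packet's Framed-MTU."""
    _code, attrs = parse_attributes(packet)
    values = [v for t, v in attrs if t == FRAMED_MTU]
    if not values:
        return "missing"
    if len(values[0]) != 4:
        raise ValueError("Framed-MTU must be a 4-byte integer")
    mtu = struct.unpack("!I", values[0])[0]
    return f"ok ({mtu})" if mtu <= limit else f"too large ({mtu})"

def build_request(mtu=None) -> bytes:
    """Constructed sample Access-Request: User-Name plus optional Framed-MTU."""
    body = bytes([1, 2 + len(b"alice")]) + b"alice"
    if mtu is not None:
        body += bytes([FRAMED_MTU, 6]) + struct.pack("!I", mtu)
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    for mtu in (1400, 1500, None):
        print(mtu, "->", check_framed_mtu(build_request(mtu)))
```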
