We have our clients just trust the CA chain (not the server certificate) and authenticate only to our servers by name. That way we can replace our server certificates without causing any disruption.
Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Oliver, Jeff [mailto:[email protected]]
Sent: Monday, December 8, 2014 12:39 PM
Subject: Certificates et al.

All,

I am guessing that this has come up more than once on the list, but some of our certs are up for renewal and I have not seen a discussion regarding certs recently, so I thought that I would ask the questions…

Physical infrastructure:
1. Client (Windows, Mac OS X, iStuff, Android, etc.)
2. WAP (Cisco various)
3. WLC (WiSM2)
4. Cisco Access Control Server
5. Microsoft Active Directory

Configuration:
1. WPA+WPA2, AES
2. 802.1X
3. AAA points at our ACS server
4. ACS server points at Active Directory and has a "real" cert
5. AD uses the MS-PKI infrastructure and has a cert from the internal CA

Question:
- What are people doing in regard to certificates and setup of the WLAN on the client device? There seems to be no "magic bullet" combination that will allow all clients to consistently join a WLAN and authenticate without having to tweak them.
- We have had occasions where two new devices of the same platform arrive and one has issues and needs to be tweaked while the other is fine. Any advice?

Cheers,
Jeff

---
Jeffrey L. Oliver
Sr. Network Analyst
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4
Tel: 403.329.5162
Mob: 403.315.4461
Fax: 403.382.7108
URI: [email protected]
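A runnable illustration of the trust model described in the reply above (clients trust the internal CA chain, accept only a named server, and therefore keep working when the server certificate is renewed). This is an added example, not code from the thread or from any of the products it mentions; it uses openssl from a POSIX shell, and the CA name "Example University Internal CA", the RADIUS/EAP server name radius.example.edu and the file labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): models an 802.1X supplicant that
# trusts only an internal CA and accepts only a named RADIUS/EAP server.
# Assumed names: "Example University Internal CA" and radius.example.edu.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RADIUS_NAME="radius.example.edu"   # the one server name the supplicant may talk to

# Mint the internal CA that the clients will be configured to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example University Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_server_cert NAME LABEL: issue a CA-signed server certificate for NAME
# (stands in for the ACS/RADIUS server's certificate), written to $WORK/LABEL.pem.
issue_server_cert() {
  name=$1; label=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$label.key" -out "$WORK/$label.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" \
    > "$WORK/$label.ext"
  openssl x509 -req -in "$WORK/$label.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$label.ext" \
    -out "$WORK/$label.pem" 2>/dev/null
}

# client_accepts LABEL: the check a supplicant performs. Returns 0 only when the
# certificate chains to our CA *and* carries the expected server name.
# Nothing here references the individual server certificate (no fingerprint,
# no serial), so the server cert can be replaced without touching the clients.
client_accepts() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$RADIUS_NAME" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

main() {
  make_ca
  issue_server_cert "$RADIUS_NAME" server-2014     # current server certificate
  issue_server_cert "$RADIUS_NAME" server-2015     # its renewal, new key and serial
  issue_server_cert "nas.example.edu" other-box    # same CA, different name

  for label in server-2014 server-2015 other-box; do
    if client_accepts "$label"; then
      echo "$label: accepted"
    else
      echo "$label: rejected"
    fi
  done
}

main "$@"
```

Both server-2014 and server-2015 are accepted and other-box is rejected, even though all three were signed by the same trusted CA: the name check is what stops any other CA-issued certificate from impersonating the RADIUS server, and the absence of any per-certificate pin is what makes renewal transparent. On a Linux supplicant the equivalent settings are wpa_supplicant's ca_cert together with domain_match (or domain_suffix_match); on Windows they are the PEAP/EAP-TLS "Connect to these servers" list together with the selected trusted root CA.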
