How do you trust server by name only for Macs?
------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Tue, Dec 9, 2014 at 7:55 AM, Osborne, Bruce W (Network Services) <[email protected]> wrote:

> We have our clients just trust the CA chain (not the server certificate)
> and to authenticate only to our servers by name. That way we can replace
> our server certificates without causing any disruption.
>
> *Bruce Osborne*
> *Network Engineer – Wireless Team*
> *IT Network Services*
>
> *(434) 592-4229*
>
> *LIBERTY UNIVERSITY*
> *Training Champions for Christ since 1971*
>
> *From:* Oliver, Jeff [mailto:[email protected]]
> *Sent:* Monday, December 8, 2014 12:39 PM
> *Subject:* Certificates et al.
>
> All,
>
> I am guessing that this has come up more than once on the list, but some
> of our certs are up for renewal and I have not seen a discussion regarding
> certs recently so thought that I would ask the questions…
>
> Physical infrastructure:
>
> 1. Client (windows, macosx, iStuff, android, etc.)
> 2. WAP (Cisco various)
> 3. WLC (WiSM2)
> 4. Cisco Access Control Server
> 5. Microsoft Active Directory
>
> Configuration:
>
> 1. WPA+WPA2, AES
> 2. 802.1X
> 3. AAA points at our ACS server
> 4. ACS server points at Active Directory and has a “real” cert
> 5. AD uses the MS-PKI infrastructure and has a cert from the
>    internal CA
>
> Question:
>
> · What are people doing in regard to certificates and setup of the
>   WLAN on the client device? There seems to be no “magic bullet” combination
>   that will allow all clients to consistently join a WLAN and authenticate
>   without having to tweak them.
>
> · We have had occasions where two new devices of the same platform
>   and one has issues and needs to be tweaked and the other is fine.
>
> Any advice?
>
> Cheers,
> Jeff
>
> ---
>
> Jeffrey L. Oliver
> Sr. Network Analyst
> Information Technology Services
> The University of Lethbridge
> 4401 University Drive, Lethbridge, Alberta, T1K 3M4
>
> Tel: 403.329.5162
> Mob: 403.315.4461
> Fax: 403.382.7108
>
> URI: [email protected]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
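
On a Mac, the CA-plus-server-name trust described in the quoted reply can be set through a Wi-Fi configuration profile. The following is an added example, not code from anyone in this thread: it builds such a profile with Python's plistlib and audits a profile for weak server validation. The SSID, server names, `org_id`, the choice of PEAP and the function names are assumptions.

```python
import plistlib
import uuid

PEAP = 25  # EAP method number; assumed, the thread does not name the method

def build_profile(ssid, ca_der, server_names, org_id="edu.example.wifi"):
    """Return .mobileconfig bytes that pin a CA plus RADIUS server names."""
    ca_uuid = str(uuid.uuid4())
    ca_payload = {
        "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".ca", "PayloadUUID": ca_uuid,
        "PayloadContent": ca_der,  # the CA certificate, not the server's own
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".wlan", "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid, "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP],
            "PayloadCertificateAnchorUUID": [ca_uuid],     # trust anchor is the CA payload
            "TLSTrustedServerNames": list(server_names),   # names the server cert must carry
            "TLSAllowTrustExceptions": False,              # user cannot click through a mismatch
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": org_id, "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": ssid + " 802.1X",
        "PayloadContent": [ca_payload, wifi_payload],
    })

def audit_profile(data):
    """List server-validation weaknesses in each Wi-Fi payload of a profile."""
    payloads = plistlib.loads(data)["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads
             if p["PayloadType"].startswith("com.apple.security.")}
    problems = []
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no trusted server names")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= certs:
            problems.append("anchor is not a certificate in this profile")
        if eap.get("TLSAllowTrustExceptions") is True:
            problems.append("trust exceptions allowed")
    return problems
```

Because the profile references the CA and the server names rather than the server's own certificate, a renewed server certificate issued by the same CA under the same name needs no client change.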
