We use Cloudpath XpressConnect Wizard which configures the network. I see an option for “Trusted Server Certificate Names” which is described as:
Supported settings include:

Configured - Default. When selected, the name of the authentication server will be verified before an authentication is attempted. If selected, the server name must be specified. The verification of the server name is based on the CN field within the server's certificate. Multiple server names may be specified using a semi-colon separated list. This setting is not supported on Leopard. It is supported on Snow Leopard+ and iOS. This setting is the equivalent of Verify Server Certificate on Windows.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Walter Reynolds [mailto:[email protected]]
Sent: Tuesday, December 9, 2014 8:03 AM
Subject: Re: Certificates et al.

How do you trust server by name only for Macs?

------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Tue, Dec 9, 2014 at 7:55 AM, Osborne, Bruce W (Network Services) <[email protected]> wrote:

We have our clients just trust the CA chain (not the server certificate) and to authenticate only to our servers by name. That way we can replace our server certificates without causing any disruption.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Oliver, Jeff [mailto:[email protected]]
Sent: Monday, December 8, 2014 12:39 PM
Subject: Certificates et al.

All,

I am guessing that this has come up more than once on the list, but some of our certs are up for renewal and I have not seen a discussion regarding certs recently so thought that I would ask the questions…

Physical infrastructure:
1. Client (windows, macosx, iStuff, android, etc.)
2. WAP (Cisco various)
3. WLC (WiSM2)
4. Cisco Access Control Server
5. Microsoft Active Directory

Configuration:
1. WPA+WPA2, AES
2. 802.1X
3. AAA points at our ACS server
4. ACS server points at Active Directory and has a “real” cert
5. AD uses the MS-PKI infrastructure and has a cert from the internal CA

Question:
• What are people doing in regard to certificates and setup of the WLAN on the client device? There seems to be no “magic bullet” combination that will allow all clients to consistently join a WLAN and authenticate without having to tweak them.
• We have had occasions where two new devices of the same platform and one has issues and needs to be tweaked and the other is fine.

Any advice?

Cheers,
Jeff
---
Jeffrey L. Oliver
Sr. Network Analyst
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4
Tel: 403.329.5162
Mob: 403.315.4461
Fax: 403.382.7108
URI: [email protected]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
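
Added example (not part of the original thread, and not Cloudpath's own output): the "trust the CA chain, authenticate only to named servers" setup discussed above, written as the payload section of an Apple configuration profile for OS X and iOS. The SSID, server names, UUIDs and identifiers are constructed placeholders, and PEAP is an assumed EAP type that the thread does not state.

```xml
<!-- Constructed values throughout: SSID, names, UUIDs and identifiers are placeholders. -->
<key>PayloadContent</key>
<array>
  <!-- 1. The CA certificate that issued the RADIUS server certificate (the trust anchor). -->
  <dict>
    <key>PayloadType</key><string>com.apple.security.root</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>edu.example.wifi.ca</string>
    <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
    <key>PayloadDisplayName</key><string>Example Issuing CA</string>
    <key>PayloadContent</key>
    <data><!-- base64 DER of the CA certificate goes here --></data>
  </dict>
  <!-- 2. The 802.1X Wi-Fi network that uses that anchor. -->
  <dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>edu.example.wifi.secure</string>
    <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
    <key>SSID_STR</key><string>ExampleU-Secure</string>
    <key>EncryptionType</key><string>WPA2</string>
    <key>EAPClientConfiguration</key>
    <dict>
      <!-- 25 = PEAP (assumed; use the EAP type your RADIUS server offers). -->
      <key>AcceptEAPTypes</key>
      <array><integer>25</integer></array>
      <!-- Trust the CA payload above, not one specific server certificate,
           so a renewed server certificate from the same CA is still accepted. -->
      <key>PayloadCertificateAnchorUUID</key>
      <array><string>11111111-2222-3333-4444-555555555555</string></array>
      <!-- Accept only these server names; another certificate issued by the
           same CA under a different name is rejected. -->
      <key>TLSTrustedServerNames</key>
      <array>
        <string>radius1.example.edu</string>
        <string>radius2.example.edu</string>
      </array>
      <!-- Do not let the user accept an untrusted certificate at the prompt. -->
      <key>TLSAllowTrustExceptions</key><false/>
    </dict>
  </dict>
</array>
```

With a public CA as the anchor, the server-name list is what stops a device from accepting any other certificate that CA has issued, so the two settings need to be deployed together.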
