We have offered 802.1x EAP-TLS since the fall of 2009. Cert installation did require more than 3 steps so it was deemed painful, so after some number of painful years we started using CloudPath XpressConnect which reduced the pain.
EAP-TLS works on most devices but there are some devices with bugs so for those devices we use either EAP-TTLS or EAP-PEAP. The Android bug 178688 has affected the most people recently.

https://wiki.geant.org/display/H2eduroam/Known+configuration+APIs+and+bugs+for+client+devices

There are still a few Windows devices that won't connect with EAP-TLS. It seems to be a wifi vendor driver issue. We can put an alternate USB wireless adapter in those Windows machines and they connect with EAP-TLS.

If your customers are manually configuring wireless to use their username and password (EAP-TTLS or EAP-PEAP), do you know what percentage are enabling "verify server certificate" so the client will only give userid and password to your radius server and not to an evil twin AP? Even if you don't use EAP-TLS it would be wise to use an installer such as CloudPath XpressConnect or CAT from the eduroam project so that the installer can configure the device to enable the checking of the radius server cert. If you are using an installer the customer likely does not care whether it uses certs or username/password.

The certs we install on devices have a 5 or 6 year lifetime so customers usually only have to install them once. While cert installation can be painful, the pain is reduced by using an installer, and it is also painful to change the passwords on the average 2 to 3 wireless devices periodically when passwords expire. Many clients just give an error that the wireless connection has failed, not that it failed because a password has expired.

> On Sep 21, 2016, at 7:39 AM, Muraca, Peppino P. <[email protected]> wrote:
>
> Hello all, I was wondering who or if anyone is using 802.1x cert auth for
> all wireless devices, and if you are, what is the experience with student
> devices?
>
> We are currently 802.1x username password, and have been thinking about
> going the cert route. I feel the cert auth is still a painful experience for
> BYOD devices.
>
> Thank you
> Pino
>
> Peppino Muraca
> Sr. Network Administrator
> Stonehill College
> 508-565-1193
> [email protected]
> (OO=[][]=OO)
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.

---
Bruce Curtis
[email protected]
Certified NetAnalyst II
701-231-8527
North Dakota State University
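The point in the reply above about "verify server certificate" is the one most often missed in hand-configured EAP-TTLS/PEAP profiles: without a pinned CA and a server name match, the supplicant will hand the user's password to any AP that presents an EAP server, which is the evil twin case. The script below is an added example, not from the original thread or from any of the installers mentioned. It parses wpa_supplicant-style network blocks and reports which ones would accept an unverified RADIUS server; the three blocks are constructed sample profiles (one weak PEAP profile, one hardened TTLS profile, one EAP-TLS profile), and the CA path, host name and identity in them are placeholders. The configuration keys used (`ca_cert`, `domain_suffix_match`, `altsubject_match`, `subject_match`, `phase2`, `client_cert`, `private_key`) are real wpa_supplicant options.

```python
"""Audit wpa_supplicant network blocks for missing RADIUS server verification.

Added example: flags 802.1X profiles that do not pin a CA and/or do not
check the server's name, i.e. profiles whose credentials an evil twin AP
could harvest. Sample profiles below are constructed; paths are placeholders.
"""
import re

# Constructed sample configuration: weak PEAP, hardened TTLS, EAP-TLS.
SAMPLE_CONF = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.edu"
    client_cert="/etc/wpa/user.pem"
    private_key="/etc/wpa/user.key"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value"; the value may itself contain '=' (e.g. phase2).
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

# Any of these ties the server certificate to an expected name.
NAME_MATCH_KEYS = ("domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of option->value per network={...} block."""
    return [dict(KV_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(text)]


def audit_network(net):
    """Return a list of findings for a single network block (empty = OK)."""
    findings = []
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return findings  # not 802.1X; server verification does not apply
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in NAME_MATCH_KEYS):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    # Password-carrying inner methods are what an evil twin is after.
    if net.get("eap", "").upper() in ("PEAP", "TTLS") and "password" in net and findings:
        findings.append("password-based method with unverified server: credentials exposed to an evil twin AP")
    return findings


def audit(text):
    """Audit every block in a config; returns (ssid, eap, findings) tuples."""
    return [(n.get("ssid"), n.get("eap"), audit_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, eap, findings in audit(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print(f"{ssid} ({eap}): {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample, only the first (PEAP) profile is reported; it is exactly the shape a user ends up with after typing a username and password into a manual wireless dialog and leaving "verify server certificate" unchecked. Installers such as CAT or XpressConnect populate the `ca_cert` and name-match fields for the user, which is why the reply recommends them even where EAP-TLS is not used.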
