We have offered 802.1x EAP-TLS since the fall of 2009.  Cert installation did 
require more than 3 steps so it was deemed painful, so after some number of 
painful years we started using CloudPath XpressConnect which reduced the pain.

  EAP-TLS works on most devices but there are some devices with bugs so for 
those devices we use either EAP-TTLS or EAP-PEAP.
The Android bug 178688 has affected the most people recently.

https://wiki.geant.org/display/H2eduroam/Known+configuration+APIs+and+bugs+for+client+devices

There are still a few Windows devices that won’t connect with EAP-TLS.  It 
seems to be a wifi vendor driver issue.  We can put an alternate USB wireless 
adapter in those Windows machines and they connect with EAP-TLS.

  If your customers are manually configuring wireless to use their username and 
password (EAP-TTLS or EAP-PEAP) do you know what percentage are enabling 
“verify server certificate” so the client will only give userid and password to 
your radius server and not to an evil twin AP?

  Even if you don’t use EAP-TLS it would be wise to use an installer such as 
CloudPath XpressConnect or CAT from the eduroam project so that the installer 
can configure the device to enable the checking of the radius server cert.  If 
you are using an installer the customer likely does not care whether it uses 
certs or username/password.

  The certs we install on devices have a 5 or 6 year lifetime so customers 
usually only have to install them once.  

  While cert installation can be painful the pain is reduced by using an 
installer and it is also painful to change the passwords on the average 2 to 3 
wireless devices periodically when passwords expire.  Many clients just give an 
error that the wireless connection has failed, not that it failed because a 
password has expired.

> On Sep 21, 2016, at 7:39 AM, Muraca, Peppino P. <pmur...@stonehill.edu> wrote:
> 
> Hello all,  I was wondering who or if anyone is using 802.1x cert auth for 
> all wireless devices, and if you are, what is the experience with student 
> devices ?
>  
> We are currently 802.1x username password, and have been thinking about 
> going the cert route. I feel the cert auth is still a painful experience for 
> DYOD devices.
>  
> Thank you
> Pino
>  
> Peppino Muraca
> Sr. Network Administrator
> Stonehill College
> 508-565-1193
> pmur...@stonehill.edu
>               (OO=[][]=OO)
>  
> 
>  
> ********** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.

---
Bruce Curtis                         bruce.cur...@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        
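
Added example, not part of the original message: for Linux clients that use wpa_supplicant, a small audit that flags EAP-PEAP/EAP-TTLS network blocks lacking the "verify server certificate" settings the reply asks about (`ca_cert` plus a server name match such as `domain_suffix_match`). The sample configuration, SSIDs, server name and file paths are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and credentials are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-manual"
    eap=PEAP
    identity="student1"
    password="constructed-password"
}
network={
    ssid="campus-installer"
    eap=TTLS
    identity="student1"
    password="constructed-password"
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="campus-ca-only"
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
}
'''

NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def audit(conf_text):
    """Return {ssid: [findings]} for PEAP/TTLS (username/password) networks."""
    findings = {}
    for body in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip().strip('"')
        if not {"PEAP", "TTLS"} & set(kv.get("eap", "").upper().split()):
            continue  # EAP-TLS, PSK and open networks are out of scope here
        issues = []
        if "ca_cert" not in kv:
            issues.append("server certificate not validated (no ca_cert)")
        if not any(k in kv for k in NAME_CHECKS):
            issues.append("server name not pinned (no domain_suffix_match or equivalent)")
        findings[kv.get("ssid", "?")] = issues
    return findings

if __name__ == "__main__":
    for ssid, issues in audit(SAMPLE_CONF).items():
        print(ssid, issues or "OK")
```

A profile with `ca_cert` but no name match still accepts any server certificate issued by that CA, which is why the audit reports the two settings separately.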



