We have offered 802.1x EAP-TLS since the fall of 2009. Cert installation did
require more than 3 steps so it was deemed painful, so after some number of
painful years we started using CloudPath XpressConnect which reduced the pain.
EAP-TLS works on most devices but there are some devices with bugs so for
those devices we use either EAP-TTLS or EAP-PEAP.
The Android bug 178688 has affected the most people recently.
There are still a few Windows devices that won’t connect with EAP-TLS. It
seems to be a wifi vendor driver issue. We can put an alternate USB wireless
adapter in those Windows machines and they connect with EAP-TLS.
If your customers are manually configuring wireless to use their username and
password (EAP-TTLS or EAP-PEAP) do you know what percentage are enabling
“verify server certificate” so the client will only give userid and password to
your radius server and not to an evil twin AP?
Even if you don’t use EAP-TLS it would be wise to use an installer such as
CloudPath XpressConnect or CAT from the eduroam project so that the installer
can configure the device to enable the checking of the radius server cert. If
you are using an installer the customer likely does not care whether it uses
certs or username/password.
The certs we install on devices have a 5 or 6 year lifetime so customers
usually only have to install them once.
While cert installation can be painful the pain is reduced by using an
installer and it is also painful to change the passwords on the average 2 to 3
wireless devices periodically when passwords expire. Many clients just give an
error that the wireless connection has failed, not that it failed because a
password has expired.
> On Sep 21, 2016, at 7:39 AM, Muraca, Peppino P. <pmur...@stonehill.edu> wrote:
> Hello all, I was wondering who or if anyone is using 802.1x cert auth for
> all wireless devices, and if you are, what is the experience with student
> devices?
> We are currently 802.1x username password, and have been thinking about
> going the cert route. I feel the cert auth is still a painful experience for
> DYOD devices.
> Thank you
> Peppino Muraca
> Sr. Network Administrator
> Stonehill College
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.