We crossed this bridge already but the quantity of door locks was a lot lower. We issued 5 yr certs to the locks and told the dept. that they (or their vendor) need to update/patch firmware on devices at least that often so they can update the cert at the same time. Our server cert will expire before then (not part of the chain) but the CA cert (part of the chain) will be valid for at least 10 years beyond that. So, as long as the FQDN and CN remain the same for the server cert then there is no problem. We used our existing 1x SSID, but a different VLAN and associated security policy. We used Cloudpath and deployed EAP-TLS certs for these - it's not hard.
--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS

________________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Johnson, Neil M <[email protected]>
Sent: Wednesday, November 2, 2016 9:17 AM
To: [email protected]
Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)

Our housing department is pushing pretty hard to replace keyed locks on dorm room doors with Wi-Fi connected proximity card locks (a pilot this summer and then eventually rolling out to ~3,000 rooms). The locks would be “offline” locks that cache valid cards locally and only connect to the Wi-Fi network periodically for updates and when presented with a non-cached card.

While the locks support multiple methods for authenticating to the wireless network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is probably the most secure method for these devices. My thinking is to set up a private PKI and generate a client cert for every lock. However, I have two issues concerning EAP-TLS.

1. What should I use for a client certificate expiration date? Our key and access folks don’t want to update the locks' client certs very often. (They will have to touch each lock on a regular basis to replace batteries, but don’t want to have to connect a computer to the locks every year.) The same question applies for the server certificate expiration.

2. Should I advertise a separate SSID? We currently use eduroam as our primary campus SSID. I would prefer not to have to add an additional SSID just for these devices, but their use case seems different enough to warrant one.

If your institution has implemented or is thinking about implementing Wi-Fi connected locks, I’d appreciate your feedback.

Thanks.
-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319-384-0938
e-mail: [email protected]

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
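The layout Curtis describes, as an added example that is not part of the thread or of either university's tooling: a throwaway private CA with a long lifetime, a 5-year EAP-TLS client cert for one lock, and a 1-year RADIUS server cert with a stable CN that is renewed once to show the lock side is unaffected. The CA name, hostnames and lifetimes are assumed values, and openssl must be on the path.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway private PKI laid out the way the
# replies describe. Names, lifetimes and paths are assumed values; requires openssl.
set -eu

# issue NAME CN DAYS EKU [SAN]: key + CSR + CA-signed end-entity cert in the cwd
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$1.ext"
  [ $# -ge 5 ] && printf 'subjectAltName=%s\n' "$5" >> "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$3" -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

lock_pki_demo() {
  work=$(mktemp -d) || return 1
  cd "$work" || return 1
  # Root CA good for 20 years (assumed): the one trust anchor each lock must store,
  # outliving the 5-year lock cert by well over the 10 years the reply asks for.
  openssl req -x509 -newkey rsa:2048 -nodes -days 7300 \
    -subj "/CN=Lock PKI Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1
  # Lock client cert: 5 years, matching the firmware-update cadence agreed with the dept.
  issue lock0001 "lock0001.locks.example.edu" 1825 clientAuth || return 1
  # RADIUS server cert: 1 year, issued with the same FQDN/CN every time it is renewed.
  issue radius "radius.example.edu" 365 serverAuth "DNS:radius.example.edu" || return 1
  for f in ca lock0001 radius; do
    openssl x509 -noout -subject -enddate -in "$f.crt"
  done
  # Both end-entity certs chain to the CA the lock has stored.
  openssl verify -CAfile ca.crt lock0001.crt radius.crt || return 1
  # Renew the server cert with the same CN: lock cert and trust anchor are untouched,
  # so the lock keeps validating the server without anyone visiting the door.
  issue radius "radius.example.edu" 365 serverAuth "DNS:radius.example.edu" || return 1
  openssl verify -CAfile ca.crt lock0001.crt radius.crt || return 1
  echo "ok: lock cert and renewed server cert both chain to the stored CA"
}

lock_pki_demo
```

The printed enddate lines make the planning check visible: the CA's notAfter must sit comfortably past the lock cert's, and the server cert can be reissued on its own schedule.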
