Hmmm. Intriguing. We have wireless locks as our most IoT-ish clients, and they do OK with our longer certs. This could be a really interesting topic at the macro level.
Lee Badman | CWNE #200 | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 f 315.443.4325 e [email protected] w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jake Snyder
Sent: Wednesday, November 30, 2016 9:28 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Decent tools, on sale

Not necessarily an EAP-TLS issue. I've personally seen some medical devices that puke on larger certs as well. Even using PEAP, they still get the cert from the radius server for building the TLS tunnel. No tunnel, no credential exchange. No creds, no access.

In one example, we saw a 3-part certificate delivery because cert was over 3200 bytes (3x 1500 MTU packets) and immediately saw a certificate reject. And these devices don't actually do any cert validation.

Sent from my iPhone

> On Nov 30, 2016, at 4:15 AM, Jethro R Binks <[email protected]> wrote:
>
>> On Wed, 30 Nov 2016, Lee H Badman wrote:
>>
>> That's actually a pretty interesting question, Chuck. I run the G2 (and
>> G1) against 802.1X as well with RADIUS using the longer certs... but-
>> using PEAP w/MS-CHAPv2. Which in this context, is largely irrelevant
>> because you can simply ignore the certs. I'm guessing that you're using
>> TLS?
>
> Funnily enough I got a notification this week about new firmware for the
> G2:
>
> AirCheck™ G2 Wireless Network Tester v1.1.1 Maintenance Release
>
> but the notes don't mention about cert length fixes.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
>
>>
>> Lee Badman | Network Architect (CWDP, CWNA, CWSP, Mobility+)
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003 f 315.443.4325 e
>> [email protected]<mailto:[email protected]> w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>> ________________________________
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> <[email protected]> on behalf of Chuck Enfield
>> <[email protected]>
>> Sent: Tuesday, November 29, 2016 8:58 PM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] Decent tools, on sale
>>
>> A gentle caution about the Aircheck. I love the product, but our gen 1
>> devices just took a major utility hit when we changed to a SHA-256 4K
>> cert that the device couldn't support. Now we can't use it for
>> connectivity tests on our 1x SSID. There's a 2K key size limit on the
>> gen 1 Airchecks.
>>
>> More troubling is that I've had a ticket open with NetScout for almost a
>> month to see if the G2's can do better, but they've yet to offer an
>> answer. I've pinged them twice, so it's not an issue of forgetting
>> about my inquiry. They don't seem to know what their device can do.
>>
>> From: Lee H Badman<mailto:[email protected]>
>> Sent: Tuesday, November 29, 2016 7:55 PM
>> To:
>> [email protected]<mailto:[email protected]>
>> Subject: [WIRELESS-LAN] Decent tools, on sale
>>
>>
>> http://netool.io/ competes with LinkSprinter- is a nice tool on sale right
>> now, FYI. Also NetScout running buy one/get one sale on AirCheck G2- but
>> that sale is almost over as well.
>>
>> Just FYI, both are worth having.
>>
>> Lee Badman (mobile)
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
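An added example, not part of the thread: a Python check to run on the RADIUS server's certificate chain before rollout, showing how large the TLS 1.2 Certificate message is and the minimum number of EAP fragments it needs. The fragment size, the `max_fragments` device tolerance and the sample chain (random bytes in PEM wrappers, not real certificates) are assumptions constructed for illustration.

```python
import base64
import math
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_sizes(pem_bundle):
    """DER length in bytes of each certificate in a PEM bundle, in order."""
    return [len(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_bundle)]

def certificate_message_size(sizes):
    """TLS 1.2 Certificate handshake message size (RFC 5246, 7.4.2):
    4-byte handshake header + 3-byte list length + (3-byte length + DER) per cert."""
    return 4 + 3 + sum(3 + s for s in sizes)

def eap_fragments(message_size, fragment_size):
    """Lower bound on EAP fragments: the rest of the server flight
    (ServerHello, ServerKeyExchange, ...) travels in the same fragments."""
    return math.ceil(message_size / fragment_size)

def audit(pem_bundle, fragment_size, max_fragments):
    """Compare the chain against a device tolerance found by testing.
    fragment_size: TLS bytes per EAP packet as configured on the RADIUS server.
    max_fragments: hypothetical limit of the weakest client (assumption)."""
    sizes = der_sizes(pem_bundle)
    total = certificate_message_size(sizes)
    frags = eap_fragments(total, fragment_size)
    return {"cert_sizes": sizes, "message_size": total,
            "fragments": frags, "ok": frags <= max_fragments}

def _fake_pem(n):
    """Constructed stand-in: n random bytes in a PEM wrapper (not a real cert)."""
    b64 = base64.encodebytes(os.urandom(n)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed sample: server cert plus one intermediate, sized to land
# a little over 3200 bytes like the case described in the thread.
SAMPLE_CHAIN = _fake_pem(1900) + _fake_pem(1400)

if __name__ == "__main__":
    print(audit(SAMPLE_CHAIN, fragment_size=1400, max_fragments=2))
```

To audit a real deployment, pass the contents of the server's PEM chain file instead of `SAMPLE_CHAIN`; dropping an unnecessary intermediate or moving to a smaller key type shrinks the message.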
