Now that you mention it, even for a single server, our provider is now requiring a SAN. That is a provider requirement and not technically needed for RADIUS or any single server certificate.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hunter Fuller [mailto:hf0...@uah.edu]
Sent: Monday, February 6, 2017 2:19 PM
Subject: Re: wild card certs and PEAP

Are you sure you have no SAN? In my experience, it is almost impossible to get a cert issued by one of the big issuers that has zero SANs. If you request a single domain cert, you get a cert with one SAN, which is the same as the domain you requested. (There is also, of course, a CN containing that domain.)

To see an example of this, you can look at https://sso.uah.edu/ - we have a single-domain cert here, and then one SAN that is the same as the CN: http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN to be there, but we had somehow gotten a cert issued without that SAN present, and this was not acceptable. (I wish I remembered which Windows version.)

I think this is only likely to trip people up if they ask for a cert with CN "domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one with that implicit "domain0" SAN, and that's what Windows balked at. But of course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu> wrote:

We use SANs on our RADIUS certificate so we can use the same certificate for https on those servers. I agree with Tim, though. SANs are not needed and we have run our RADIUS certificate for several years on multiple servers without any SANs.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box. The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:

Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu… and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don’t think they have an option), but we tried to use a wildcard cert that we usually use for testing of services. It generates/imports correctly and Android doesn’t appear to have an issue with it, but Win7 and Win10 don’t care for it when we try to authenticate to the wireless network. It looks like Android may be ignoring the validation or generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it with S2012R2?

-Brian

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure
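The check Hunter describes (does the CN also appear in the subjectAltName list, or does the cert have only "domain1, domain2, domain3" as SANs with the CN missing?) is easy to script against the PEM before loading it on NPS. The script below is an added example and is not from the thread or from any of the posters; it builds two throwaway self-signed certs with openssl (hostnames under example.edu are made up, and `-addext` needs OpenSSL 1.1.1 or later) and reports which one would trip a supplicant that insists on the CN being present as a DNS SAN.

```shell
#!/bin/sh
# Added example: generate two self-signed test certs and check whether the
# subject CN is repeated in the subjectAltName list. All hostnames are made up.
set -e

WORK="${TMPDIR:-/tmp}/eap-cert-check.$$"
mkdir -p "$WORK"

# make_cert NAME CN SANLIST -- SANLIST is a comma-separated "DNS:host" list.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_cn FILE -> prints the subject CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_sans FILE -> prints one DNS SAN per line (the line after the SAN header).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cn_in_san FILE -> exit 0 when the CN is also a DNS SAN, 1 otherwise.
cn_in_san() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || return 1
    cert_sans "$1" | grep -Fqx "$cn"
}

# Good: CN repeated in the SAN list, like a normal single- or multi-domain cert
# from a public CA. Every RADIUS server would present this one cert.
make_cert good eduroam.example.edu \
    "DNS:eduroam.example.edu,DNS:acs01.example.edu,DNS:acs02.example.edu"

# Bad: CN "domain0" only in the subject, SANs list only the other servers.
make_cert bad eduroam.example.edu \
    "DNS:acs01.example.edu,DNS:acs02.example.edu"

for c in good bad; do
    if cn_in_san "$WORK/$c.pem"; then
        echo "$c.pem: CN '$(cert_cn "$WORK/$c.pem")' is present in the SAN list"
    else
        echo "$c.pem: CN '$(cert_cn "$WORK/$c.pem")' is MISSING from the SAN list:" \
             "$(cert_sans "$WORK/$c.pem" | tr '\n' ' ')"
    fi
done
# Test certs are left in $WORK for inspection with `openssl x509 -text`.
```

Point `cn_in_san` at the PEM you are about to import into NPS (or export the installed cert first); a "MISSING" result is the shape of certificate Hunter reports Windows rejecting, and the fix is to re-issue with the CN included as a DNS SAN.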