Couple of things
- Wildcard and EV certificates should never be used for RADIUS
- Keep in mind that EAP server certificate trust is different than system level certificate trust.
  o Even with a public certificate, you will still receive a certificate prompt on initial connection if the client has not been manually configured
  o The common name of the RADIUS server certificate does NOT need to have a DNS entry, it’s “visual” only.
- A standard “generic” web server certificate from any of the major providers will work. I always recommend using a user-friendly name for the common name like wireless.domain.xyz or network-login.domain.xyz since users will see it.

tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Eric Glinsky <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Monday, March 13, 2017 at 3:10 PM
To: "[email protected]" <[email protected]>
Subject: [WIRELESS-LAN] Certificate for 802.1x

Hi everyone,

I’m looking for thoughts/opinions/experiences on 802.1x and security certificates. I dug through the archives from a few years ago, and from what I gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, Windows, Android) trust it automatically, but maybe someone has succeeded with this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went with DigiCert. That isn’t trusted by clients by default, offering no benefit over our domain-generated cert, with which all Apple and Windows 8/10 devices must be told to “trust,” Windows 7 fails to authenticate entirely, and Android just works.

We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric
**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
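
An added example, not part of the original thread and not written by either poster: a shell check that applies the reply's first point (no wildcard, no EV) to a certificate file before it is installed on the RADIUS server, and prints the common name users will be shown. Assumptions: OpenSSL 1.1.1 or later; `radius_cert_lint` and `make_sample_cert` are hypothetical helper names; the sample certificates are constructed throwaway ones; the CA/Browser Forum policy OID 2.23.140.1.1 is taken as the EV marker (a CA may also use its own EV OID).

```shell
#!/bin/sh
# Added example: pre-deployment lint for a RADIUS/EAP server certificate.
# radius_cert_lint is a hypothetical helper name; requires OpenSSL 1.1.1+.

radius_cert_lint() {
    cert=$1
    rc=0
    # Subject CN: the name users see in the certificate prompt.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    # dNSName entries from subjectAltName, one per line (empty if absent).
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    # A wildcard in the CN or in any SAN fails the check.
    if printf '%s\n%s\n' "$cn" "$sans" | grep -q '^\*\.'; then
        echo "FAIL: wildcard name in CN or SAN"
        rc=1
    fi
    # Assumption: EV is detected via the CA/Browser Forum EV policy OID.
    if openssl x509 -in "$cert" -noout -text |
       grep -Eq 'Policy: 2\.23\.140\.1\.1[[:space:]]*$'; then
        echo "FAIL: EV policy OID present"
        rc=1
    fi
    echo "INFO: users will be shown CN=$cn"
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate.
# usage: make_sample_cert <out.pem> <CN> [extension for -addext]
make_sample_cert() {
    pem=$1
    name=$2
    ext=${3:-subjectAltName=DNS:$name}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -addext "$ext" -keyout /dev/null -out "$pem" 2>/dev/null
}
```

`radius_cert_lint server.pem` returns non-zero when either check fails, so it can gate a deployment script.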
