We have users connect to an open SSID to be provisioned for our 802.1X network.
Another alternative is to use your single SSID but allow PEAP for onboarding. The user still gets an initial security prompt though.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

________________________________
From: Kevin Fitzgerald <[email protected]>
Sent: Monday, March 13, 2017 3:14 PM
Subject: Re: Certificate for 802.1x

Hi Eric,

From what I understand, the reason that even 3rd party certificates fail is that the clients do not have a trusted radius store as they do with SSL. That is to say, by default, most clients will not trust any radius certificate regardless of the issuer.

Some vendors provide an on-boarding module that distributes the trust parameters to the client as a workaround to the above.

Kevin

On Mon, Mar 13, 2017 at 2:10 PM, Eric Glinsky <[email protected]> wrote:

Hi everyone,

I’m looking for thoughts/opinions/experiences on 802.1x and security certificates. I dug through the archives from a few years ago, and from what I gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, Windows, Android) trust it automatically, but maybe someone has succeeded with this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went with DigiCert. That isn’t trusted by clients by default, offering no benefit over our domain-generated cert, with which all Apple and Windows 8/10 devices must be told to “trust,” Windows 7 fails to authenticate entirely, and Android just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
Kevin Fitzgerald | Project/Program Specialist
University of Arkansas at Little Rock | Information Technology Services
501.916.5019 | [email protected] | ualr.edu
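
The "trust parameters" mentioned in the thread are, on a wpa_supplicant-based client, a CA anchor plus an expected RADIUS server name. The audit below is an added example, not code from any poster in this thread; it assumes wpa_supplicant-style profiles, and the SSIDs, path and hostname in the sample are constructed.

```python
import re

# Each check: wpa_supplicant keys that satisfy it, and the finding when none is set.
CHECKS = [
    ({"ca_cert", "ca_path"}, "no CA anchor"),
    ({"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"},
     "no server name check"),
]

# Constructed sample config (not from the thread): one unpinned and one pinned profile.
SAMPLE_CONF = '''
network={
    ssid="campus-unpinned"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

def parse_networks(conf):
    """Return one dict of key -> value per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, flags=re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks

def audit(conf):
    """Map SSID -> missing trust settings, for 802.1X profiles only."""
    findings = {}
    for net in parse_networks(conf):
        if not re.search(r"EAP|IEEE8021X", net.get("key_mgmt", "")):
            continue  # PSK or open network: no RADIUS certificate involved
        missing = [label for keys, label in CHECKS if keys.isdisjoint(net)]
        if missing:
            findings[net.get("ssid", "<unnamed>")] = missing
    return findings
```

Calling `audit(SAMPLE_CONF)` reports only the profile that would accept any RADIUS certificate; the pinned profile is the shape an onboarding tool is expected to install.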
