Thanks for the info, guys! It seems that “it is what it is” after all.

Still haven’t had a chance to try the third-party CA with Win7 to decide if 
it’s worth keeping.

From what’s been discussed, I should be able to use the same cert across 
multiple RADIUS servers. No luck so far. On our first RADIUS server, I set up 
authentication with a cert issued to the host’s FQDN, with the domain CA (which 
also happens to be the RADIUS server) as the issuer. I tried exporting the cert 
from the original RADIUS server and importing it to the secondary server, but 
clients fail to authenticate. Any suggestions, such as file format, also 
exporting the root cert or not (with or without private key), etc. would be 
appreciated. Please forgive me if I’m totally off base since I have very 
limited experience with certs! ☺
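Added example (not code from anyone in this thread): the export/import the question above describes, done in PowerShell on the two NPS servers, with the checks a practitioner would run at each step. Hostnames, paths and the password prompt are placeholders; it assumes an elevated PowerShell with the PKI module (Windows Server 2012 or later) and that the cert's private key was issued as exportable, which domain CA templates often do not allow by default (Export-PfxCertificate then fails with a non-exportable key error and the cert has to be re-issued from a template that permits export). Run the first half on the original server and the second half on the secondary.

```powershell
# Added example, not from the list thread. Placeholders: adjust to your environment.
$SourceFqdn = 'radius1.example.edu'          # first NPS server (also the domain CA here)
$PfxPath    = 'C:\Temp\radius-server.pfx'    # cert + private key, for the second NPS server
$RootPath   = 'C:\Temp\domain-root.cer'      # issuing CA public cert, for clients / the 2nd server
$PfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

# ---------- on the first NPS server ----------
# Pick the cert NPS is using: issued to this host's FQDN and holding its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SourceFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $SourceFqdn in LocalMachine\My" }

# PEAP / EAP-TLS supplicants require the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# These are the names a client compares against its configured server name(s).
# A cert issued only to radius1 carries only radius1's name, even after moving it.
"Subject: $($cert.Subject)"
"SANs:    $($cert.DnsNameList.Unicode -join ', ')"

# Export WITH the private key. A .cer export (public part only) looks identical in
# the MMC but the second server cannot complete the TLS handshake with it.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass -ChainOption BuildChain | Out-Null

# Export the issuing CA's public cert separately; that is what clients need to trust.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
if (-not $root) { throw "Issuer '$($cert.Issuer)' not found in LocalMachine\Root" }
Export-Certificate -Cert $root -FilePath $RootPath -Type CERT | Out-Null

# ---------- on the second NPS server ----------
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass
if (-not $imported.HasPrivateKey) { throw 'Import succeeded but the private key did not come across' }

# The issuing CA must be trusted here too, or the server cannot build its own chain.
Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Test-Certificate returns $false (with a warning) when the chain, EKU or validity is wrong.
if (-not (Test-Certificate -Cert $imported -Policy SSL -EKU '1.3.6.1.5.5.7.3.1' -AllowUntrustedRoot:$false)) {
    throw "Certificate $($imported.Thumbprint) does not validate on this server"
}
"Imported $($imported.Thumbprint). Select it in the PEAP/EAP-TLS settings of the NPS network policy."
```

Two things the script only checks rather than fixes: the NPS network policy on the second server references a certificate by thumbprint, so the imported cert must be selected in that policy's EAP settings before clients will see it; and the cert carries the first server's name, so clients that validate the server name (Windows "Connect to these servers", Apple profiles with trusted server names) will accept it only if that name is in their list. A cert issued with both servers' FQDNs as SANs avoids that second problem outright.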


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Kevin Fitzgerald
Sent: Monday, March 13, 2017 3:15 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Certificate for 802.1x

Hi Eric,

From what I understand, the reason that even 3rd-party certificates fail is 
that the clients do not have a trusted RADIUS store as they do with SSL. That 
is to say, by default, most clients will not trust any RADIUS certificate 
regardless of the issuer.

Some vendors provide an on-boarding module that distributes the trust 
parameters to the client as a workaround to the above.

Kevin

On Mon, Mar 13, 2017 at 2:10 PM, Eric Glinsky <[email protected]> wrote:
Hi everyone,

I’m looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?

For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn’t trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to “trust,” Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.

Thanks for any pointers you can give!

- Eric
This e-mail message is intended only for the person or entity to which it is 
addressed and may contain CONFIDENTIAL or PRIVILEGED material. Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender and destroy all copies of the 
original message. If you are the intended recipient but do not wish to receive 
communications through this medium, please so advise the sender immediately.
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



--
Kevin Fitzgerald | Project/Program Specialist
University of Arkansas at Little Rock | Information Technology Services
501.916.5019 | [email protected] | ualr.edu

Reminder: IT Services will never ask for your password over the phone or in an 
email. Always be suspicious of requests for personal information that comes via 
email, even from known contacts. For more information or to report suspicious 
email, visit http://ualr.edu/itservices/security/
