We're on Option 3, first time this semester, so we haven't gone through
an update yet.
(We use the eduroam CAT application)
Android before v7.1 has a known issue: it can't hold 2 certificates at
once.
Any iOS will have a warning that it hasn't seen that certificate before,
but it shouldn't be an error.
What MacOS issues were you seeing?
We're exploring Option 4, and it'll be a race to see if we get there
before the Cert renews...
On 10/30/17 2:21 PM, Craig Simons wrote:
All,
I know the subject has been broached on the list a few times before,
but I’m looking for informal opinions/survey about how you are
deploying your Radius EAP certificates for PEAP/TTLS users (non-TLS).
We use Cloudpath to onboard users, but recently went through a
difficult renewal period to replace our expiring certificate. As we
had configured all of our clients to “verify the server certificate”
(as you should from a security perspective), we found that iOS/MacOS
and Android clients did not take kindly to a new certificate being
presented. This resulted in quite a few disgruntled users who couldn’t
connect to WiFi as well as a shell-shocked Service Desk. To help
prevent this in the future (and because we are moving to a new Radius
infrastructure), what is the consensus on the following strategies:
Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard
with "verify server certificate" enabled
Option 2: Removing all traces of “verify server certificate” from
OnBoard configuration and use 2-year certs from CAs
Option 3: Use 2-year CA certificates, enable “verify server
certificates” and educate/prepare every two years for connection issues.
Option 4 (probably the best long-term answer): Move to private PKI and
EAP-TLS.
Opinions?
*Craig Simons*
Network Operations Manager
Simon Fraser University | Strand Hall
8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices
********** Participation and subscription information for this
EDUCAUSE Constituent Group discussion list can be found at
http://www.educause.edu/discuss.
--
Mike Davis
Systems Programmer V
NSS - University of Delaware - 302.831.8756
Newark, DE 19716 Email [email protected]
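An added example, not taken from either message in this thread: a wpa_supplicant network block for PEAP/MSCHAPv2 that keeps "verify server certificate" in the sense of Option 3, with the weak Option 2 setting noted in comments. The SSID, identity, CA bundle path and RADIUS server name are placeholders.

```conf
# Added example (not from the list thread). Placeholders: ssid, identity,
# ca_cert path and domain_match value.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"

    # Trust anchor for the RADIUS server's EAP certificate. Option 2 in the
    # thread amounts to leaving ca_cert out: the supplicant then accepts any
    # server certificate, and the inner MSCHAPv2 exchange can be carried out
    # with whatever server answers for the SSID.
    ca_cert="/etc/ssl/certs/ca-certificates.crt"

    # Pin the server name as well. With a public CA bundle as the trust anchor,
    # ca_cert alone would accept any certificate that CA ever issued; the name
    # check narrows it to the RADIUS server. A renewal that keeps the same CA
    # and the same name does not require touching this profile.
    domain_match="radius.example.edu"
}
```

Clients that expose an explicit "verify server certificate" toggle are making the same two decisions (trust anchor and expected name); the renewal pain the thread describes comes from clients that pin the leaf certificate itself rather than the CA plus name.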