We tried to move to Option 1 this year but management was not comfortable with 
the use of a Private CA.  Like you, we used the term “self-signed” and that 
does not come off well.  Technically, it is not a “self-signed” certificate, it 
is signed by your Private CA (which, of course, is self-signed like every 
public root).

So, we remain on Option 3.


Doug Wussler
Application Developer/Designer – Core Network Team
Information Technology Services
RK Shaw Building
644 W. Call Street
Tallahassee, FL  32304


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]> on behalf of Michael Davis <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<[email protected]>
Date: Monday, October 30, 2017 at 2:45 PM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

We're on Option 3, first time this Semester so we haven't gone through an 
update yet.
(We use the eduroam CAT application)

Android before v7.1 has a known issue: it cannot hold 2 certificates at once.
Any iOS will have a warning that it hasn't seen that certificate before, but it
shouldn't be an error.
What MacOS issues were you seeing?

We're exploring Option 4, and it'll be a race to see if we get there before the 
Cert renews...



On 10/30/17 2:21 PM, Craig Simons wrote:
All,

I know the subject has been broached on the list a few times before, but I’m 
looking for informal opinions/survey about how you are deploying your Radius 
EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
users, but recently went through a difficult renewal period to replace our 
expiring certificate. As we had configured all of our clients to “verify the 
server certificate” (as you should from a security perspective), we found that 
iOS/MacOS and Android clients did not take kindly to a new certificate being 
presented. This resulted in quite a few disgruntled users who couldn’t connect 
to WiFi as well as a shell-shocked Service Desk. To help prevent this in the 
future (and because we are moving to a new Radius infrastructure), what is the 
consensus on the following strategies:

Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
"verify server certificate" enabled

Option 2: Removing all traces of “verify server certificate” from OnBoard 
configuration and use 2-year certs from CAs

Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
educate/prepare every two years for connection issues.

Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS.

Opinions?

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | 
www.sfu.ca/itservices


********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




--

Mike Davis

Systems Programmer V

NSS - University of Delaware - 302.831.8756

Newark, DE 19716         Email [email protected]

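As an added illustration of what "verify server certificate" actually binds to on the client (this is not code from any poster in this thread, and the SSID, realm, server name and file path are assumed placeholders), here is a wpa_supplicant network block in the Option 2 form beside the Option 3 / Option 1 form. The point it makes about the renewal problem described above: a client that trusts the issuing CA plus a server-name match keeps working when the RADIUS server's leaf certificate is renewed under the same CA for the same name, whereas a client with no verification accepts any server certificate, and a client that pins the specific leaf certificate breaks at every renewal.

```ini
# Added example, not from the thread. SSID, identities, server name and the
# CA file path are assumed placeholders; substitute your own values.

# --- Option 2: no server verification (the weak setting) ---
# With no ca_cert, wpa_supplicant accepts whatever server certificate is
# presented, including one from a rogue access point advertising this SSID.
# That is the exposure the "verify server certificate" setting exists to close.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# --- Option 3 (public CA) or Option 1 (private CA): verification bound to
# --- the issuing CA and the server name, not to the leaf certificate ---
# A renewed server certificate issued by the same CA for the same name is
# accepted with no client change; a certificate from a different CA, or for
# a different name, is rejected.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # CA that issued the RADIUS server certificate (assumed path). For
    # Option 1 this is your own private root; for Option 3 the public CA.
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    # Exact match on the server certificate's name (SAN dNSName, else CN).
    # ca_cert alone would accept any certificate that CA has ever issued,
    # so the name match is what ties trust to your RADIUS server.
    domain_match="radius.example.edu"
}
```

The same two bindings exist on the platforms named in the thread: the CA certificate and Domain fields in Android's Wi-Fi settings, and PayloadCertificateAnchorUUID together with TLSTrustedServerNames in an Apple configuration profile. A renewal only goes smoothly when the onboarding profile anchors on the CA and the name rather than on the leaf certificate that is about to expire.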