We are option 3 with 3-year certs.  We were in the same boat as Craig just
over a year ago.  We moved to a different onboarding utility and a different
CA.  It is a long story, so feel free to hit me up offline.  That said, in
the future we will likely end up using both options 3 & 4 to be flexible
with device/owner/use.

*Mike Atkins*
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

     ----  .__o
   ----- _-\_<,
   ---  (*)/'(*)

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of *Craig Simons
*Sent:* Monday, October 30, 2017 2:22 PM
*To:* [email protected]
*Subject:* [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

All,

I know the subject has been broached on the list a few times before, but
I’m looking for informal opinions/survey about how you are deploying your
RADIUS EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to
onboard users, but recently went through a difficult renewal period to
replace our expiring certificate. As we had configured all of our clients
to “verify the server certificate” (as you should from a security
perspective), we found that iOS/macOS and Android clients did not take
kindly to a new certificate being presented. This resulted in quite a few
disgruntled users who couldn’t connect to Wi-Fi as well as a shell-shocked
Service Desk. To help prevent this in the future (and because we are moving
to a new RADIUS infrastructure), what is the consensus on the following
strategies:

Option 1: Using a self-signed/private PKI and a 10-year cert. Onboard with
“verify server certificate” enabled.

Option 2: Removing all traces of “verify server certificate” from OnBoard
configuration and using 2-year certs from CAs.

Option 3: Use 2-year CA certificates, enable “verify server certificate”,
and educate/prepare every two years for connection issues.

Option 4 (probably the best long-term answer): Move to private PKI and
EAP-TLS.

Opinions?

*Craig Simons*
Network Operations Manager

Simon Fraser University | Strand Hall
8888 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices
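The renewal breakage Craig describes, and Mike's choice of option 3 above, both come down to what the supplicant anchors trust to when "verify server certificate" is on. A client that chains the RADIUS server cert to a trusted CA and checks the server name survives a renewal under the same CA; a client that effectively remembered the exact certificate it saw at onboarding breaks on every renewal. The Go program below is an added example written for this page, not code from the thread, Cloudpath or any vendor. It builds a throwaway lab PKI in memory (the CA names, `radius.example.edu`, serial numbers and dates are all constructed assumptions) and runs both client policies against the original cert, its renewal, an expired copy, and an evil-twin cert that carries the same name under an untrusted CA, which is the case option 2 would wave through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed lab values: the server name, CA names and dates are assumptions
// for illustration, not any institution's real RADIUS deployment.
const serverName = "radius.example.edu"

var onboardDay = time.Date(2017, 10, 30, 0, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds either a CA template or a RADIUS server (EAP ServerAuth) template.
func template(cn string, isCA bool, serial int64, notBefore time.Time, years int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // the name the supplicant must match
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key and signs tmpl under parent; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// verifyAgainstCA is what "verify server certificate" should mean on a supplicant:
// chain to the trusted CA, server name matches, certificate valid at time t.
func verifyAgainstCA(leaf, ca *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     serverName,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// pinLeaf models a client that remembered the exact server certificate seen at
// onboarding; matchesPin is that client's check, which any renewal breaks.
func pinLeaf(c *x509.Certificate) [32]byte                { return sha256.Sum256(c.Raw) }
func matchesPin(c *x509.Certificate, pin [32]byte) bool { return sha256.Sum256(c.Raw) == pin }

// Scenario builds the lab PKI (campus CA, server cert issued at onboarding, its renewal
// under the same CA with a new key, an evil twin under an untrusted CA) and reports
// whether each client policy accepts each certificate.
func Scenario() map[string]bool {
	ca, caKey := issue(template("Campus RADIUS CA", true, 1, onboardDay, 10), nil, nil)
	old, _ := issue(template(serverName, false, 100, onboardDay, 2), ca, caKey)
	renewed, _ := issue(template(serverName, false, 101, onboardDay.AddDate(1, 11, 0), 2), ca, caKey)
	rogueCA, rogueKey := issue(template("Evil Twin CA", true, 1, onboardDay, 10), nil, nil)
	rogue, _ := issue(template(serverName, false, 7, onboardDay, 2), rogueCA, rogueKey)
	pin := pinLeaf(old)
	twoYearsOn := onboardDay.AddDate(2, 0, 0)
	return map[string]bool{
		"old cert, CA policy":              verifyAgainstCA(old, ca, onboardDay) == nil,
		"renewed cert, CA policy":          verifyAgainstCA(renewed, ca, twoYearsOn) == nil,
		"evil twin, CA policy":             verifyAgainstCA(rogue, ca, onboardDay) == nil,
		"old cert after expiry, CA policy": verifyAgainstCA(old, ca, twoYearsOn.AddDate(0, 1, 0)) == nil,
		"old cert, leaf pin":               matchesPin(old, pin),
		"renewed cert, leaf pin":           matchesPin(renewed, pin),
	}
}

func main() {
	fmt.Println(Scenario())
}
```

The CA-anchored policy accepts both the original and the renewed cert, rejects the evil twin and the expired cert; the leaf pin accepts only the cert it was onboarded with. The practical cutover check for options 1, 3 and 4 is the same as `verifyAgainstCA`: before the switch, validate the new server cert against the CA and name that the onboarding profile actually pushed to clients (for example with `openssl verify -CAfile` and `-verify_hostname`), because a cert issued under a different intermediate or root, or with a changed name, will fail on every correctly configured client exactly as a pinned leaf does.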

********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/discuss.