We currently use Option 3, but the clients only trust the certificate CHAIN, not the server certificate itself. This lets us replace the server certificate providing the chain remains the same. This worked fine for us for several years with a 1 year server certificate. Unfortunately, we have changed chains twice in the past year and will likely change chains again in January. ☹ Some of the clients we onboarded at the start of this semester have our “best guess” for the new certificate chain too.
We will be moving some clients to Option 4, though. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Craig Simons [mailto:[email protected]] Sent: Monday, October 30, 2017 2:22 PM Subject: Radius certificate length vs. onboarding opinions All, I know the subject has been broached on the list a few times before, but I’m looking for informal opinions/survey about how you are deploying your Radius EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard users, but recently went through a difficult renewal period to replace our expiring certificate. As we had configured all of our clients to “verify the server certificate” (as you should from a security perspective), we found that iOS/MacOS and Android clients did not take kindly to a new certificate being presented. This resulted in quite a few disgruntled users who couldn’t connect to WiFi as well as a shell-shocked Service Desk. To help prevent this in the future (and because we are moving to a new Radius infrastructure), what is the consensus on the following strategies: Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with "verify server certificate" enabled Option 2: Removing all traces of “verify server certificate” from OnBoard configuration and use 2-year certs from CAs Option 3: Use 2-year CA certificates, enable “verify server certificates” and educate/prepare every two years for connection issues. Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS. Opinions? Craig Simons Network Operations Manager Simon Fraser University | Strand Hall 8888 University Dr., Burnaby, B.C. V5A 1S6 T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices<http://www.sfu.ca/itservices> [http://www.sfu.ca/content/dam/sfu/creative-studio/images/email/sfu-horizontal.png] ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
