We have been using certificates for many years now, with good results. We've never used EAP-PEAP.
We have two PKIs. For administrative systems that are joined to our AD domain, the domain PKI automatically issues certificates that are trusted, effectively auto-configuring the system. For anything else, including BYOD, we use Cloudpath, with its built-in PKI.

Having the wireless authentication decoupled from the account process has been very helpful over the years:

* Fewer lockouts due to badly configured mobile devices (doesn't help with email clients)
* Account suspensions and password changes don't knock devices offline
* No user passwords stored for wireless configurations, or shared with friends/family/etc

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute

"For every problem, there is a solution that is simple, elegant, and wrong." - HL Mencken

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of David Morton <dmor...@uw.edu>
Sent: Friday, February 23, 2018 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP vs TLS

We currently use EAP-PEAP for our eduroam/802.1x, but are now considering adding EAP-TLS to the mix. We have several potential PKIs that we could use, but all of them will take some work to get them ready for a production launch. Given that resources are limited, I’m looking for some data points about others who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:
- Support 802.1x?
- If yes, do you:
  - use EAP-PEAP on campus?
  - use EAP-TLS on campus?
  - What PKI/CA do you use:
  - If both, why and is one preferred?
  - If only PEAP, are you planning EAP-TLS?
- Brief description of why you’re doing what you’re doing and anything else that might be helpful:

Thank you in advance
David

David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu
tel 206.221.7814

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.