Our main issues continue to be with Android on TLS, but SecureW2 has made it 
much better.   We’ve had no real issues with Windows or any other major OS.  

We support TTLS for eduroam until this Wednesday, when it will be disabled (for 
our own users).  When we checked our logs, about 600 users were configured for 
TTLS (out of over 60-100k yearly onboards for TLS).  So 1%.  You’ll see more of 
this if you’ve come from a PEAP environment when virtually no one onboards.  
You’ll have to disable PEAP after some time to force everyone to TLS. 

To answer David’s other question.   We use AD PKI integrated with SecureW2.  We 
(networking) did not want to run a PKI.  I ‘think’ we are on our own 
intermediary off our own offline root.  

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Feb 26, 2018, at 11:31 AM, Curtis, Bruce <bruce.cur...@ndsu.edu> wrote:
> 
> 
> 
>> On Feb 23, 2018, at 10:58 AM, David Morton <dmor...@uw.edu> wrote:
>> 
>> We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
>> adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
>> but all of them will take some work to get them ready for a production 
>> launch. Given that resources are limited, I’m looking for some data points 
>> about others who have moved, are thinking of moving or have decided not to 
>> adopt EAP-TLS. 
>> 
>> To help gather some data can you please answer this short survey? 
>> 
>> Do you:
>> 
>> - Support 802.1x? - 
> 
> Yes.
> 
>> 
>> If yes, do you:
>> 
>> - use EAP-PEAP on campus? - 
> 
> Yes.
> 
>> 
>> - use EAP-TLS on campus? - 
> 
> Yes.
> 
>> - What PKI/CA do you use: - 
>> 
>> - If both, why and is one preferred? - 
> 
> We were mainly using EAP-TLS with some devices using EAP-TTLS.
> 
> We will be turning off EAP-TTLS soon.
> 
> We enabled EAP-PEAP recently because our help desk reported a significant 
> percentage of Android devices had issues with EAP-TLS.
> 
> Also a smaller percentage of Windows machines had problems with EAP-TLS but 
> it was decided to use EAP-PEAP for Windows devices.
> 
> We continue to use EAP-TLS for Apple devices, both iOS and Mac OS.
> 
> EAP-TLS has the advantage that a man in the middle attack can not steal a 
> password, even if a user turns off the “check server certificate” 
> verification.
> Also with EAP-TLS devices do not have to be reconfigured if a password is 
> changed.
> 
> So EAP-PEAP is installed on Android and Windows devices by default with 
> CloudPath and EAP-TLS is installed by default on Apple devices with CloudPath.
> People still have the option of configuring EAP-TLS for Android and Windows 
> devices and EAP-PEAP for Apple devices but that requires that they configure 
> that manually rather than with the installer.
> 
>> - If only PEAP, are you planning EAP-TLS? - 
>> 
>> Brief description of why you’re doing what you’re doing and anything else 
>> that might be helpful:
>> 
>> 
>> 
>> Thank you in advance
>> 
>> 
>> David
>> 
>> 
>> 
>> 
>> David Morton 
>> Director, Networks & Telecommunications
>> Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
>> University of Washington
>> dmor...@uw.edu
>> tel 206.221.7814
>> 
>> ********** Participation and subscription information for this EDUCAUSE 
>> Constituent Group discussion list can be found at 
>> http://www.educause.edu/discuss.
>> 
> 
> ---
> Bruce Curtis                         bruce.cur...@ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University        
> 
> 
