Hi David, Aaron here from Cal Poly University in San Luis Obispo...
*Do you*:
- Support 802.1x? - Yes.

*If yes, do you*:
- use EAP-PEAP on campus? - Yes.
- use EAP-TLS on campus? - Yes.
- What PKI/CA do you use: - For PEAP, we use Comodo/InCommon as the CA for the RADIUS and HTTPS certs that we load into Aruba ClearPass, which acts as our RADIUS. For EAP-TLS, we use Aruba ClearPass Onboarding, which acts as its own PKI, and again, we use Comodo/InCommon as the CA for the RADIUS and HTTPS certs in ClearPass.
- If both, why and is one preferred? - We started out with PEAP, then rolled in EAP-TLS. The reason for this was that because we're Education, we don't have centralized management of devices, but rather BYOD, so getting certs to users' devices so that the devices bark less was difficult. With PEAP, we made a mobile config profile available to iOS users so that those devices barked less about seeing a new cert (you still get an "I see a new cert" popup in iOS/AppleOS, but at least there's no dreaded "Not Verified" message in red letters); then with non-Apple devices we made do with the Root CA certs that came with the OS, but that still meant that we had to instruct users on how to configure the "verify server certificate" settings.

  All of those certificate issues are why we started using Aruba's Onboarding for EAP-TLS, where all we needed to worry about was having valid RADIUS/HTTPS certs on ClearPass. The device connects to the Onboarding SSID, they log in with a browser, and the device is then provisioned for our main SSID. With EAP-TLS, your WiFi system doesn't go down if AD has a problem, because devices are authenticated to ClearPass. Also, there are fewer password problems that come with AD, should a user's account get locked. And, if a device is infected, you can revoke access for that one device, instead of blocking their username and thus all their devices. But the main thing is that your help desk theoretically has fewer visits, since users can use Onboarding anywhere.
  We wanted to eventually turn off PEAP, but by having PEAP available, there's that safety net if users cannot Onboard, and also, we do PEAP on eduroam as well. Because we have ~25K devices that all want on WiFi, there are always going to be users who, for whatever reason, are unable to Onboard: their device is messed up, the provisioning process crashes, etc. That said, with PEAP there can be issues of manual device configuration, depending upon the OS; that is less of a factor today than it used to be, though.
- If only PEAP, are you planning EAP-TLS? -

Brief description of why you're doing what you're doing and anything else that might be helpful: One of the main issues that may influence which way you go is how sensitive your organization is to popups on devices, in particular "certificate cannot be verified" type messages. Some universities don't care: just click "OK" or "Proceed" the one time and you'll never see it again, in which case PEAP might be okay for you. In other universities, they won't allow that; the whole connection experience must be as free of those popups as possible, and that's where Aruba Onboarding helps. As far as the manual configuration on devices that you need to do for a PEAP connection, that has subsided as OSes got better at WiFi; in the early days of WiFi that was a bigger issue and is what made EAP-TLS/Onboarding so attractive.

P.S. Go Cougars... sorry man, I lived in Pullman as a kid.

On Fri, Feb 23, 2018 at 8:58 AM, David Morton <[email protected]> wrote:

> We currently use EAP-PEAP for our eduroam/802.1x, but are now considering adding EAP-TLS to the mix. We have several potential PKIs that we could use, but all of them will take some work to get them ready for a production launch. Given that resources are limited, I'm looking for some data points about others who have moved, are thinking of moving or have decided not to adopt EAP-TLS.
>
> To help gather some data can you please answer this short survey?
> *Do you*:
> - Support 802.1x? -
>
> *If yes, do you*:
> - use EAP-PEAP on campus? -
> - use EAP-TLS on campus? -
> - What PKI/CA do you use: -
> - If both, why and is one preferred? -
> - If only PEAP, are you planning EAP-TLS? -
>
> Brief description of why you're doing what you're doing and anything else that might be helpful:
>
> Thank you in advance
>
> David
>
> David Morton
> Director, Networks & Telecommunications
> Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
> University of Washington
> [email protected]
> tel 206.221.7814
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

--
Aaron Abitia
Network Analyst
Enterprise Systems, Networks
Information Technology Services
Cal Poly State University
Tel: 805.756.1295
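The "verify server certificate" settings the reply mentions, shown as wpa_supplicant network blocks. This is an added example, not configuration from either campus or from the thread; the SSID name, identities, file paths and the RADIUS server name are assumptions standing in for whatever a real deployment uses.

```conf
# wpa_supplicant.conf network blocks (added example; all names and paths are assumptions).

# WEAK: PEAP with server-certificate verification switched off.
# The supplicant will start the inner MSCHAPv2 exchange with *any* access
# point that advertises this SSID, so a rogue AP with its own RADIUS server
# can collect the challenge/response and crack the password offline.
network={
    ssid="campus-secure"             # hypothetical SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="student@example.edu"   # hypothetical
    password="changeme"              # placeholder
    # no ca_cert and no domain_match: this is the unverified configuration
}

# HARDENED: PEAP that actually verifies the RADIUS server.
# The thread's RADIUS certs chain to a public CA (Comodo/InCommon), so
# trusting the OS root bundle alone is not sufficient: anyone can buy a
# certificate from a public CA. domain_match pins the server name too, so
# only a certificate for the real RADIUS server is accepted.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"    # outer identity; keeps the real username out of the clear
    identity="student@example.edu"
    password="changeme"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"  # OS-supplied root bundle (Debian path; assumption)
    domain_match="radius.example.edu"             # hypothetical RADIUS server name
}

# EAP-TLS: the per-device certificate model the reply describes.
# Revoking this device's certificate on the RADIUS/CA side cuts off this
# one device without locking the user's directory account or touching
# their other devices.
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device-1234@example.edu"            # hypothetical; normally matches the client cert's subject/SAN
    ca_cert="/etc/ssl/certs/ca-certificates.crt"  # still needed: the client validates the RADIUS server cert too
    domain_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/device.pem"  # device cert issued by the onboarding PKI (path is an assumption)
    private_key="/etc/wpa_supplicant/device.key"
    private_key_passwd="changeme"
}
```

The practical check on a PEAP deployment is the middle block: if a client profile has no trusted CA and no server-name match, the "click OK once" popup the reply describes is the only thing standing between the user's password hash and a rogue AP. With EAP-TLS the server-side validation matters just as much, which is why the third block keeps ca_cert and domain_match rather than relying on the client certificate alone.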
