While I agree with Ryan and others about user / client certificates, I believe 
the original topic was RADIUS Server certificates, not user.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Wednesday, May 16, 2018 2:56 PM
Subject: Re: Rotating 802.1x RADIUS CA certificate

I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out 
non-disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long-term self-signed CAs and certs are the way to go for the 
RADIUS server!  No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
We still use SHA2 256-bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256-bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms or length at this point, as it 
might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of James Andrewartha
Sent: Tuesday, May 15, 2018 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 client that lost its certificates 
and some EAP configuration) I noticed that our private CA used for WPA2 
Enterprise RADIUS auth expires in September next year. The certificate used by 
the RADIUS servers is valid until January 2024, but am I correct in thinking 
that if the CA has expired the cert won't be trusted either?

Has anyone rotated their cert and have any tips for managing the flag day? I'm 
going to create a new private CA, this time with a 30 year lifetime, although I 
imagine it'll be obsolete before then due to increased crypto requirements. 
Speaking of which, what are the best practices for a private CA these days? 
SHA2 (384bit)? SHA3? RSA? Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we can 
push out wireless configuration. I had a look at the Windows and Mac configs, 
and both of those can trust multiple CAs for a given SSID. On iOS we don't push 
out wireless config, but we were going to reprovision the remaining ones anyway 
at the end of this year so that's fine.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
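The question James raises (does a server certificate stop being trusted once the CA that issued it expires, even though the server cert itself is still in date?) worked through with openssl, as an added example that is not part of the thread: a short-lived private CA issues a server cert that outlives it, and `openssl verify -attime` shows what a supplicant would conclude before and after the CA's expiry. It assumes openssl 1.1.1 or newer in PATH; the CA name and `radius.example.edu` are placeholders.

```shell
# Added example, not from the thread: a private CA that expires before the
# server certificate it issued (the situation described in the original post),
# checked with `openssl verify -attime`. Assumes openssl 1.1.1+ in PATH; the
# CA and server names are placeholders.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Issue a SHA-256/RSA CA valid for <ca_days> and a server cert it signs valid
# for <leaf_days>. openssl happily issues a leaf that outlives its issuer,
# which is how a "CA expires 2019, server cert valid to 2024" chain arises.
make_chain() {  # make_chain <ca_days> <leaf_days>
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$1" \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=radius.example.edu" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$2" -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# What a supplicant that trusts ca.pem would conclude about server.pem at a
# given moment (epoch seconds): OK, or EXPIRED when any cert in the chain
# (the CA included) is outside its validity period.
verify_at() {  # verify_at <epoch_seconds>
    if openssl verify -attime "$1" -CAfile "$WORK/ca.pem" \
            "$WORK/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo EXPIRED
    fi
}

# Does <cert> expire within the next <seconds>? Uses openssl's own check, so
# it needs no GNU date. Run it over the CA, not just the server cert.
expires_within() {  # expires_within <cert.pem> <seconds>
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

NOW=$(date +%s)
make_chain 30 365   # CA good for 30 days, server cert for a year
echo "today:      $(verify_at "$NOW")"                   # OK
echo "in 60 days: $(verify_at $((NOW + 60 * 86400)))"    # EXPIRED (CA, not leaf)
echo "CA expires within 60 days:   $(expires_within "$WORK/ca.pem" $((60 * 86400)))"
echo "leaf expires within 60 days: $(expires_within "$WORK/server.pem" $((60 * 86400)))"
```

The `expires_within` check is the one worth scheduling against the CA file on the RADIUS servers, since monitoring only the server certificate's notAfter is exactly what lets the CA expiry go unnoticed.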

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
