We didn't know that the mechanism to validate a certificate wasn't really that strict and thought it was a good idea. If we had to do it over, it would totally be a self-signed cert with a long expiration date. Also we had never dealt with intermediates and changing roots due to expiration for the first several years.

Thanks,
Joseph B.

Sent from my iPhone

> On Jul 31, 2018, at 6:30 PM, Cappalli, Tim (Aruba Security) <[email protected]> wrote:
>
> Just curious, for those running a supplicant configuration utility, why are you using a public CA-signed EAP server certificate?
>
>
> On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Charles Rumford" <[email protected] on behalf of [email protected]> wrote:
>
>> On 07/31/2018 04:18 PM, Michael Dickson wrote:
>> Hi Charles,
>>
>> What do you mean by "we ended up configuring all of the intermediate certs"? Do you mean you are now pushing all certs down to the client during the JoinNow process?
>
> Yes. We ended up, just for Windows, pushing all of the certs down to the clients. It was the only way we could get the profile to work.
>
>> We are also running EAP-TTLS/PAP with JoinNow with a cross-signed double intermediate cert. I haven't heard of any issues yet but want to get in front of any that might crop up.
>>
>> Thanks,
>> Mike
>>
>> Michael Dickson
>> Network Engineer
>> Information Technology
>> University of Massachusetts Amherst
>> 413-545-9639
>> [email protected]
>> PGP: 0x16777D39
>>
>> --------------------------------------------------------------------------------
>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]> on behalf of Charles Rumford <[email protected]>
>> *Sent:* Tuesday, July 31, 2018 12:24 PM
>> *To:* [email protected]
>> *Subject:* Re: [WIRELESS-LAN] Issues with Windows 10
>>
>>> On 07/30/2018 01:09 PM, Turner, Ryan H wrote:
>>> From SecureW2:
>>>
>>> The issue is noticed when the RADIUS server cert is signed by AddTrust External CA Root (Cross signed by USERTrust RSA Certification Authority) and with the recent Windows 10 update. We are looking into this and should be able to provide you an update.
>>>
>>
>> We ended up configuring all of the intermediate certs, and it solved the problem.
>>
>> --
>> Charles Rumford
>> Senior Network Engineer
>> ISC Tech Services
>> University of Pennsylvania
>> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
>
> --
> Charles Rumford
> Senior Network Engineer
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
