Charles, you wrote a while back that you went through the process of moving from CloudPath to SecureW2 for EAP-TLS. I'm curious how that experience went.
Did you change Certificate Authorities or do some kind of CA transfer? Did you avoid any hard stop moments where clients lost access and had to get a new cert? We are using CloudPath and my primary concern for migrating off of it is making sure it is a smooth user experience. On Fri, Sep 20, 2019 at 5:57 PM Anderson, Charles R <c...@wpi.edu> wrote: > I'm not following either. We onboard both profiles with the same EAP-TLS > certs, although we are using SecureW2 (just moved from CloudPath). It > matters not which one the user's device connects to locally--they both drop > the user on the same network. If we were to eventually drop our branded > SSID, we'd just reconfigure the onboarding tool to configure only eduroam, > but still use the same configuration/certs otherwise. > > On Fri, Sep 20, 2019 at 04:01:32PM -0400, Michael Davis wrote: > > We onboard EAP-TLS to eduroam. I'm not following this progression of > > events. > > > > On 9/20/19 3:47 PM, Aaron Abitia wrote: > > > > > > Hello all, Aaron from Cal Poly, San Luis Obispo here... > > > > > > > > > We just went all eduroam and turned off our primary branded dot1x > > > SSID, which featured Aruba Clearpass EAP-TLS Onboarding of devices. > > > Because Onboarding is now gone, my question is about the eduroam CAT > > > tool…I believe reasons for using it would be to mitigate > > > man-in-the-middle attacks, to get rid of the red “Not Verified” iOS > > > message and to otherwise insulate the user from manually accepting our > > > RADIUS certificate. > > > > > > > > > However, I’m wondering about usability once our users leave our > > > campus. We have seen users here from other universities who are > > > unable to connect to eduroam, and we find that they are running a > > > profile from their home university, though we’re not sure if its the > > > eduroam CAT tool or another installer. Once we remove their profile, > > > they are able to get on eduroam. I believe that if an organization is > > > using a profile and that profile lists the RADIUS server(s) from that > > > organization for the eduroam connection, the user may or may not be > > > dead until that profile is removed, depending on what’s in the > > > profile; if all that’s in the profile is the organization’s RADIUS > > > servers, the user should still work here, but if there’s other > > > elements in that profile, the user could fail, which we’ve seen, but > > > I’m trying to identify what precisely in the profile could cause the > > > failure to connect. Would anyone have any insight into this? > > > > > > > > > We have many other eduroam users from other organizations that work > > > fine here, presumably because no profile is being used and the user > > > has just manually connected at home and here at our school. I would > > > also be interested in hearing about the eduroam CAT tool from anyone > > > using it, or other config tools used by anyone and the reasons for it, > > > beyond what I’ve mentioned above. > > > > > > > > > Many thanks. > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email reply. > Additional participation and subscription information can be found at > https://www.educause.edu/community > ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
