We're planning to migrate our PEAP-MSCHAPv2 Wi-Fi to EAP-TLS. At the recommendation of a couple of big universities we talked with, we are looking at using SecureW2. We have demoed it and it works great provisioning the clients and enrolling user certificates to their cloud PKI. After bringing it up with our AD team, some questions were asked about possibly just using our ADCS. We know we can use ADCS with or without SecureW2 and will likely leverage SecureW2 anyway, pointing it at ADCS, for nice features like OS detection and provisioning and a good dissolvable agent. We use Cisco ISE for our RADIUS server, and I much prefer SecureW2's agent over ISE.
I was asked a couple of questions and I may or may not already know the answer, but it'd be great if someone with a little more PKI background could clarify:

Private PKI questions:
1. Does every managed and BYOD device have to trust the full chain of the certificate?
2. How do you install the trusted root and intermediate on a BYOD device?
3. For a private PKI with a self-signed cert, do we need an HSM? If we use the InCommon root, would we need the HSM?

SecureW2 questions:
1. Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and intermediate on a BYOD device during enrollment? If so, then it shouldn't matter if we use a self-signed root or the InCommon public root, right?
2. We are also an InCommon partner and can get root-signed certs from them. If we used the InCommon root but pointed SecureW2 to our ADCS, would that be an unnecessary step rather than just pointing SecureW2 straight to InCommon like we're doing in our demo?
3. Would you recommend we use an InCommon public signed cert even if we're able to have every BYOD client install our self-signed cert? We have unlimited InCommon certs. We may already have been issuing user certs to all our managed devices, just not doing anything with them. One thing I thought was that any BYOD could be InCommon, and all managed would be self-signed, and I could just set ISE to trust both.

Thanks,
Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
314.935.3877 | [email protected]
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
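As an added example (not from Lynn's message, and not SecureW2, ISE or ADCS code): the question of whether ISE can simply trust both a private root and a public root, and what trust material each side needs for the chain to validate, can be checked with a throwaway PKI built with the openssl CLI. It assumes openssl and mktemp are installed; every CA name, the one-day validity and the "public root stand-in" are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added demo (not the poster's or any vendor's code): private root -> issuing CA
# -> user cert, plus a second root issuing directly (public-CA stand-in).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
# selfsigned NAME CN: self-signed root certificate (constructed, 1-day validity)
selfsigned() {
  newkey "$1.key"
  openssl req -x509 -new -config ext.cnf -extensions v3_ca -key "$1.key" \
    -subj "/CN=$2" -days 1 -out "$1.crt" 2>/dev/null
}
# issue NAME CN ISSUER SECTION: certificate for NAME signed by ISSUER's key
issue() {
  newkey "$1.key"
  openssl req -new -config ext.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}
selfsigned root "Private Root"             # e.g. an offline ADCS root
issue int "Private Issuing CA" root v3_ca  # e.g. an ADCS issuing CA
issue user "managed-user" int v3_leaf      # user cert from the private PKI
selfsigned pub "Public Root Stand-in"      # stand-in for a public root
issue byod "byod-user" pub v3_leaf         # user cert issued directly by it
cat root.crt pub.crt > both-roots.pem      # a trust store holding both roots
# verify_chain CERT TRUSTFILE [UNTRUSTED]: succeeds only if CERT chains to a
# root in TRUSTFILE; UNTRUSTED holds intermediates the client presented.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" -purpose sslclient "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1
  fi
}
verify_chain user.crt root.crt || echo "private user cert: root alone cannot build the chain"
verify_chain user.crt root.crt int.crt && echo "private user cert: OK once the intermediate is presented"
verify_chain byod.crt both-roots.pem && echo "public-root user cert: OK against the two-root store"
verify_chain user.crt both-roots.pem int.crt && echo "private user cert: OK against the two-root store"
```

The first line shows why the intermediate must reach the RADIUS server (either sent by the client during the TLS handshake or placed in the server's trust store); the last two show a single trust store holding both roots accepting certificates from either PKI.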
