Somewhat related to this thread, if you are planning to switch to EAP-TLS, 
please consider using ECC (Elliptic Curve Cryptography, small certs) 
certificates.
They make EAP-TLS much more compatible when authentications cross many network 
devices (related MTU size issues), especially if you do not control those 
devices.
We have had many failed authentications on eduroam with EAP-TLS (using 2048-bit 
certs) due to MTU mismatch on network devices across the entire federation.

Best,

Philippe

Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770
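As an added illustration of the size difference Philippe describes (this is example code written for this page, not part of anyone's message in the thread), the following POSIX shell script uses the openssl command line tool to generate a throwaway RSA-2048 and a P-256 (ECC) self-signed certificate, reports the DER size of each, and estimates how many EAP fragments each certificate alone would need at an assumed 1000-byte EAP fragment size. The subject name radius.example.edu, the one-day validity and the fragment size are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare the DER size of an RSA-2048
# RADIUS server certificate with a P-256 (ECC) one, then estimate how many
# EAP fragments each certificate alone needs at an assumed fragment size.
# Requires the openssl command line tool. Names and values are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME KEYSPEC...: create a throwaway self-signed certificate for
# the hypothetical subject radius.example.edu and print its DER length.
gen_cert() {
  name=$1
  shift
  openssl req -x509 -nodes -days 1 -subj "/CN=radius.example.edu" \
    -newkey "$@" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    >/dev/null 2>&1
  openssl x509 -in "$WORK/$name.pem" -outform DER -out "$WORK/$name.der"
  wc -c < "$WORK/$name.der" | tr -d '[:space:]'
}

# fragments_needed BYTES FRAGSIZE: ceiling division, i.e. how many EAP-TLS
# fragments a payload of BYTES needs when each fragment carries FRAGSIZE bytes.
fragments_needed() {
  echo $(( ($1 + $2 - 1) / $2 ))
}

# Assumed EAP fragment size; real deployments configure this on the RADIUS server.
FRAG=1000

rsa_bytes=$(gen_cert rsa rsa:2048)
ec_bytes=$(gen_cert ec ec -pkeyopt ec_paramgen_curve:prime256v1)

printf 'RSA-2048 cert: %s bytes DER, %s fragment(s) at %s bytes\n' \
  "$rsa_bytes" "$(fragments_needed "$rsa_bytes" "$FRAG")" "$FRAG"
printf 'P-256 cert:    %s bytes DER, %s fragment(s) at %s bytes\n' \
  "$ec_bytes" "$(fragments_needed "$ec_bytes" "$FRAG")" "$FRAG"
```

The count is only a rough proxy: the server's TLS Certificate message also carries any intermediate certificates, so a real chain is larger than the single certificate measured here. The point the numbers make is the one Philippe raises, namely that an ECC chain is a fraction of the size of an RSA-2048 chain, so fewer and smaller RADIUS packets have to survive every hop between the access point and the home RADIUS server.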

> On May 27, 2020, at 8:16 AM, Turner, Ryan H <[email protected]> wrote:
> 
> My guidance is for properly onboarded TLS devices. It doesn't apply to PEAP 
> or anything else. Actually, that does bring a wrinkle into my previous 
> email. If PEAP and TLS both exist, I am going to guess there will be more 
> prompts or issues with a private CA (perhaps). 
> 
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
> 
>> On May 26, 2020, at 8:21 PM, Hurt,Trenton W. <[email protected]> 
>> wrote:
>> 
>> 
>> I'm also doing unmanned EAP-PEAP (yes, I know all the security reasons 
>> against this). If I don't use a public signed CA, will BYOD devices be able to 
>> connect via EAP-PEAP with that private cert? 
>> 
>> Trent Hurt
>> 
>> University of Louisville
>> 
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> <[email protected]> on behalf of Turner, Ryan H 
>> <[email protected]>
>> Sent: Tuesday, May 26, 2020 8:10 PM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> You are likely totally hosed. In fact, you should consider abandoning 
>> public CAs entirely when you re-do this. Throughout the years, I've 
>> counseled a lot of schools about TLS deployments, and I cautioned strongly 
>> against using public CAs for this exact reason. You have no control, and 
>> your CA can totally hose you, as you can see.
>>  
>> There is no way around this if the CA will not cooperate. You should talk 
>> to your Active Directory folks. They should spin up a new offline private 
>> CA root, then an intermediary, then issue your RADIUS server certificates from the 
>> intermediary. The expiration should be many years.
>>  
>> OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
>> certificates.  In any event, get off the public CAs.
>>  
>> Ryan
>>  
>> From: The EDUCAUSE Wireless Issues Community Group Listserv 
>> <[email protected]> On Behalf Of Hurt,Trenton W.
>> Sent: Tuesday, May 26, 2020 5:36 PM
>> To: [email protected]
>> Subject: [WIRELESS-LAN] securew2 root ca radius server cert change
>>  
>> I have both EAP-PEAP and EAP-TLS set up and working. My RADIUS server cert 
>> is going to expire soon. I have received a new one from a public CA. It works 
>> fine for EAP-PEAP clients. But my existing EAP-TLS clients all fail auth 
>> when I switch to this new updated RADIUS cert. I see that my public CA has 
>> issued this new cert using a different root CA than my old one (the one that 
>> is installed/configured in my SecureW2 app in the cloud). SecureW2 has told 
>> me that users will have to onboard again once I change the cert on ClearPass 
>> and update the cloud app, since the public CA changed the root CA on the 
>> cert chain. I asked my public CA if they could reissue using the other root 
>> CA so my EAP-TLS clients will still work once I do the change. They have 
>> told me that I shouldn't need a reissue using the old root CA (the one the 
>> TLS clients currently use) because my new cert's root CA is cross-signed by 
>> the old root CA. They told me that I should be able to use this new one, but 
>> I still can't seem to get things working correctly. Has anyone who is using 
>> SecureW2 had issues like this with the root CA changing and clients forced 
>> to re-onboard? I'm not really a PKI person, so if there is some way I could 
>> chain these or something. Just looking for a way to update the RADIUS cert 
>> on the servers and not have to force all my onboarded clients to go through 
>> that process once I make the change.
>>  
>>  
>> **********
>> Replies to EDUCAUSE Community Group emails are sent to the entire community 
>> list. If you want to reply only to the person who sent the message, copy and 
>> paste their email address and forward the email reply. Additional 
>> participation and subscription information can be found at 
>> https://www.educause.edu/community 