Got it. Just to clarify, a self-signed EAP server certificate should never be used. A server certificate issued by a PKI under your control is the best deployment practice (which is not the same as a self-signed certificate).
tim From: Mike Atkins<mailto:matk...@nd.edu> Sent: Wednesday, August 19, 2020 11:31 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Tim, We use the public certificates for users that do not use our onboarding utility. We use a public root certificate that is in pretty much all operating systems. Fortunately or unfortuanately, some operating systems still want to walk the entire chain so we onboard with the root and intermediate. Our information security group had concerns about users just accepting security prompts for certificates. Using a self-signed cert that expires far into the future sounds better each day. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 10:38 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, why do you continue to use a public cert? A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern). Tim From: Mike Atkins<mailto:matk...@nd.edu> Sent: Wednesday, August 19, 2020 10:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? We were burnt last December by an updated cert with the same cert chain and still not trusted by some devices/operating systems. We learned documents that referenced changes to the default web browser on an operating system ended up with a modification in the operating system that matched the web browser's changed behavior. I think this is the same experience Christopher is referencing. We ended up having to re-onboard all of our devices at the very last minute. We spent more time than we should have to try to avoid onboarding devices mid-semester when our cert expired. (this happened right around finals of course) Our identity group is buying a cert to test with a month in advance. They then cancel/revoke that cert to get money back and then order the production cert. This is to best ensure we test with the right root/intermediate certificate authorities that will be on our production cert. We still lose about a week on the production cert between testing and install. Ideally, we would keep the yearly cert installation during the summer but time is against us. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Johnson, Christopher Sent: Wednesday, August 19, 2020 10:07 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I think it's going to "depend" on each Operating System for the 802.1X authentications being affected. The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then all portions of the Operating System should not use those certificates regardless. However, from what I saw, even if I disable some of the Public CAs - the wireless supplicant still seems to trust them. Christopher Johnson Wireless Network Engineer Office of Technology Solutions | Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Tyler Sent: Wednesday, August 19, 2020 8:45 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? [This message came from an external source. If suspicious, report to ab...@ilstu.edu<mailto:ab...@ilstu.edu><mailto:ab...@ilstu.edu>] I was told by Sertigo that all commercial certs would be affected. We just bought the last 2 year expirations we could get away with for both 802.1x and https. The reason I am told has to do with so many smaller establishments that go out of business before their cert expires leaving the cert as a security vulnerability for consumers. I just wish there was a way to allow for the longer certs for those of us that have a long history of existence and stability. Such a pain. And I am told they are debating quarterly cert replacements in the future. That would turn cert management into a much bigger responsibility if that were to happen. Hopefully that doesn’t happen. And yes, if you want to manage EAP with your own self cert, I believe you can use a longer expiration. Tim -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andrew Gallo Sent: Wednesday, August 19, 2020 8:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Does anyone know if the new, shorter certificate expiration for TLS that Apple announced (and Google is following) will affect 802.1X authentication? Thanks -- ________________________________ Andrew Gallo The George Washington University ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068886666&sdata=Qj9thwK%2F3GHrUzZwZ1mfCDQtUcWViXq9e%2FNWBX7%2BAFs%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068886666&sdata=Qj9thwK%2F3GHrUzZwZ1mfCDQtUcWViXq9e%2FNWBX7%2BAFs%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068896667&sdata=y89QmASBkYI%2FVvjtwIPq2iJPD2l3mSwn68vxaPwhBbE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068896667&sdata=y89QmASBkYI%2FVvjtwIPq2iJPD2l3mSwn68vxaPwhBbE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068906654&sdata=AtK7bh9w5gJOK5%2FzUuur2ukRV04sMebhg2bBkWHeBqo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cf8abfc44bce341a5a46b08d84454fa95%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334479068906654&sdata=AtK7bh9w5gJOK5%2FzUuur2ukRV04sMebhg2bBkWHeBqo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
