Tim,

Thank you for your response. The issue that I see is that whether it is a supplicant or a manual install, I am still required to trust your chain instead of a major CA. I use third-party certificates since I know they are supported and it is easier to trust an organization that has to be validated every couple of years than a random organization that may or may not protect its internal CA properly. I do run internal CAs and they are harder to protect than most people believe.

Much of the medical equipment that I work with can't support EAP-TLS, and getting 802.1X PEAP is sometimes a major challenge. In 2020, the number of wireless devices that I see that are at least 3 generations old is still unacceptably high.

Todd Smith

From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli
Sent: Wednesday, August 19, 2020 1:12 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

The core difference is that a user or device password cannot be compromised when modern authentication is used. Password-based authentication has been in the process of being deprecated for years. Unfortunately, networks are one of the last parties stuck on passwords.

> If I come onto your institution then I would have to accept your certificate chain to be granted access. Why should I trust your chain over a major CA provider?

This should NEVER be happening. That's the other major point. A properly configured supplicant will never prompt the user to accept a trust anchor, regardless of whether it's a public CA or not.

Tim

From: Smith, Todd <[email protected]>
Sent: Wednesday, August 19, 2020 13:01
To: [email protected]
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X?

This is all well and good, and I accept that different institutions have different requirements. How is EAP-TLS, which requires a client certificate, any better than EAP-PEAP, which, while using username/password, is in a Microsoft setting no worse than sitting at your wired machine to log in? Unless your organization requires client-side certs on your wired machines, I don't see the difference.

Your point is well founded in that not requiring server certificate validation does open PEAP up to MITM attacks, but to summarily declare EAP-TLS superior because it uses client certificates seems to miss the point. If I come onto your institution then I would have to accept your certificate chain to be granted access. Why should I trust your chain over a major CA provider? Obviously, you have the control and authority to insist on whatever access conditions you find acceptable, but in my case I don't, and I use third-party certs since they are accepted by practically every device.

To change the question slightly: what are organizations using for large private PKI? Microsoft CA? OpenSSL? What are organizations doing to onboard non-owned devices to accept this foreign cert chain?

Thank you in advance for responses to a difficult and troubling subject.

Todd Smith

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
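The two technical points raised in the thread, that PEAP without server certificate validation is open to MITM and that a properly configured supplicant never prompts the user to accept a trust anchor, are easiest to see side by side in supplicant profiles. The wpa_supplicant network blocks below are an added illustration, not configuration from anyone in the thread; the SSID, identities, hostnames and file paths are placeholders. The third profile shows why the "third-party certificate" approach Todd describes needs one extra setting: when the trust anchor is the public CA bundle, any certificate any public CA would issue chains correctly, so the expected RADIUS server name must be pinned with domain_match as well.

```ini
# --- 1. Weak PEAP profile: no server certificate validation ---
# Without ca_cert, wpa_supplicant accepts whatever certificate the
# authenticator presents (it only logs a warning). A rogue access point
# running its own RADIUS server can then collect the MSCHAPv2 exchange.
network={
    ssid="Campus-Secure"              # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="tsmith@example.edu"     # placeholder identity
    password="REPLACE_ME"             # placeholder, never ship real secrets in examples
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_match -> server is never validated
}

# --- 2. Hardened PEAP profile with a private/internal CA ---
# The institution's own root is the trust anchor; nothing else chains to it,
# so ca_cert alone already rejects a rogue server. domain_match is still set
# so a leaked certificate for some other internal host cannot be reused.
# The supplicant has everything it needs and will not prompt the user.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="tsmith@example.edu"
    anonymous_identity="anonymous@example.edu"   # outer identity hides the real username
    password="REPLACE_ME"
    ca_cert="/etc/wpa_supplicant/campus-root-ca.pem"   # placeholder path to the internal root
    domain_match="radius.example.edu"                  # expected RADIUS server name (placeholder)
    phase2="auth=MSCHAPV2"
}

# --- 3. Hardened PEAP profile with a public (third-party) CA ---
# Using the OS public CA bundle means ANY publicly issued certificate
# validates, so ca_cert by itself is not enough; domain_match is what makes
# the check meaningful. This is the profile the thread's "third-party cert"
# approach needs on every client.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="tsmith@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # distro public CA bundle (Debian/Ubuntu path)
    domain_match="radius.example.edu"              # mandatory when the anchor is a public bundle
    phase2="auth=MSCHAPV2"
}

# --- 4. EAP-TLS profile: device certificate instead of a password ---
# Mutual authentication: the server still must match the pinned trust anchor
# and name; the client proves possession of its private key, so there is no
# reusable password to capture even if a user is phished elsewhere.
network={
    ssid="Campus-Secure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device0001@example.edu"                  # placeholder device identity
    ca_cert="/etc/wpa_supplicant/campus-root-ca.pem"
    domain_match="radius.example.edu"
    client_cert="/etc/wpa_supplicant/device0001.pem"   # placeholder device certificate
    private_key="/etc/wpa_supplicant/device0001.key"   # placeholder device key
    private_key_passwd="REPLACE_ME"
}
```

Profiles 2 through 4 are what "a properly configured supplicant will never prompt" looks like in practice: the trust anchor and expected server name are provisioned with the profile, so there is nothing left for the user to decide. Profile 1 is the state that makes PEAP vulnerable regardless of how good the server's certificate is, because no client ever checks it. On other platforms the same three settings (trust anchor, expected server name, inner method) exist under different names, and the same caveat about public CA bundles applies whenever the RADIUS server uses a third-party certificate.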
