I started working on something but decided it is not something I really have the cycles to maintain over time. (And I've found over the years that most people don't follow best practices anyway.)
tim ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Doug Wussler <0000029e57f9967b-dmarc-requ...@listserv.educause.edu> Sent: Monday, August 9, 2021 10:30 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You don't often get email from 0000029e57f9967b-dmarc-requ...@listserv.educause.edu. Learn why this is important<http://aka.ms/LearnAboutSenderIdentification> Tim - Didn't you write up an explanation for all these issues? You were going to be able to point to that page since these issues resurface so often. Doug ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> Sent: Monday, August 9, 2021 8:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root A public CA issues certificates for web server authentication (amongst others like code signing and S/MIME). An EAP server is not a web server and has a designated usage assigned (which public CAs will not issue). EAP also does not follow traditional PKIX validation models due to the way the protocol operates. Any public CA web server certificate used for EAP could be revoked for misuse at any time. Tim ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N <wne...@wm.edu> Sent: Monday, August 9, 2021 8:36:08 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You don't often get email from wne...@wm.edu. Learn why this is important<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__http%3A%2F%2Faka.ms%2FLearnAboutSenderIdentification__%3B!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawqpIJda0%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173292636%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=keJRtmc2KlEldjrgNyJBHH8oGIG2PO0uhgQ%2BHdAcdkA%3D&reserved=0> >> Technically, you're not even supposed to use the certificates issued from a >> public CA for EAP as it's a violation of multiple policies. I’m curious what those are. I thought it was fairly standard practice to use publicly-signed certificates on the server side, with privately-signed certificates on the clients. Thanks! Norman From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> Date: Monday, August 9, 2021 at 8:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root EAP server certs from a PKI you (or a partner like SecureW2) control are the best practice. Technically, you're not even supposed to use the certificates issued from a public CA for EAP as it's a violation of multiple policies. Tim ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N <wne...@wm.edu> Sent: Monday, August 9, 2021 8:18:37 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You don't often get email from wne...@wm.edu. Learn why this is important<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__http%3A%2F%2Faka.ms%2FLearnAboutSenderIdentification__%3B!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawqpIJda0%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173302592%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=UWcLijHqgDvoe6dbXsP1hPINtL1jyIP%2BQupYw%2FPoVK8%3D&reserved=0> To piggyback on Jonathan’s question … he mentions moving the server-side certificates to a private CA. Is this common? We’re using SecureW2 to configure an EAP-TLS deployment, so it should be trivial to configure the client to trust our private CA. We currently configure clients to trust server certificates coming from InCommon. I’ve had a long-simmering concern that if, for whatever reason, we can’t use InCommon one day … that means we have to reconfigure all our cliients. One solution, of course, is to trust multiple root public CAs. I suppose an alternative is to move to a private CA on the server-side. Thanks! Norman Norman Elton Director W&M IT Infrastructure wne...@wm.edu<mailto:wne...@wm.edu> / 757-221-7790 From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu> Date: Monday, August 9, 2021 at 8:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You should never use different EAP server certificates across a RADIUS cluster. Use the same cert across all nodes (in this case take the other cert with the longest expiry and upload it to all the nodes in the CPPM cluster) ________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jonathan Miller <jmill...@fandm.edu> Sent: Monday, August 9, 2021 7:32:19 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You don't often get email from jmill...@fandm.edu. Learn why this is important<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__http%3A%2F%2Faka.ms%2FLearnAboutSenderIdentification__%3B!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawqpIJda0%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173302592%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=UWcLijHqgDvoe6dbXsP1hPINtL1jyIP%2BQupYw%2FPoVK8%3D&reserved=0> We are currently using publicly signed certificates for our eduroam access on a cluster of 2 ClearPass servers. We are in a situation where one of our certs will be expiring in October of this year, while the other is good until June of next year. The certificate are issued through InCommon, and when I renewed our expiring certificate, I noticed that it is showing that is has a root of Sectigo, where it was previously Comodo. The certificate that is not expiring has a root CA of Comodo. This leads me to the following questions: 1. Is it advisable to run certificates with different Root CAs on different members of our ClearPass cluster? Would we expect to see client issues? 2. If it's not a problem to do this, can I simply add the Root CA for Sectigo to our eduroam CAT configuration, or is there only one Root CA allowed? Any other advice is appreciated. I understand that most institutions are moving to privately issued certificates in order to get control of these certificate chain issues, but we haven't quite gotten there yet. Our plan to properly onboard clients is to use an SSID with a captive portal to direct them to the eduroam CAT download. Thanks, Jonathan Miller Senior Network Analyst Franklin and Marshall College ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwww.educause.edu*2Fcommunity%26data%3D04*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C1e0bce8996aa4e032cca08d95b32469f*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637641093800072434*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DdJN2I1oktf6NGwheI5JYuwbAb7LSnSLp4gPzFc3i41g*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSU!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawPNkrLZY%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173312538%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Fq02I3Ekw6WPC9hXVJhrx2VZEFHMHrrAYCIEcZ9xmqM%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwww.educause.edu*2Fcommunity%26data%3D04*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C1e0bce8996aa4e032cca08d95b32469f*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637641093800072434*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DdJN2I1oktf6NGwheI5JYuwbAb7LSnSLp4gPzFc3i41g*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSU!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawPNkrLZY%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173312538%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Fq02I3Ekw6WPC9hXVJhrx2VZEFHMHrrAYCIEcZ9xmqM%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwww.educause.edu*2Fcommunity%26data%3D04*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C1e0bce8996aa4e032cca08d95b32469f*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637641093800082386*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DIe1HpOOuJrAN0RZpBu2C6fgA42lh7v6yLNHU1S*2FhAv8*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUl!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawLD2VGDk%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173322500%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=volsYqNpVgqCjxlegONc%2BwtNRqSNZuz%2B%2BNf4rezeQh4%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwww.educause.edu*2Fcommunity%26data%3D04*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C1e0bce8996aa4e032cca08d95b32469f*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637641093800082386*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DIe1HpOOuJrAN0RZpBu2C6fgA42lh7v6yLNHU1S*2FhAv8*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUl!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawLD2VGDk%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173322500%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=volsYqNpVgqCjxlegONc%2BwtNRqSNZuz%2B%2BNf4rezeQh4%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwww.educause.edu*2Fcommunity%26data%3D04*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C1e0bce8996aa4e032cca08d95b32469f*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637641093800092340*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DogA0FK28zN3ihiSfLY46QKru1mC5Hjhn67*2B2ixzUj8s*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUl!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTaw117NPys%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173332457%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=V%2F9iOVb0yoAFISSIRoxaX8vrgCXHClocfE61O9uFZbY%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.educause.edu%2Fcommunity__%3B!!PhOWcWs!noHRJ9yNg6gY_CYUmBa634tRxygv7eC6u8UIfKWwEztfKUZ8TF_IMixoYTawStVr2X0%24&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173332457%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=YzPJmwJYSOAdn5Ue5wtxgN1o%2BOQWVbYLnZQJJuQCZW4%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C468fff2bcd664807999208d95b4232fb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641162173342415%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=PgxAeAWbMz%2FLYTO%2B3t9FrV9sMQkhIdMhvFHSKEicDhE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community