I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Doug Wussler 
<0000029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim


________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N 
<wne...@wm.edu>
Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim





________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N 
<wne...@wm.edu>
Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W&M IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case, take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster).





________________________________

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jonathan Miller 
<jmill...@fandm.edu>
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?



Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.



Thanks,

Jonathan Miller

Senior Network Analyst

Franklin and Marshall College
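The situation in Jonathan's question, as an added example that is not part of the thread: it mints two constructed roots standing in for the old and new public roots, issues one EAP server certificate from each (as the two cluster nodes would present), and checks which node a client accepts when its profile trusts only the old root versus both roots. The root names and radius.example.edu are placeholders, and the check models chain trust only, not any particular supplicant's full validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a constructed test certificate; with parent == nil it becomes a self-signed root.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { // self-signed root: the template signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientTrusts: can a supplicant that trusts exactly roots build a server-auth chain for server? (Chain trust only.)
func ClientTrusts(roots []*x509.Certificate, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool}) // empty KeyUsages means serverAuth
	return err == nil
}

// MixedRootOutcome models the thread (node A's cert chains to the old root, node B's to the new one)
// and returns what the client sees: {old root only: A, B; both roots trusted: A, B}.
func MixedRootOutcome() [4]bool {
	oldRoot, oldKey := issue("Constructed Old Root", nil, nil)
	newRoot, newKey := issue("Constructed New Root", nil, nil)
	nodeA, _ := issue("radius.example.edu", oldRoot, oldKey) // placeholder server name
	nodeB, _ := issue("radius.example.edu", newRoot, newKey)
	old, both := []*x509.Certificate{oldRoot}, []*x509.Certificate{oldRoot, newRoot}
	return [4]bool{ClientTrusts(old, nodeA), ClientTrusts(old, nodeB), ClientTrusts(both, nodeA), ClientTrusts(both, nodeB)}
}

func main() { fmt.Printf("%v\n", MixedRootOutcome()) } // prints [true false true true]
```

A client holding only the old root fails exactly on the node that got the new chain, which is why the same certificate on every node, or both roots in the profile, is the fix.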

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
