RE: Ekahau Update

2021-08-09 Thread Jason Cook
Excellent work. Thanks Everyone

--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Ian Lyons
Sent: Tuesday, 10 August 2021 3:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Ekahau Update

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



RE: Ekahau Update

2021-08-09 Thread Rios, Hector J
Ian,

Thank you for putting this together. Let's hope Ekahau is truly receptive and 
they are able to come with alternatives that benefit all of us.

Hector Rios
UT Austin

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Ian Lyons
Sent: Monday, August 9, 2021 12:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Ekahau Update



Ekahau Update

2021-08-09 Thread Ian Lyons
Good Day Everyone!

Eric and I were happy to host a meeting with many of you about Ekahau last 
Friday.

We had a peak of 28 folks and an average of 18!  Thank you for coming!

The meeting started with introductions and that lasted about the first 20 min 
or so.
Steve (VP Global Sales) and Stewart (SE North America) were Ekahau 
representatives. Both started ~2 years ago.

Then we segued into how people used the product:
Sidekick, AP on a stick, Design, Analysis, Engineering, and proof of 
engineering were the common threads.

Steve opened the introductions and brought up a point that the Ekahau EULA was 
always 1:1. Members that have been using the product for 8+ years have evidence 
that it was initially concurrent users vs 1:1.  Further, the "teeth" that made 
sharing the gear difficult became active in version 10.3.

Many schools, large and small, with disparate sized teams as well as healthcare 
indicated that there isn’t a one-size-fits-all.

Pros and Cons:
Some folks have deep pockets and will fund other active users.  Others stated 
that the device is used periodically and could be used by interns for site 
surveys up to proof of design and engineering validation by FTEs.
Use of a physical hardware license key was discussed:  On the one hand it makes 
it easier to tie the license to something, but that has the impact of requiring 
people to come into contact to hand it off.
The spirit of the device was a sporadically used tool but only 1 person at a 
time.

Some suggestions by the group and Ekahau were a tiered approach of access.

Where we left things is that Stephen (SVP of Sales) will work with his 
management to determine an alternate EULA/connection model that will better fit 
our needs (those on the call).  We agreed to another meeting, ideally in 8 
weeks’ time to review Stephen's work on our behalf.

Steve was adamant that any problems by the group accessing a tool because of 
lock out/access please send an email to him (email info below) and he will help 
get you access to the tool again.

steve.lit...@ekahau.com
stewart.goum...@ekahau.com

Link to the Meeting
Webex meeting recording: Ekahau and Educause WIFI Group
Password: EducauseWifi
Recording link: 
https://rollins.webex.com/rollins/ldr.php?RCID=12596eece193961c0a7e8c4c5e51a99e

*Any mistakes in the summarization are mine, on how the product works or ties 
together.  I do not have the product, so my knowledge gaps were a result of 
unfamiliarity of the product and a poor google search to educate myself.

Cheers
Ian J Lyons
Network Architect - Rollins College
401.413.1661 Cell
407.628.6396 Desk





RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
CAs have done nothing in fifteen plus years, so from a risk management 
perspective, the chance of them changing course now is rather low. As to future 
RFCs, even if that happened tomorrow, it could be a decade or more before there 
was broad support, and more importantly, we could think about enforcement.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, August 09, 2021 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
CA policies really have nothing to do with implementations of other protocols. 
There have been many discussions about this on this list and others, and a 
future RFC will likely include further clarity. However, as I've said in the 
past, RFCs do not dictate CA/B policies.

If we're going to continue this discussion, we should fork a new thread as it 
has nothing to do with the original question.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jeffrey D. Sessler 

Sent: Monday, August 9, 2021 10:53
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root



Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
Per the RFC, the certificate-using application _MAY_ require the EAP extended 
key usage extension to be present. It is not a must or shall, so I’m not 
exactly sure the problem here. Vendors have chosen against requirement.

The certificate-using application appears to be satisfied by the server 
authentication EKU, which is appropriate, and I don’t see why the public CA 
would consider it a misuse and invalidate it.

As others have indicated, this is the de facto, and right or wrong, it’s not 
going to change and not worth getting stirred up about.

jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 7:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Well, here is Microsoft's take on it...

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
I started working on something but decided it is not something I really have 
the cycles to maintain over time. (And I've found over the years that most 
people don't follow best practices anyway.)

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Doug Wussler 
<029e57f9967b-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 10:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Doug Wussler
Tim -

Didn't you write up an explanation for all these issues?  You were going to be 
able to point to that page since these issues resurface so often.

Doug


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, August 9, 2021 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.

I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.

Thanks!

Norman

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.

Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root



To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.

We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.

Thanks!

Norman

Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jonathan Miller
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
This is largely a workaround/hack due to the continued deployment of EAP server 
certificates issued from public CAs in the wild.

Issuing certificates from your own PKI with the web server auth EKU is 
perfectly acceptable and should also include the EAP EKU.

Unfortunately there can't really be a flag day for something like this due to 
industry fragmentation.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jeffrey D. Sessler
Sent: Monday, August 9, 2021 10:24
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

I’m curious about this and would like to know more. Many operating systems 
require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a 
requirement for EAP. Last I looked, public CAs include this when minting a 
so-called web server cert.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 5:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Elton, Norman N
Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.

I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.

Thanks!

Norman

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
No current operating systems enforce EAP EKU at the moment. If it were suddenly 
enforced, the majority of EAP networks would break. Whether right or wrong 
(it's wrong), that is just how the majority of networks are currently deployed.

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Price, Jamie G
Anyone have a book or reading recommendations on this topic?

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Jonathan Miller <jmill...@fandm.edu>
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.

This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?

Any other advice is appreciated.  I understand that most institutions are 
moving to 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jeffrey D. Sessler
I’m curious about this and would like to know more. Many operating systems 
require the Server Auth (1.3.6.1.5.5.7.3.1) EKU, and MS calls this out as a 
requirement for EAP. Last I looked, public CAs include this when minting a 
so-called web server cert.

Jeff


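Jeff's question about the Server Auth EKU, Tim's reply that a private PKI can add the EAP EKU next to it, and Max's note that no supplicant enforces the EAP EKU today all come down to which KeyPurposeId OIDs the server certificate carries. The following is an added example, not code from the list or from any vendor: it decodes an EKU extension value using only the Python standard library and reports which of the two EKUs is present, assuming the DER bytes of the extension have already been pulled out of the certificate; the sample extension bytes are constructed, not taken from a real certificate.

```python
"""EKU check for an EAP server certificate (added example, not code from the thread).

Decodes a DER ExtKeyUsageSyntax value with the standard library only and reports
whether it carries id-kp-serverAuth (the EKU public CAs issue and supplicants
require) and id-kp-eapOverLAN (RFC 4334, the EAP EKU a private PKI can add).
The sample extension bytes are constructed here, not taken from a real certificate.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN (RFC 4334)
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the octet count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end

def decode_oid(value: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = value[0]
    arc1 = 2 if first >= 80 else first // 40
    arcs, acc = [arc1, first - 40 * arc1], 0
    for b in value[1:]:  # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return b"\x06" + _der_len(len(body)) + bytes(body)

def encode_eku(oids) -> bytes:
    """Build an ExtKeyUsageSyntax value (SEQUENCE OF KeyPurposeId)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body

def parse_eku(der: bytes) -> list:
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU extension must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty (RFC 5280)")
    return oids

def assess_eap_server_eku(oids) -> dict:
    """Say which of the two EKUs the thread discusses are present."""
    wildcard = ANY_EKU in oids
    server_auth = wildcard or SERVER_AUTH in oids
    eap_lan = wildcard or EAP_OVER_LAN in oids
    return {"server_auth": server_auth, "eap_over_lan": eap_lan,
            "fit_for_eap": server_auth and eap_lan}

# Constructed samples: public-CA "web server" profile vs. private-PKI EAP profile.
PUBLIC_WEB_CERT_EKU = encode_eku([SERVER_AUTH, CLIENT_AUTH])
PRIVATE_EAP_CERT_EKU = encode_eku([SERVER_AUTH, EAP_OVER_LAN])
```
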
RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
That’s the stuff.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
I didn’t say how long. 399 days is long in today’s terms.

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Lee H Badman
“The validity period is very long.”

Now you did it, Thomas. You realize you’re about to get scolded…. ☺

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread McClintic, Thomas
We use an internal CA signed server certificate without issue for EAP-TLS. We 
are currently using ClearPass Onboard & moving to SecureW2.

We previously used InCommon for server CA and are much happier with using a 
private CA for the server certificate. The validity period is very long.

I would not use different server certificates; I imagine clients receive 
certificate warnings which you would not want them to be comfortable bypassing.

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Julian Y Koh


On Aug 9, 2021, at 07:56, Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:

> Let's not go down this rabbit hole again.


I thought there was a picture of a rabbit and a hole in the dictionary next to 
“mailing list” and “USENET”.   :)

Or is that just in reference to NANOG and IPv6?  :) :) :)


--
Julian Y. Koh
Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 


RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Turpin, Max
Back to the original question. If you are talking about the EAP certificates, I 
would caution against using an EAP certificate with two separate roots. You are 
asking for trouble. At the very best, your clients will get certificate errors 
and warnings. At worst, you will have clients that will flat out refuse to 
connect. Your best option is to renew your certificate and apply it for all 
RADIUS servers in your environment.

I'm not familiar with the CAT tool, but I can imagine they would only allow one 
root CA. Additionally, if your clearpass servers are clustered, they will not 
allow you to apply more than one EAP certificate.

Client certs should be signed using an internal intermediate cert signed by an 
organizationally controlled root CA, but that is completely different than your 
EAP certificate.

Max

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, August 9, 2021 8:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New 
Root

Let's not go down this rabbit hole again.

I was directly answering the question. If you choose to use certificates that 
violate CA policies and risk revocation, and ask users to configure their own 
supplicants, putting their credentials at high risk, that is your decision.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha 
<jandrewar...@ccgs.wa.edu.au>
Sent: Monday, August 9, 2021 8:52:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Which is great and I agree with but Android went and made it really hard to 
onboard a private CA and so now people are going back to public certs for EAP 
to lower their support burden.



Sent from my Galaxy



 Original message 
From: Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 9/8/21 20:42 (GMT+08:00)
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N 
<wne...@wm.edu>
Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I'm curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N 
<wne...@wm.edu>
Sent: Monday, August 9, 2021 8:18:37 AM
To: 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
Let's not go down this rabbit hole again.

I was directly answering the question. If you choose to use certificates that 
violate CA policies and risk revocation, and ask users to configure their own 
supplicants, putting their credentials at high risk, that is your decision.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of James Andrewartha 

Sent: Monday, August 9, 2021 8:52:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

Which is great and I agree with but Android went and made it really hard to 
onboard a private CA and so now people are going back to public certs for EAP 
to lower their support burden.



Sent from my Galaxy



 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 9/8/21 20:42 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our 

RE: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread James Andrewartha
Which is great and I agree with but Android went and made it really hard to 
onboard a private CA and so now people are going back to public certs for EAP 
to lower their support burden.



Sent from my Galaxy



 Original message 
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 9/8/21 20:42 (GMT+08:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root






To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root






We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
A public CA issues certificates for web server authentication (amongst others 
like code signing and S/MIME).

An EAP server is not a web server and has a designated usage assigned (which 
public CAs will not issue). EAP also does not follow traditional PKIX 
validation models due to the way the protocol operates.

Any public CA web server certificate used for EAP could be revoked for misuse 
at any time.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:36:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.



I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.



Thanks!



Norman



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.



Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.



Tim







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?



Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT 

Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
>> Technically, you're not even supposed to use the certificates issued from a 
>> public CA for EAP as it's a violation of multiple policies.

I’m curious what those are. I thought it was fairly standard practice to use 
publicly-signed certificates on the server side, with privately-signed 
certificates on the clients.

Thanks!

Norman

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root
EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.

Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?



Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.



Thanks,

Jonathan Miller

Senior Network Analyst

Franklin and Marshall College


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
EAP server certs from a PKI you (or a partner like SecureW2) control are the 
best practice.

Technically, you're not even supposed to use the certificates issued from a 
public CA for EAP as it's a violation of multiple policies.

Tim



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Elton, Norman N 

Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root


To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.



We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.



Thanks!



Norman





Norman Elton

Director

W IT Infrastructure

wne...@wm.edu / 757-221-7790







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)







From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root




We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.



We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.



The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.



This leads me to the following questions:

1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?

2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?



Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.



Thanks,

Jonathan Miller

Senior Network Analyst

Franklin and Marshall College


Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Elton, Norman N
To piggyback on Jonathan’s question … he mentions moving the server-side 
certificates to a private CA. Is this common? We’re using SecureW2 to configure 
an EAP-TLS deployment, so it should be trivial to configure the client to trust 
our private CA.

We currently configure clients to trust server certificates coming from 
InCommon. I’ve had a long-simmering concern that if, for whatever reason, we 
can’t use InCommon one day … that means we have to reconfigure all our 
clients. One solution, of course, is to trust multiple root public CAs. I 
suppose an alternative is to move to a private CA on the server-side.

Thanks!

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root
You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.

This leads me to the following questions:
1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?
2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?

Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College



Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Tim Cappalli
You should never use different EAP server certificates across a RADIUS cluster. 
Use the same cert across all nodes (in this case take the other cert with the 
longest expiry and upload it to all the nodes in the CPPM cluster)



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Jonathan Miller 

Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

We are currently using publicly signed certificates for our eduroam access on a 
cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of 
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our expiring 
certificate, I noticed that it is showing that it has a root of Sectigo, where 
it was previously Comodo.  The certificate that is not expiring has a root CA 
of Comodo.

This leads me to the following questions:
1.  Is it advisable to run certificates with different Root CAs on different 
members of our ClearPass cluster?  Would we expect to see client issues?
2.  If it's not a problem to do this, can I simply add the Root CA for Sectigo 
to our eduroam CAT configuration, or is there only one Root CA allowed?

Any other advice is appreciated.  I understand that most institutions are 
moving to privately issued certificates in order to get control of these 
certificate chain issues, but we haven't quite gotten there yet.  Our plan to 
properly onboard clients is to use an SSID with a captive portal to direct them 
to the eduroam CAT download.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College

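The check implied by the reply above, as an added example that is not from the thread, from ClearPass or from eduroam CAT: given what each cluster node presents (leaf fingerprint, the root its chain ends at, expiry) and the roots the CAT profile trusts, flag nodes that answer with different certificates or with a chain the profile does not trust, and pick the longest-lived trusted certificate to deploy everywhere. Node names, fingerprints and the renewed certificate's expiry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class NodeCert:
    node: str
    fingerprint: str   # SHA-256 of the leaf cert, e.g. from: openssl x509 -noout -fingerprint -sha256
    root_ca: str       # root CA the presented chain terminates at
    not_after: date    # leaf certificate expiry


def audit_cluster(nodes, cat_trusted_roots):
    """Return (findings, recommended).
    findings: problems found; empty when every node presents the same cert and
              every chain ends at a root the eduroam CAT profile trusts.
    recommended: the cert to deploy to every node, i.e. the longest-lived one
              whose root the CAT profile already trusts (None if there is none).
    """
    findings = []
    nodes_by_fp = {}
    for n in nodes:
        nodes_by_fp.setdefault(n.fingerprint, []).append(n.node)
    if len(nodes_by_fp) > 1:
        # A CAT-configured supplicant validates whatever node answers it, so a
        # cluster whose nodes present different certs behaves differently per node.
        findings.append("nodes present different EAP server certificates: "
                        + "; ".join(f"{fp[:12]}... on {names}" for fp, names in nodes_by_fp.items()))
    for n in nodes:
        if n.root_ca not in cat_trusted_roots:
            findings.append(f"{n.node}: chain root {n.root_ca!r} is not in the CAT profile, "
                            "so CAT-configured supplicants will reject this node")
    usable = [n for n in nodes if n.root_ca in cat_trusted_roots]
    recommended = max(usable, key=lambda n: n.not_after, default=None)
    return findings, recommended


# Constructed sample mirroring the thread: the renewed cert now chains to Sectigo,
# the older one to Comodo, and the CAT profile only knows Comodo.  Fingerprints
# and the renewed cert's expiry are placeholders, not real values.
CLUSTER = [
    NodeCert("cppm-1", "aa" * 32, "Sectigo", date(2022, 10, 31)),
    NodeCert("cppm-2", "bb" * 32, "Comodo", date(2022, 6, 30)),
]
CAT_TRUSTED_ROOTS = {"Comodo"}

if __name__ == "__main__":
    for roots in (CAT_TRUSTED_ROOTS, {"Comodo", "Sectigo"}):
        findings, rec = audit_cluster(CLUSTER, roots)
        print(f"CAT trusts {sorted(roots)}: {findings or 'OK'}; "
              f"deploy {rec.node if rec else 'nothing'} everywhere")
```

With only Comodo in the profile the audit recommends the Comodo cert on cppm-2; once Sectigo is added to the profile as well, the longer-lived renewed cert wins and only the cross-node mismatch remains to fix.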


eduroam CAT Config/Cert Renewal with New Root

2021-08-09 Thread Jonathan Miller
We are currently using publicly signed certificates for our eduroam access
on a cluster of 2 ClearPass servers.

We are in a situation where one of our certs will be expiring in October of
this year, while the other is good until June of next year.

The certificates are issued through InCommon, and when I renewed our
expiring certificate, I noticed that it is showing that it has a root of
Sectigo, where it was previously Comodo.  The certificate that is not
expiring has a root CA of Comodo.

This leads me to the following questions:
1.  Is it advisable to run certificates with different Root CAs on
different members of our ClearPass cluster?  Would we expect to see client
issues?
2.  If it's not a problem to do this, can I simply add the Root CA for
Sectigo to our eduroam CAT configuration, or is there only one Root CA
allowed?

Any other advice is appreciated.  I understand that most institutions are
moving to privately issued certificates in order to get control of these
certificate chain issues, but we haven't quite gotten there yet.  Our plan
to properly onboard clients is to use an SSID with a captive portal to
direct them to the eduroam CAT download.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College
