Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Oh, whoops! I'm sorry, I should've mentioned this. We got the SANs because, due to the way our certs are issued, there is no additional cost. Then we use it for the web interface on the servers also. The eduroam.uah.edu value is used as you describe. Technically that's the only one you need. But

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
Resending without the signature. Sorry. That’s a RADIUS platform issue, not the protocol itself. Multiple SAN values are useless to a client. Wildcard is never recommended for RADIUS in any circumstance. You can get a domain validated certificate for $19.99 a year. From: The EDUCAUSE

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
That’s a RADIUS platform issue, not the protocol itself. Multiple SAN values are useless to a client. Wildcard is never recommended for RADIUS in any circumstance. You can get a domain validated certificate for $19.99 a year. From: The EDUCAUSE Wireless Issues Constituent Group

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
Tim, For Cisco ISE, it validates that the host name matches the CN or SAN. So you can't always do that. But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match. Sent from my iPhone > On Feb 3, 2017, at 2:45 PM, Cappalli, Tim

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Jake Snyder
There is a good blog by Aaron Woland on this. If memory serves, wildcard in CN isn't feasible, but windows clients will tolerate a wildcard in the SAN field.

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Mike Atkins
We lost that battle long ago… I think there was some best practice guide that won over our networking request. In the end the Identity group got to what we wanted with a bit more cost. The other one we lost was responding with a fail for invalid username instead of no response/timeout. L

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box. The SANs will never be referenced and will just add significant cost. From: The EDUCAUSE Wireless Issues Constituent Group

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert. On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote: > Our identity management group runs our Microsoft NPS servers and I recall > them

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Travis Schick
Or just install the same server cert for radius requests on all radius servers. This is being served via EAP - the client's supplicant can never automatically verify the host it is coming from anyway. On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins wrote: > Our identity

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Mike Atkins
Our identity management group runs our Microsoft NPS servers and I recall them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu, NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps your client from having to trust each NPS server. *From:*

Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Hunter Fuller
We fought this for a while. A wild card will never work for Windows clients as they require the common name to also be a service alt name. A wild card won't meet this. On Fri, Feb 3, 2017 at 14:32 Brian Helman wrote: > I’m setting up a RADIUS test server (Server 2012 R2

RE: wild card certs and PEAP

2017-02-03 Thread Rick DeCaro
We could never get a wildcard cert to work with our 2012 NPS. Some devices didn't even like the Go Daddy cert we tried to use. Ended up having to use a Thawte cert with the FQDN of the NPS server as the common name. Rick DeCaro (636)230-1911

wild card certs and PEAP

2017-02-03 Thread Brian Helman
I'm setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our configurations in place to join eduroam. Yes, I can get a temporary cert (or beg digicert for one, since I don't think they have an option), but we tried to use a wildcard cert that we usually use for testing of services.

Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Jeremy Mooney
I agree with the others saying this sounds like host authentication rather than user. That said, we decided to explicitly allow host authentication locally (whitelisted - we otherwise require a roaming-compatible outer identity format). It allows our computers to connect while users are logged

RE: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Friskney, Doyle
Faculty and students love Eduroam because of the point Kevin makes. They love the transparency of working on networks at other universities in the state and world wide. doyle Doyle Friskney Ed.D. University of Kentucky Information Technology Services 118 Hardymon Building Chief Technology

Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Davis, Kevin
Bruce — Something to think about, your distance students being on Eduroam would give them roaming access at colleges and universities near their hometown. Might be more valuable in a distance-heavy campus. -- Kevin Davis Deputy CIO & Director, Core Services Davidson College ITS (704) 894-2405

Call for Submissions: International Conference on Information Society (i-Society 2017) || July 17-19, 2017, Dublin, Ireland

2017-02-03 Thread David Brown, i-Society 2016
Apologies for cross-postings. Please send it to interested colleagues and students. Thanks! Call for Submissions! International Conference on Information Society (i-Society 2017). Technical Co-Sponsored by IEEE UK/RI

Re: [WIRELESS-LAN] Cisco AP 'flash' bug

2017-02-03 Thread Garret Peirce
Yes, we have re-flashed as well but we'd rather not use resources to keep going out to do so. We feel there may be a HW issue and are working w/Cisco EFA on further investigation. On Fri, Jan 20, 2017 at 1:07 PM, Joachim Tingvold wrote: > On 19 Jan 2017, at 21:46,

RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
Oops. I stand corrected. I did not pay close attention because it just works in our ClearPass environment. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Toivo Voll

RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
And most of our FTE are distance students that would likely never use EDUROAM. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Thursday, February