Oh, whoops! I'm sorry, I should've mentioned this. We got the SANs because,
due to the way our certs are issued, there is no additional cost. Then we
use it for the web interface on the servers also.
The eduroam.uah.edu value is used as you describe. Technically that's the
only one you need. But
Resending without the signature. Sorry.
That’s a RADIUS platform issue, not the protocol itself. Multiple SAN values
are useless to a client.
Wildcard is never recommended for RADIUS in any circumstance. You can get a
domain validated certificate for $19.99 a year.
From: The EDUCAUSE Wireless Issues Constituent Group
Tim,
For Cisco ISE, it validates that the host name matches the CN or SAN. So you
can't always do that.
But you could do something like *.radius.univ.edu as a SAN and call them
radius01.radius.univ.edu which would match.
> On Feb 3, 2017, at 2:45 PM, Cappalli, Tim
There is a good blog by Aaron Woland on this. If memory serves, wildcard in CN
isn't feasible, but Windows clients will tolerate a wildcard in the SAN field.
We lost that battle long ago… I think there was some best practice
guide that won over our networking request. In the end the Identity group
got to what we wanted with a bit more cost. The other one we lost was
responding with a fail for invalid username instead of no
response/timeout.
L
For an EAP server certificate, you do not need SANs for every server. You can
do something generic like “network-login.domain.edu” and put that cert on every
box.
The SANs will never be referenced and will just add significant cost.
From: The EDUCAUSE Wireless Issues Constituent Group
Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:
> Our identity management group runs our Microsoft NPS servers and I recall
> them
Or just install the same server cert for radius requests on all radius
servers. This is being served via EAP - the client's supplicant can
never automatically verify the host it is coming from anyway
On Fri, Feb 3, 2017 at 1:19 PM Mike Atkins wrote:
> Our identity
Our identity management group runs our Microsoft NPS servers and I recall
them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu,
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This
keeps your client from having to trust each NPS server.
From:
We fought this for a while. A wild card will never work for Windows clients
as they require the common name to also be a service alt name. A wild card
won't meet this.
On Fri, Feb 3, 2017 at 14:32 Brian Helman wrote:
> I’m setting up a RADIUS test server (Server 2012 R2
We could never get a wildcard cert to work with our 2012 NPS. Some devices
didn't even like the Go Daddy cert we tried to use. Ended up having to use a
Thawte cert with the FQDN of the NPS server as the common name.
Rick DeCaro
(636)230-1911
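Several replies above describe the same check from different angles: a platform such as Cisco ISE compares the configured server name against the certificate's CN or SAN, a wildcard such as *.radius.univ.edu in the SAN list matches radius01.radius.univ.edu, and one poster reports that Windows clients want the CN repeated as a SAN entry. The following is an added example of that matching logic, not code from any poster or from Cisco, Microsoft or eduroam. It works on hypothetical dict-shaped certificates built from the names quoted in the thread rather than parsing real X.509, and it deliberately honours a wildcard only in the SAN list, never in the CN, to mirror the behaviour the thread reports.

```python
"""Added example: server-name vs. EAP server certificate matching as the
thread describes it. Certificates are constructed dicts (hypothetical),
not parsed X.509; the server names are the ones quoted in the thread."""

from typing import Dict, List, Tuple


def _norm(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is not significant.
    return name.strip().lower().rstrip(".")


def san_matches(san_entry: str, host: str) -> bool:
    """One SAN dNSName against one hostname.
    '*.radius.univ.edu' matches 'radius01.radius.univ.edu' but not
    'a.b.radius.univ.edu' (a wildcard covers exactly one label) and not
    'radius.univ.edu' (the wildcard label must actually be present)."""
    pat, host = _norm(san_entry), _norm(host)
    if pat == host:
        return True
    # Only a whole leftmost label may be a wildcard; '*' elsewhere is refused.
    if not pat.startswith("*.") or "*" in pat[1:]:
        return False
    p_labels, h_labels = pat.split("."), host.split(".")
    # Refuse wildcards that would cover an entire top-level domain ('*.edu').
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_server_name(cert: dict, server_name: str) -> Tuple[bool, str]:
    """Return (matched, reason). SAN entries are consulted first; the CN is
    only a fallback, and a wildcard CN is not honoured, mirroring what the
    thread reports for Windows supplicants."""
    for entry in cert.get("san", []):
        if san_matches(entry, server_name):
            return True, f"SAN {entry}"
    cn = _norm(str(cert.get("cn", "")))
    if cn and "*" not in cn and cn == _norm(server_name):
        return True, f"CN {cn}"
    return False, "no CN or SAN dNSName matches"


def cn_listed_in_san(cert: dict) -> bool:
    """Flag certificates whose CN is not repeated in the SAN list, the
    condition one poster reports Windows clients insisting on."""
    cn = _norm(str(cert.get("cn", "")))
    return any(_norm(e) == cn for e in cert.get("san", []))


def audit(cert: dict, server_names: List[str]) -> Dict[str, str]:
    """Check every server name a supplicant might be configured with against
    one shared certificate, as the 'same cert on every box' deployments do."""
    return {name: match_server_name(cert, name)[1] for name in server_names}


# Constructed certificates modelled on the ones described in the thread.
EDUROAM_CERT = {"cn": "eduroam.uah.edu",
                "san": ["eduroam.uah.edu", "acs01.uah.edu", "acs02.uah.edu"]}
WILDCARD_SAN_CERT = {"cn": "radius.univ.edu", "san": ["*.radius.univ.edu"]}
WILDCARD_CN_CERT = {"cn": "*.nd.edu", "san": []}   # wildcard only in the CN

if __name__ == "__main__":
    names = ["eduroam.uah.edu", "acs02.uah.edu", "acs03.uah.edu"]
    for name, reason in audit(EDUROAM_CERT, names).items():
        print(f"{name:24s} -> {reason}")
    print(match_server_name(WILDCARD_SAN_CERT, "radius01.radius.univ.edu"))
    print(match_server_name(WILDCARD_CN_CERT, "nps1.nd.edu"))
    print("CN repeated in SAN:", cn_listed_in_san(EDUROAM_CERT),
          cn_listed_in_san(WILDCARD_SAN_CERT))
```

Run it once per certificate you intend to push to every RADIUS server, feeding `audit` the list of server names your supplicant profiles are configured with; any entry that comes back with "no CN or SAN dNSName matches" is a name that clients will refuse to trust, which is exactly the failure the wildcard-in-CN attempts in the thread ran into.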
I'm setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
configurations in place to join eduroam. Yes, I can get a temporary cert (or
beg digicert for one, since I don't think they have an option), but we tried to
use a wildcard cert that we usually use for testing of services.
I agree with the others saying this sounds like host authentication rather
than user.
That said, we decided to explicitly allow host authentication locally
(whitelisted - we otherwise require a roaming-compatible outer identity
format). It allows our computers to connect while users are logged
Faculty and students love Eduroam because of the point Kevin makes. They love
the transparency of working on networks at other universities in the state and
worldwide.
doyle
Doyle Friskney Ed.D.
University of Kentucky
Information Technology Services
118 Hardymon Building
Chief Technology
Bruce — Something to think about, your distance students being on Eduroam would
give them roaming access at colleges and universities near their hometown.
Might be more valuable in a distance-heavy campus.
--
Kevin Davis
Deputy CIO & Director, Core Services
Davidson College ITS
(704) 894-2405
Apologies for cross-postings. Please send it to interested colleagues and students. Thanks! Call for Submissions! International Conference on Information Society (i-Society 2017), Technical Co-Sponsored by IEEE UK/RI
Yes, we have re-flashed as well but we'd rather not use resources to keep
going out to do so.
We feel there may be a HW issue and are working w/Cisco EFA on further
investigation.
On Fri, Jan 20, 2017 at 1:07 PM, Joachim Tingvold
wrote:
> On 19 Jan 2017, at 21:46,
Oops.
I stand corrected. I did not pay close attention because it just works in our
ClearPass environment.
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Toivo Voll
And most of our FTE are distance students that would likely never use EDUROAM.
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, February