When the supplicant is properly configured, it is not dependent on an
individual leaf certificate and will not be impacted by the renewal of the EAP
server certificate.
tim
From: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Friday, February 7, 2020 at 1:42 PM
If you just close the Home app while the Home/Chromecast is attempting to
connect, it will connect successfully. Wait about 60 seconds before opening the
Home app again.
From: The EDUCAUSE Wireless Issues Community Group Listserv
Date: Saturday, December 14, 2019 at 12:11 PM
An EAP server certificate from a PKI in your control is always the recommended
path. A public CA-signed EAP server certificate should be a last resort.
tim
From: The EDUCAUSE Wireless Issues Community Group Listserv
on behalf of "McClintic, Thomas"
Reply-To: The EDUCAUSE Wireless Issues
Just a clarification. Android 10 generates a MAC address per ESSID for the
lifetime of the OS instance. It does not change daily.
From: The EDUCAUSE Wireless Issues Community Group Listserv
on behalf of Felix Windt
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv
PEAP is not standardized and was not designed to be used outside a Windows
AD-joined, GPO controlled environment.
I'm hoping Google's changes (very welcome IMO) and continued restrictions on
Apple platforms will steer people away from legacy, deprecated protocols/EAP
methods.
tim
nd equally secure to a supplicant utility, so we also support
that avenue for configuration. However, if you don't have a public-CA-signed
certificate, they display the words "Not Trusted" in red bold letters during
the certificate verification process.
On Tue, Jul 31, 2018 at 5:30 PM
Just curious, for those running a supplicant configuration utility, why are you
using a public CA-signed EAP server certificate?
On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Charles Rumford" wrote:
On 07/31/2018 04:18 PM, Michael Dickson
Feel free to unicast me any questions as well.
tim
TIM CAPPALLI | Aruba Security
On 6/4/18, 3:46 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Kenny, Eric" wrote:
Hi Patrick,
We are using the guest portal for self-registered and sponsored guest
Hector,
Something definitely seems amiss then. I’ll take a look at the case.
A maximum of 1 access license is consumed per MAC address, regardless of
multiple sessions or lack of accounting stop.
Thanks for the followup.
tim
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
learPass - not so clear anymore
Authentication might not stop, but what about access to the UI or the ability
to make config changes?
-H
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba
Security)
Sent: T
Hector,
During a roam event where a new session is created, a stop should also be
generated by the NAD, so this should be a non-issue.
Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as
long as you have at least 100 access licenses installed, TACACS+ usage is
Kind of makes sense though doesn’t it? Why would you want to allow a device
unique private key to be used without requiring a device unlock?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of "Turner, Ryan H"
For the Aruba AP-303H, there is now a bracket that allows for two keystone
pass-through connectors on the bottom.
AP-303H-MNTW (JY688A)
On 1/23/18, 4:12 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Richard Nedwich"
Just curious. Why aren't you using the same EAP server certificate across all
of your RADIUS servers?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Linchuan Yang
Reply-To: The EDUCAUSE Wireless
What are you using for a AAA solution? ClearPass fully supports per-device PSK
with Cisco WLCs with full self-registration.
tim
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Jason Cook
William – Very interested in this:
>> The wireless “eduroam” service is not available at the university, or for
>> university members at other institutions. Current interpretation of the laws
>> and policies surrounding use of state resources is that eduroam use is
>> prohibited on university
ClearPass will auto-generate an internal WebAuth request by default after a
device registration.
Create a service to accept this request and issue a disconnect message to the
controller to force a reauthentication.
See these screenshots for the service config, it’s very basic. You only need
Aruba ClearPass Onboard also fully supports Android Oreo.
On 8/22/17, 6:16 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Richard Nedwich" wrote:
Hi Bruce,
Yes, our Wizard
E Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba
Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment
I’m curious about “…certs may give a false sense of security and identity”. Can
you elaborate on that?
Tim
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Thomas Carter
Reply-To: The EDUCAUSE Wireless
It really depends on how the supplicant is configured. If a configuration tool
was used, it may have locked the supplicant to a specific cert and disallowed
the user to approve exceptions.
On 7/4/17, 11:34 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Julian Y
Can you elaborate on this comment?
“whereas with eduroam we were kind of locked-in to the PEAP model.”
Eduroam is EAP agnostic.
On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Curtis K. Larsen"
Ben,
You can put a user into a restricted headless “provisioning” role temporarily
which would allow them to connect to your headless network and configure the
device. We can write policy to check the device registration database to ensure
that they actually have a registered headless device
Jason – Are the tablets managed by an MDM/EMM?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of "Osborne, Bruce W (Network
Operations)"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Also keep in mind that the registration feature isn’t just for AirGroup. Many
of our enterprise and edu customers leverage it as headless device self-service
registration for wired and wireless (Chromecasts, AppleTV, printers, game
consoles, etc). Users can register and manage all of their
As of 10.12.3, it does not seem to be prompting users to store the certificate
anymore. Still trying to track down what changed.
On 3/28/17, 3:27 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Julian Y Koh"
Lee, so I assume you’re not supporting mDNS and DLNA based services?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of "Bucklaew, Jerry"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
One trick with configuring clients: You can configure the client with common
name validation and then validate the root CA. When you have to renew the
certificate, users *shouldn’t* receive any messages because the validation
information in the supplicant remains the same.
The ideal solution
Couple of things
- Wildcard and EV certificates should never be used for RADIUS
- Keep in mind that EAP server certificate trust is different than system
  level certificate trust.
  o Even with a public certificate, you will still receive a certificate
    prompt on initial
An interesting workflow for captive portal is to use locally significant IP
space on your controllers for pre-authentication states, then leverage a
server initiated workflow that disconnects the user after successful
authentication and they reconnect into their final VLAN/IP space/role.
Have you considered using eduroam as your primary 802.1X SSID?
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Tuesday, February 21, 2017 15:43
Yes, you can easily support local machine authentications on eduroam by
configuring service rules that check for BEGINS_WITH host\ and ENDS_WITH
.domain.edu. I deployed this at a university in a previous life. Worked well.
Even if there was some way to support machine authentication at
certificate for several years on multiple servers without any SANs.
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Cappalli, Tim (Aruba) [mailto:t...@hpe
matches the CN or SAN. So you
can't always do that.
But you could do something like *.radius.univ.edu as a SAN and call them
radius01.radius.univ.edu which would match.
Sent from my iPhone
On Feb 3, 2017, at 2:45 PM, C
For an EAP server certificate, you do not need SANs for every server. You can
do something generic like “network-login.domain.edu” and put that cert on every
box.
The SANs will never be referenced and will just add significant cost.
From: The EDUCAUSE Wireless Issues Constituent Group
Sounds like the client is configured for computer authentication, not user. You
can change this in the supplicant configuration.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Wednesday, February 1,
You could return a different session-timeout value based on policy in your AAA
server.
Device Category: Game Console
Device OS Family: Microsoft
Session-Timeout: X
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf
Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba)
Sent: Wednesday, November 30, 2016 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
On Behalf Of Cappalli, Tim (Aruba)
Sent: Wednesday, November 30, 2016 8:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] support of L2 peering devices?
Tim,
Chromecast will work with the AirGroup service Googlecast enabled and with
drop broadcast/multicast enabled on the VAP.
This can work in large subnets or multiple smaller subnets.
Tim
Aruba ClearPass Team
From: The EDUCAUSE Wireless Issues Constituent Group Listserv