Jason,

If you are terminating EAP on the Aruba controller, I believe you are correct. 
If you terminate EAP on the RADIUS server, you can use 2048 bit certs with the 
Aruba controller. That's what we are currently doing with 3.4.x.

For a Microsoft NPS server with a Microsoft CA, you need to use the RAS and IAS 
Server Template on the CA for the PEAP certificate.  We have our own CA that is 
trusted by OmniRoot to issue certificates for our domain. See 
http://www.verizonbusiness.com/Products/security/identity/omniroot/ for more 
information.

In my experience, the Domain Controllers template works too. We have configured 
our NPS servers as Read-only Domain Controllers to ease the DC load of RADIUS. 
Each NPS Server is in its own AD site so AD clients do not use them as domain 
controllers.


Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Jason Healy [mailto:jhe...@logn.net] 
Sent: Wednesday, October 19, 2011 9:28 PM
Subject: Re: Certs for EAP-PEAP

On Oct 19, 2011, at 3:20 PM, John York wrote:

> If that's true, I've been adding extra complexity to my work for years.  I 
> guess "any valid cert" would also have to come from a CA the user's computer 
> accepts.  Comments?

This year we changed our EAP cert from a "real" cert (GeoTrust) to a 
self-signed dot1x cert with a "friendly" CN (instead of a DNS-like one).  We 
had to break away from our old method because our cert provider only did 
2048-bit certs, and after we got one issued we found out that our old (5.x) 
Aruba gear only deals with 1024-bits.  Whoops.

We're an all-mac shop, and there's been no change in the rest of the process 
for us.  OS X requires that the cert be manually trusted for EAP (even if it's 
signed by a trusted root authority), so it's really no extra work to have a 
self-signed dot1x cert (we have a script that adds and trusts the cert that our 
users run).

We also baked the "special sauce" windows OIDs into our cert and have gotten 
Windows 7 to trust it, though we've only set this up manually (I've tested it 
on exactly two clients, as that's how many windows boxes we have around here).  
We don't have AD, so I'm not sure how cert trust is supposed to work with MS 
infrastructure.  Given the number of windows clients we have, this is fine for 
now.

From what I understand, XpressConnect makes all of this much easier, but 
unfortunately I don't have the $$$ for that right now...

Jason

--
Jason Healy    |    jhe...@logn.net    |   http://www.logn.net/
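An added example, not code from the thread or from either poster: a small POSIX shell script (using the openssl CLI, assumed installed) that checks a PEAP server certificate for the two properties this thread turns on. The key-size ceiling is a parameter; 1024 is used below because Jason reports that his 5.x Aruba gear only handles 1024-bit keys while his CA would only issue 2048-bit certificates. The Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is the extension Windows supplicants require on a PEAP server certificate, which is what the "special sauce" Windows OIDs refer to. The function names are mine, and the self-signed certificate the script builds is a constructed test artifact, not a campus certificate.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PEAP server certificate
# against the two constraints the discussion raises. Requires the openssl CLI.
#   1. RSA key size versus what the controller supports (older Aruba code
#      only handled 1024-bit keys; public CAs were already issuing 2048-bit).
#   2. The Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) that Windows
#      supplicants require on the EAP server certificate.

# Print the RSA modulus size in bits of the PEM certificate in $1.
# Matches both "RSA Public-Key: (2048 bit)" (1.1.x) and "Public-Key: (2048 bit)" (3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Print "yes" if the certificate in $1 carries the serverAuth EKU, else "no".
cert_has_server_auth() {
    if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" if a key of $1 bits is within the $2-bit ceiling a controller supports.
key_fits_controller() {
    if [ "$1" -le "$2" ]; then echo yes; else echo no; fi
}

# One-line verdict for certificate $1 against a controller limited to $2-bit keys.
check_peap_cert() {
    bits=$(cert_key_bits "$1")
    eku=$(cert_has_server_auth "$1")
    fits=$(key_fits_controller "$bits" "$2")
    echo "bits=$bits serverAuth=$eku fits_controller=$fits"
}

# Build a self-signed test certificate (constructed for this example only).
# $1 = key bits, $2 = output path prefix, $3 = "yes" to include the serverAuth EKU.
# A config file is used rather than -addext so this also runs on OpenSSL < 1.1.1.
make_test_cert() {
    cfg="$2.cnf"
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "x509_extensions = ext"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = Campus Wireless dot1x (test)"   # a "friendly" CN, as in the thread
        echo "[ext]"
        echo "basicConstraints = CA:FALSE"
        if [ "$3" = yes ]; then echo "extendedKeyUsage = serverAuth"; fi
    } > "$cfg"
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2.pem" \
        -days 1 -sha256 -config "$cfg" >/dev/null 2>&1
}

# Stand-alone demo: a 2048-bit cert with the EKU, checked against a controller
# that tops out at 1024-bit keys (the 5.x limit described in the thread).
demo_dir=$(mktemp -d)
make_test_cert 2048 "$demo_dir/dot1x" yes
check_peap_cert "$demo_dir/dot1x.pem" 1024
# prints: bits=2048 serverAuth=yes fits_controller=no
rm -rf "$demo_dir"
```

Pointing `check_peap_cert` at the certificate you are about to load on the controller (and at the one issued from the RAS and IAS Server template, in the NPS case) gives a quick answer to both questions before anything is deployed: whether the key size is one the controller will accept, and whether Windows clients will even consider the certificate for PEAP.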

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
