Mike,

EAP-TLS is great if you can deal with the PKI! (That's the only method that I use at the moment, but we haven't deployed it campus-wide yet.) No password renewal issue, no phishing issue, available on most OSes, and great to handle the many devices that users bring on campus. If a device disappears, no need to renew your AD password, just revoke the cert of that device.

One approach that I would like to implement at UTK is using MS-PKI. I have talked to the folks at CloudPath, and their Xpressconnect installer has a plug-in to integrate the distribution of certs using MS-PKI. We are most likely going to pilot this in January or February of 2012. Feel free to contact me if you want more info.
Y'all have a great new year BTW!

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Dec 30, 2011, at 10:47 AM, Mike King wrote:

> We're getting ready to pilot a Cisco Office Extend environment.
>
> We're also debating the EAP type.
>
> We're considering using Certificate based (TLS). The end users in this
> scenario would all be machines under our direct control, and all joined to
> our active directory. We do have a CA that we've set up to issue some server
> certificates, but we've never gone beyond that. This will be my first
> personal experience with EAP-TLS.
>
> Anyone using EAP-TLS that would mind discussing it with me?
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
