We use our own internal certificate authority. We WERE using a public CA. Ultimately we decided that if used our own CA, we were in total control, and not subject to changes and policies made on a public CA. Since people have to onboard with cloudpath to access our secure SSID, we can load the private CA chains, and there are no problems. Plus, its free to generate certificates. I'd suggest that route. We had issues generating radius certificates that might change an intermediate from one issuance to another that could cause issues with clients. Hated the thought of a D-Day when we update our new externally signed certificates, requiring everyone to onboard again.
Ryan H Turner Senior Network Engineer The University of North Carolina at Chapel Hill CB 1150 Chapel Hill, NC 27599 +1 919 445 0113 Office +1 919 274 7926 Mobile -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Wang Sent: Wednesday, September 24, 2014 4:08 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] 802.1x Certificates for RADIUS I'm curious which CA's you are using for your RADIUS servers for your 802.1x implementations. We are looking to renew our cert (coming up on expiration), which is signed by one of the Thawte CA's that is being deprecated. At the time we selected that CA because it was widely supported natively or was pre-installed in nearly all platforms / operating systems we see on our campus. Our two main concerns are compatibility (we've seen over 200k distinct devices authenticated onto our 802.1x WiFi over the past 6 months) and longevity (seems most only offer up to 3 years). After just a cursory check, it looks like a lot of sites dealing with financial transactions use Verisign, while some of the popular social media sites use DigiCert. Google has their own intermediate CA issued by GeoTrust. I would expect any of those would be very widely supported, but am curious what others' experiences are. Thanks, Jason ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
