On Sep 24, 2014, at 4:14 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

> We use our own internal certificate authority.  We WERE using a public CA.  
> Ultimately we decided that if we used our own CA, we were in total control, and 
> not subject to changes and policies made on a public CA.

We also moved to our own CA this summer, with a long expiration time to prevent 
“cert renewal d-day”.

We’re an all-Apple campus, so we need to trust all certs and CAs in order for 
wifi to work correctly.  Since we're on-boarding anyway, no real reason to use 
a public CA.

Also, the FreeRADIUS documentation recommends AGAINST a public CA.  The reason 
being that when your clients mark the CA as trusted, they now trust any cert 
signed by the CA.  If you use a public CA, then anyone with a cert signed by 
that CA can impersonate your radius server and get away with it because they’re 
signed by the trusted CA.  With a roll-your-own, you control which certs get 
signed, so no impersonation.

We leaned heavily on the eduroam recommendations for cert extensions, names, 
options, etc:

  
https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

So far, so good, but we haven’t rolled out to a lot of non-Apple devices (yet).

Jason

--
Jason Healy    |    jhe...@logn.net    |   http://www.logn.net/

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
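The trust argument above (trust the CA, and you trust every certificate it ever
signs; with your own CA you decide what gets signed) as an added, runnable example.
This is not code from the thread, from FreeRADIUS, or from the eduroam page; it is
a stand-alone Go program using only the standard library. Both CAs, the RADIUS host
name radius.campus.example and the impostor name wifi.attacker.example are
hypothetical and generated locally; the "public CA" is a stand-in for one a
supplicant would already trust. The server certificates carry the host name as a
SAN and the id-kp-serverAuth extended key usage, which is what Windows and Apple
supplicants look for on an EAP server certificate. supplicantAccepts models a
client that trusts exactly one CA; with an empty expectedHost it checks only the
chain and EKU, which is how a supplicant behaves when no server-name restriction
has been configured on it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// caTemplate: a signing CA with basicConstraints CA:TRUE and certSign usage.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// eapServerTemplate: host name in the SAN plus the id-kp-serverAuth EKU.
func eapServerTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// supplicantAccepts models a client that trusts exactly the CAs in roots. With
// expectedHost == "" it checks only chain and EKU, not the server name.
func supplicantAccepts(server *x509.Certificate, roots *x509.CertPool, expectedHost string) bool {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

type Outcome struct {
	PrivateCAAcceptsOwnServer     bool // true: the campus CA signed it
	PrivateCAAcceptsImpostor      bool // false: the campus CA never signed it
	PublicCAAcceptsImpostorNoName bool // true: any cert from that CA chains up
	PublicCAAcceptsImpostorByName bool // false: only the name check stops it
}

// RunScenario: campus CA vs a locally generated stand-in "public" CA (names hypothetical).
func RunScenario() Outcome {
	const radiusHost = "radius.campus.example"
	campusCA, campusKey := issue(caTemplate("Campus Private CA", 1), nil, nil)
	publicCA, publicKey := issue(caTemplate("Stand-in Public CA", 2), nil, nil)
	radius, _ := issue(eapServerTemplate(radiusHost, 10), campusCA, campusKey)
	impostor, _ := issue(eapServerTemplate("wifi.attacker.example", 11), publicCA, publicKey)
	trustCampus, trustPublic := x509.NewCertPool(), x509.NewCertPool()
	trustCampus.AddCert(campusCA)
	trustPublic.AddCert(publicCA)
	return Outcome{
		PrivateCAAcceptsOwnServer:     supplicantAccepts(radius, trustCampus, ""),
		PrivateCAAcceptsImpostor:      supplicantAccepts(impostor, trustCampus, ""),
		PublicCAAcceptsImpostorNoName: supplicantAccepts(impostor, trustPublic, ""),
		PublicCAAcceptsImpostorByName: supplicantAccepts(impostor, trustPublic, radiusHost),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with go run and read the four booleans. The third one is the
impersonation case from the message: an attacker holding any certificate from the
trusted public CA chains up cleanly. The fourth shows the only thing that stops
it once a public CA is trusted, a server-name check, and that check has to be
pushed to every supplicant (profile, group policy, or a setting the user has to
get right), which is exactly the dependency a campus-controlled CA removes.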
