I'm pretty sure you will need the Private key.

On Mon, Mar 20, 2017 at 12:34 PM, Eric Glinsky <[email protected]> wrote:

> Thanks for the info, guys! It seems that “it is what it is” after all.
>
> Still haven’t had a chance to try the third-party CA with Win7 to decide if it’s worth keeping.
>
> From what’s been discussed, I should be able to use the same cert across multiple RADIUS servers. No luck so far. On our first RADIUS server, I set up authentication with a cert issued to the host’s FQDN, with the domain CA (which also happens to be the RADIUS server) as the issuer. I tried exporting the cert from the original RADIUS server and importing it to the secondary server, but clients fail to authenticate. Any suggestions, such as file format, also exporting the root cert or not (with or without private key), etc. would be appreciated. Please forgive me if I’m totally off base since I have very limited experience with certs!
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] *On Behalf Of* Kevin Fitzgerald
> *Sent:* Monday, March 13, 2017 3:15 PM
> *To:* [email protected]
> *Subject:* Re: [WIRELESS-LAN] Certificate for 802.1x
>
> Hi Eric,
>
> From what I understand, the reason that even 3rd party certificates fail is that the clients do not have a trusted radius store as they do with SSL. That is to say, by default, most clients will not trust any radius certificate regardless of the issuer.
>
> Some vendors provide an on-boarding module that distributes the trust parameters to the client as a workaround to the above.
>
> Kevin
>
> On Mon, Mar 13, 2017 at 2:10 PM, Eric Glinsky <[email protected]> wrote:
>
> Hi everyone,
>
> I’m looking for thoughts/opinions/experiences on 802.1x and security certificates. I dug through the archives from a few years ago, and from what I gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, Windows, Android) trust it automatically, but maybe someone has succeeded with this by now? If so, which CA would you recommend?
>
> For us, our GoDaddy wildcard cert failed to authenticate clients, so we went with DigiCert. That isn’t trusted by clients by default, offering no benefit over our domain-generated cert, with which all Apple and Windows 8/10 devices must be told to “trust,” Windows 7 fails to authenticate entirely, and Android just works. We have a Cisco WLC and Windows NPS.
>
> Thanks for any pointers you can give!
>
> - Eric
>
> This e-mail message is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL or PRIVILEGED material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and destroy all copies of the original message. If you are the intended recipient but do not wish to receive communications through this medium, please so advise the sender immediately.
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
>
> --
> Kevin Fitzgerald | Project/Program Specialist
> University of Arkansas at Little Rock | Information Technology Services
> 501.916.5019 | [email protected] | ualr.edu
>
> Reminder: IT Services will never ask for your password over the phone or in an email. Always be suspicious of requests for personal information that comes via email, even from known contacts. For more information or to report suspicious email, visit http://ualr.edu/itservices/security/
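The "you will need the private key" advice above, worked through as an added example (this is not code from anyone in the thread). It exports the EAP server certificate from the first NPS host as a PFX that carries the private key and the issuing chain, imports it on the second host, and checks the two things that most often break the PEAP handshake: the private key did not come along, or the chain does not validate on the new box. The FQDN `radius1.example.edu`, the share path and the password prompt are assumptions; substitute your own. Requires the PKI module cmdlets (Windows Server 2012 or later) in an elevated session, and a private key that was issued as exportable.

```powershell
# Added example, not from the thread. Assumed values: the subject name,
# the PFX path and the password. Run elevated on each RADIUS server.

$Subject  = 'CN=radius1.example.edu'        # assumed: name the cert was issued to
$PfxPath  = '\\fileserver\certs\radius.pfx' # assumed: path both servers can reach
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

# --- On the first RADIUS server: locate the cert and confirm it is usable ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Subject with a private key in LocalMachine\My" }

# Windows supplicants require the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
# on the PEAP/EAP-TLS server certificate; check it before copying it anywhere.
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU" }

# Export cert + private key + issuing chain in one PFX. A .cer export (public
# part only) is not enough: the second server cannot complete the TLS handshake
# without the private key. Fails if the key was issued as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain

# --- On the second RADIUS server: import and verify ---
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
if (-not $imported.HasPrivateKey) { throw "Imported certificate has no private key" }

# The issuing CA chain must validate on this host as well; if it does not,
# import the CA certificate(s) into the Root / Intermediate (CA) stores here.
if (-not $imported.Verify()) { throw "Chain does not validate on this server" }

'{0} imported; thumbprint {1}, expires {2}' -f $imported.Subject, $imported.Thumbprint, $imported.NotAfter
```

Two things the script cannot do for you: after the import, the NPS network policy on the second server still has to be pointed at the imported certificate (Constraints, Authentication Methods, edit the PEAP or EAP-TLS type and pick the certificate), otherwise NPS keeps offering whatever it used before; and the clients only stop prompting if the issuing CA is already in their trusted-root store, which is exactly the situation the thread describes for a domain CA versus a third-party one.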
