All, I know the subject has been broached on the list a few times before, but I’m looking for informal opinions/survey about how you are deploying your Radius EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard users, but recently went through a difficult renewal period to replace our expiring certificate. As we had configured all of our clients to “verify the server certificate” (as you should from a security perspective), we found that iOS/MacOS and Android clients did not take kindly to a new certificate being presented. This resulted in quite a few disgruntled users who couldn’t connect to WiFi as well as a shell-shocked Service Desk. To help prevent this in the future (and because we are moving to a new Radius infrastructure), what is the consensus on the following strategies:
Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with "verify server certificate" enabled Option 2: Removing all traces of “verify server certificate” from OnBoard configuration and use 2-year certs from CAs Option 3: Use 2-year CA certificates, enable “verify server certificates” and educate/prepare every two years for connection issues. Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS. Opinions? Craig Simons Network Operations Manager Simon Fraser University | Strand Hall 8888 University Dr., Burnaby, B.C. V5A 1S6 T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices <http://www.sfu.ca/itservices> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.