You should never use different EAP server certificates across a RADIUS cluster. Use the same cert across all nodes (in this case take the other cert with the longest expiry and upload it to all the nodes in the CPPM cluster)
________________________________ From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jonathan Miller <jmill...@fandm.edu> Sent: Monday, August 9, 2021 7:32:19 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root You don't often get email from jmill...@fandm.edu. Learn why this is important<http://aka.ms/LearnAboutSenderIdentification> We are currently using publicly signed certificates for our eduroam access on a cluster of 2 ClearPass servers. We are in a situation where one of our certs will be expiring in October of this year, while the other is good until June of next year. The certificate are issued through InCommon, and when I renewed our expiring certificate, I noticed that it is showing that is has a root of Sectigo, where it was previously Comodo. The certificate that is not expiring has a root CA of Comodo. This leads me to the following questions: 1. Is it advisable to run certificates with different Root CAs on different members of our ClearPass cluster? Would we expect to see client issues? 2. If it's not a problem to do this, can I simply add the Root CA for Sectigo to our eduroam CAT configuration, or is there only one Root CA allowed? Any other advice is appreciated. I understand that most institutions are moving to privately issued certificates in order to get control of these certificate chain issues, but we haven't quite gotten there yet. Our plan to properly onboard clients is to use an SSID with a captive portal to direct them to the eduroam CAT download. Thanks, Jonathan Miller Senior Network Analyst Franklin and Marshall College ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Ce3ae3dfe2509475823b308d95b296482%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637641055620504986%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=DZKD6Ej%2FLOFPfEtUJ61yxGlsxNzNVguZATohc3O0AIU%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community