EAP server certs from a PKI you (or a partner like SecureW2) control are the best practice.

Technically, you're not even supposed to use the certificates issued from a public CA for EAP as it's a violation of multiple policies.

Tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Elton, Norman N <wne...@wm.edu>
Sent: Monday, August 9, 2021 8:18:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

To piggyback on Jonathan's question ... he mentions moving the server-side certificates to a private CA. Is this common?

We're using SecureW2 to configure an EAP-TLS deployment, so it should be trivial to configure the client to trust our private CA. We currently configure clients to trust server certificates coming from InCommon. I've had a long-simmering concern that if, for whatever reason, we can't use InCommon one day ... that means we have to reconfigure all our clients. One solution, of course, is to trust multiple root public CAs. I suppose an alternative is to move to a private CA on the server-side.

Thanks!

Norman

Norman Elton
Director W&M IT Infrastructure
wne...@wm.edu / 757-221-7790

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Monday, August 9, 2021 at 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

You should never use different EAP server certificates across a RADIUS cluster.

Use the same cert across all nodes (in this case take the other cert with the longest expiry and upload it to all the nodes in the CPPM cluster).

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jonathan Miller <jmill...@fandm.edu>
Sent: Monday, August 9, 2021 7:32:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] eduroam CAT Config/Cert Renewal with New Root

We are currently using publicly signed certificates for our eduroam access on a cluster of 2 ClearPass servers. We are in a situation where one of our certs will be expiring in October of this year, while the other is good until June of next year. The certificates are issued through InCommon, and when I renewed our expiring certificate, I noticed that it is showing that it has a root of Sectigo, where it was previously Comodo. The certificate that is not expiring has a root CA of Comodo.

This leads me to the following questions:

1. Is it advisable to run certificates with different Root CAs on different members of our ClearPass cluster? Would we expect to see client issues?
2. If it's not a problem to do this, can I simply add the Root CA for Sectigo to our eduroam CAT configuration, or is there only one Root CA allowed?

Any other advice is appreciated. I understand that most institutions are moving to privately issued certificates in order to get control of these certificate chain issues, but we haven't quite gotten there yet. Our plan to properly onboard clients is to use an SSID with a captive portal to direct them to the eduroam CAT download.

Thanks,

Jonathan Miller
Senior Network Analyst
Franklin and Marshall College

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
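The two points raised in this thread (Tim's advice to deploy one EAP server certificate to every node of the RADIUS cluster, and Jonathan's question about whether different roots on different cluster members can be trusted from a single CAT profile) can be checked mechanically. The script below is an added example, not code from the thread or from ClearPass or SecureW2: it builds a constructed private EAP root, issues one server cert, lays out three hypothetical node directories (node1, node2 consistent; node3 carrying a stray self-signed cert), and then reports how many distinct server certs the cluster presents and whether each node's cert chains to the root the onboarding profile would trust. The CN radius.example.edu and the node directory layout are assumptions.

```shell
#!/bin/sh
# Added example: audit EAP server cert consistency across RADIUS cluster nodes.
# Requires openssl; all certificates below are generated here (constructed).
set -e
WORK=$(mktemp -d)
CA="$WORK/ca"; mkdir -p "$CA"

# Constructed private root CA (stands in for an institution's own PKI).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example EAP Root" \
  -keyout "$CA/root.key" -out "$CA/root.pem" >/dev/null 2>&1
# One EAP server certificate for the whole cluster, signed by the private root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.edu" \
  -keyout "$CA/eap.key" -out "$CA/eap.csr" >/dev/null 2>&1
openssl x509 -req -in "$CA/eap.csr" -CA "$CA/root.pem" -CAkey "$CA/root.key" \
  -CAcreateserial -days 365 -out "$CA/eap.pem" >/dev/null 2>&1
# A second, unrelated cert stands in for the mismatched node in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=radius.example.edu" \
  -keyout "$CA/other.key" -out "$CA/other.pem" >/dev/null 2>&1

# Constructed cluster layout: node1 and node2 consistent, node3 carries the odd cert.
for n in node1 node2 node3; do mkdir -p "$WORK/$n"; done
cp "$CA/eap.pem" "$WORK/node1/eap.pem"; cp "$CA/eap.pem" "$WORK/node2/eap.pem"
cp "$CA/other.pem" "$WORK/node3/eap.pem"

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Prints the number of distinct EAP server certs across the given node dirs (want 1).
distinct_certs() {
  for d in "$@"; do fingerprint "$d/eap.pem"; done | sort -u | wc -l | tr -d ' '
}

# Returns 0 if the node's cert chains to the root the CAT profile trusts, 1 otherwise.
chains_to_root() { openssl verify -CAfile "$2" "$1/eap.pem" >/dev/null 2>&1; }

# Returns 0 if the node's cert is still valid for at least $2 more seconds.
valid_for() { openssl x509 -in "$1/eap.pem" -noout -checkend "$2" >/dev/null; }

# Stand-alone run: report on the constructed cluster.
echo "distinct certs across node1,node2: $(distinct_certs "$WORK/node1" "$WORK/node2")"
echo "distinct certs across all nodes:   $(distinct_certs "$WORK/node1" "$WORK/node2" "$WORK/node3")"
for n in node1 node2 node3; do
  if chains_to_root "$WORK/$n" "$CA/root.pem"; then echo "$n: chains to trusted root"
  else echo "$n: does NOT chain to trusted root"; fi
done
```

Run against real nodes, point the node directories at exported server certificates and `-CAfile` at the root bundled into the CAT profile; a count above 1 or a failed verify is exactly the inconsistency the thread warns about.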