Higher Education

Contributor II
Posts: 54
Registered: ‎01-16-2013
Which "Popular" certificate authority (CA) included in most devices

We're starting a project to deploy ClearPass as our primary campus AAA and we have the opportunity to use a different CA from the one we normally use (GlobalSign).

Is there a CA that is included in most popular mobile and laptop OSes where we wouldn't have to burden most of the user population to onboard root cert chains from the CAs? MacOS, Windows, Apple iOS, and Android make up 95% of the devices, so finding a CA that's included with all of these would get us most of the way to the goal.

thanks

mike

Mike Davis
Network Engineer
University of Delaware
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Which "Popular" certificate authority (CA) included in most devices
Nearly every major commercial provider is included.

Are you having issues with Globalsign?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I
Posts: 274
Registered: ‎04-04-2014
Re: Which "Popular" certificate authority (CA) included in most devices

Entrust is, unless your client mix includes very old Windows installations. Otherwise, GoDaddy is pretty well represented even on old things.

But, since you should probably be using profiles/scripts to install settings to turn on CN validation and CA lockdown when using public CAs, once you have gone that far, adding root cert installation might not be that much more work.

Contributor II
Posts: 54
Registered: ‎01-16-2013
Re: Which "Popular" certificate authority (CA) included in most devices

GlobalSign doesn't list Apple iOS as supported (https://www.globalsign.com/en/ssl-information-center/certificate-authority-root/) and our initial testing shows our GlobalSign cert as Untrusted on iOS 10.

Mike Davis
Network Engineer
University of Delaware
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Which "Popular" certificate authority (CA) included in most devices
Are you using a tunneled EAP method? (PEAPv0/EAP-MSCHAPV2, EAP-TTLS, etc)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 54
Registered: ‎01-16-2013
Re: Which "Popular" certificate authority (CA) included in most devices

Yes, PEAP MSCHAPv2

Mike Davis
Network Engineer
University of Delaware
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010
Re: Which "Popular" certificate authority (CA) included in most devices

GlobalSign's CA is included in iOS and Mac OS X.

Keep in mind that certificate messages during initial authentication to an 802.1X network are not system certificate trust related; they are to prove the server identity to the user connecting. Server certificate validation is a normal component of tunneled EAP methods.

The only ways to avoid that message on devices are:

1) Move to EAP-TLS (ideal)

2) Offer a configuration tool like QuickConnect to users

3) Push down configuration on managed devices (GPO or Profile Manager)

4) Manually configure supplicants.

If you're going to Atmosphere, we'll be discussing this in the Deploying Device and Server Certificates session.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
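
The CN validation and CA lockdown settings mentioned in the replies above can be checked in a profile before it is pushed to managed devices. The following Python audit of the Wi-Fi payload in an Apple configuration profile is an added example, not part of the original thread or of any Aruba tool; the SSID, UUIDs, server name and helper function names are constructed placeholders.

```python
import plistlib

WIFI = "com.apple.wifi.managed"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_profile(profile_bytes):
    """Return (ssid, finding) tuples for 802.1X Wi-Fi payloads that do not
    pin the RADIUS server's CA and name."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != WIFI or eap is None:
            continue  # not an 802.1X Wi-Fi payload
        ssid = p.get("SSID_STR", "<unnamed>")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append((ssid, "no CA lockdown"))
        elif not set(anchors) <= cert_uuids:
            findings.append((ssid, "anchor UUID has no certificate payload"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no server name validation"))
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append((ssid, "user may accept an untrusted server cert"))
    return findings

def make_profile(eap, with_root=True):
    """Constructed sample profile; every identifier is a placeholder."""
    content = [{"PayloadType": WIFI, "PayloadUUID": "WIFI-UUID-PLACEHOLDER",
                "SSID_STR": "campus-example", "EncryptionType": "WPA2",
                "EAPClientConfiguration": eap}]
    if with_root:
        content.append({"PayloadType": "com.apple.security.root",
                        "PayloadUUID": "ROOT-UUID-PLACEHOLDER",
                        "PayloadContent": b"placeholder, not a real certificate"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})

# EAP type 25 is PEAP. WEAK leaves the trust decision to the user;
# HARDENED pins both the issuing CA and the expected server name.
PINNED = {"AcceptEAPTypes": [25], "TLSAllowTrustExceptions": False,
          "PayloadCertificateAnchorUUID": ["ROOT-UUID-PLACEHOLDER"],
          "TLSTrustedServerNames": ["radius.example.edu"]}
WEAK = make_profile({"AcceptEAPTypes": [25], "TLSAllowTrustExceptions": True},
                    with_root=False)
HARDENED = make_profile(PINNED)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(prof))
```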