Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Radius certificate & OnBoard Intermediate CA

  • 1.  ClearPass Radius certificate & OnBoard Intermediate CA

    Posted Aug 15, 2018 12:02 PM

    Our CPPM Radius certificate is getting ready to expire so we're working on renewing it. The question that I've run into, though, is that the current certificate is signed by the OnBoard intermediate CA, in turn signed by the AD CA. Is there a particular need for the Radius cert to be signed by the internal intermediate CA, or would it be fine to use a cert signed directly by the AD CA?



  • 2.  RE: ClearPass Radius certificate & OnBoard Intermediate CA

    EMPLOYEE
    Posted Aug 15, 2018 12:04 PM
    The EAP server certificate must be trusted by the clients. How are the supplicants configured?


  • 3.  RE: ClearPass Radius certificate & OnBoard Intermediate CA

    Posted Aug 15, 2018 12:41 PM

    I'll have to double check, but I believe at the moment it's basically Windows default. I'm working in the direction of enforced dot1x via wire and wireless, and would like to get group policies defined for the Windows clients to make it transparent to enterprise devices. I'm testing with my machine, and do periodically get the "Windows can't verify the server's identity. If you expect to find %1 in this location..." message.



  • 4.  RE: ClearPass Radius certificate & OnBoard Intermediate CA
    Best Answer

    EMPLOYEE
    Posted Aug 15, 2018 12:52 PM
    The EAP server certificate can be issued from wherever you choose, as long as the supplicants are appropriately configured.


  • 5.  RE: ClearPass Radius certificate & OnBoard Intermediate CA

    Posted Aug 15, 2018 01:04 PM

    Thank you for that. I just wanted to verify there wasn't something I was missing. I've been bitten by changing radius certificates once before and wanted to make sure there wasn't a gotcha I was missing with OnBoard.
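
The condition in reply 4, checked with the openssl CLI on a throwaway PKI (an added example, not part of the thread and not HPE Aruba code). It assumes the supplicant trusts only the root, which stands in for the AD CA; every CN and file name is constructed.

```shell
#!/bin/sh
# Constructed lab PKI: every CN and file name is made up for this example.
# Assumption: the supplicant trusts only the root (standing in for the AD CA).
set -eu
WORK=$(mktemp -d); cd "$WORK"   # throwaway keys live here; delete it when done

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# issue <name> <CN> <extension section> <issuer name>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}

# chain_ok <server cert> [intermediates the server presents with it]
chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}
report() { if chain_ok "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }

openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions ca \
  -subj "/CN=Example AD Root CA" -days 30 -keyout root.key -out root.pem 2>/dev/null
issue onboard-int    "Example Onboard Intermediate CA" ca  root
issue radius-direct  "radius.example.test"             srv root
issue radius-via-int "radius.example.test"             srv onboard-int

report radius-direct.pem                     # issued by the root itself
report radius-via-int.pem onboard-int.pem    # intermediate sent with the cert
report radius-via-int.pem                    # intermediate missing on both sides
```

Only the third call is rejected: either CA can issue the server certificate, but the supplicant must be able to build a path from it to a root it trusts.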