Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS Certificate renewal what happens?

  • 1.  RADIUS Certificate renewal what happens?

    Posted Jun 08, 2017 01:53 PM

    So we have our RADIUS certificate expiring for the first time and I've looked around and can't find any exact information on this question within the community. I talked to support and they gave me an answer that it will be removed, but they seemed vague about it, as they were hesitant to respond, and I'm wondering if they might not have understood the question.

     

    So my questions are around the replacement of that certificate. Please understand I'm unable to find a way to just renew the existing and my cert provider says they can only issue a new one and can't do a renewal.

     

    1. What happens to the old RADIUS certificate once we install a new certificate?
    2. Does it stay in the system till expiration or does the new certificate overwrite the existing certificate?
    3. If the answer to #1 above is that it is deleted, how do we push the new certificate to clients' profiles before we load it, to prevent or limit the clients from trying to connect back to the network?

    These questions are mostly related to our MacOS clients. For Windows and Chromebooks we have management control and have either preloaded the certificates to them or have 'Certificate Server Validation' turned off.



  • 2.  RE: RADIUS Certificate renewal what happens?

    EMPLOYEE
    Posted Jun 08, 2017 04:24 PM
    How have the non-managed clients’ supplicants been configured?

    Also, you should always do EAP server certificate validation otherwise you’re putting credentials at risk.


  • 3.  RE: RADIUS Certificate renewal what happens?

    Posted Jun 08, 2017 05:00 PM

    Tim,

     

    The non-managed clients, BYOD, authenticate using their AD credentials and accept the certificate that is presented.

     

    I understand that for EAP we should be, but we had issues on our initial installation. With summer approaching, we are going to be doing more testing to change this back to validate the certificate next year.



  • 4.  RE: RADIUS Certificate renewal what happens?

    EMPLOYEE
    Posted Jun 08, 2017 07:06 PM
    The users with unmanaged/unconfigured supplicants will be prompted to accept the new certificate.


  • 5.  RE: RADIUS Certificate renewal what happens?

    Posted Jun 08, 2017 09:03 PM

    Tim, appreciate you responding.

     

    So, I'm not sure if you answered my original questions. Does that mean the old certificate will remain in the system and can continue to be used till its expiration or as soon as I load the new cert, the old one will be removed?



  • 6.  RE: RADIUS Certificate renewal what happens?
    Best Answer

    EMPLOYEE
    Posted Jun 08, 2017 09:17 PM
    The EAP server certificate is not stored on most clients. The clients will have a trust for the common name and issuer of the certificate. If you change the certificate and it has a different common name or issuer, the user will receive a prompt and when accepted, the existing trust will be replaced.
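
A pre-rollout check for the behaviour described in the last reply, added here as an example and not part of the original thread or of any ClearPass tooling: it compares the subject common name and issuer of the old and new EAP server certificates to predict whether unmanaged supplicants will prompt again. The function names, the sample CNs and the assumption that clients key their trust on exactly these two fields are illustrative; it needs the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example: predict whether supplicants that accepted the server
# certificate on first connect will prompt again after it is replaced.
# Assumption: client trust keys on subject CN + issuer, as the reply states.

# Print the subject common name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    awk -F' = ' '/commonName/ { print $2; exit }'
}

# Print the full issuer DN of a PEM certificate in RFC 2253 form.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Compare old and new certificates and print a verdict.
# Returns 0 when no new prompt is expected, 1 when one is.
compare_eap_trust() {
  local old="$1" new="$2" verdict="no-prompt"
  [ "$(cert_cn "$old")" = "$(cert_cn "$new")" ] || verdict="prompt:cn-changed"
  if [ "$(cert_issuer "$old")" != "$(cert_issuer "$new")" ]; then
    [ "$verdict" = "no-prompt" ] && verdict="prompt:issuer-changed" \
      || verdict="prompt:cn-and-issuer-changed"
  fi
  echo "$verdict"
  [ "$verdict" = "no-prompt" ]
}

# Build a constructed, CA-signed certificate for trying the check offline.
# Usage: make_demo_cert <dir> <name> <server-cn> <ca-cn>
make_demo_cert() {
  local d="$1" n="$2" cn="$3" ca="$4"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
    -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$n-ca.pem" -CAkey "$d/$n-ca.key" \
    -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null
}

# Run against real files when two PEM paths are given: old first, then new.
if [ "$#" -eq 2 ]; then compare_eap_trust "$1" "$2"; fi
```

Run it with the currently installed certificate and the newly issued one before loading the new certificate onto the RADIUS server; a `prompt:` verdict means users who accepted the old certificate should expect to be asked again.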