Frequent Contributor I

Which "Popular" certificate authority (CA) included in most devices

We're starting a project to deploy ClearPass as our primary campus AAA, and we have the opportunity to use a different CA from the one we normally use (GlobalSign).

Is there a CA that is included in most popular mobile and laptop OSes, so that we wouldn't have to burden most of the user population with onboarding root cert chains from the CAs? macOS, Windows, Apple iOS, and Android make up 95% of the devices, so finding a CA that's included with all of these would get us most of the way to the goal.

 

thanks

mike


Mike Davis
Network Engineer
University of Delaware
34 REPLIES
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Nearly every major commercial provider is included.

Are you having issues with Globalsign?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Super Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

Entrust is, unless your client mix includes very old Windows installations. Otherwise, GoDaddy is pretty well represented even on old things.

But, since you should probably be using profiles/scripts to install settings to turn on CN validation and CA lockdown when using public CAs, once you have gone that far, adding root cert installation might not be that much more work.

Frequent Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

GlobalSign doesn't list Apple iOS as supported (https://www.globalsign.com/en/ssl-information-center/certificate-authority-root/), and our initial testing shows our GlobalSign cert as Untrusted on iOS 10.

Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Are you using a tunneled EAP method? (PEAPv0/EAP-MSCHAPV2, EAP-TTLS, etc)

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

Yes, PEAP MSCHAPv2


Mike Davis
Network Engineer
University of Delaware
Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

GlobalSign's CA is included in iOS and Mac OS X.

Keep in mind that certificate messages during initial authentication to an 802.1X network are not system certificate trust related; they are there to prove the server identity to the user connecting. Server certificate validation is a normal component of tunneled EAP methods.

The only ways to avoid that message on devices are:

1) Move to EAP-TLS (ideal)

2) Offer a configuration tool like QuickConnect to users

3) Push down configuration on managed devices (GPO or Profile Manager)

4) Manually configure supplicants.


If you're going to Atmosphere, we'll be discussing this in the Deploying Device and Server Certificates session.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Which "Popular" certificate authority (CA) included in most devices

We use digicert and it works for all the devices that you have mentioned above

Re: Which "Popular" certificate authority (CA) included in most devices

We use Comodo and don't have any issues
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

If you want to do your authentication in a secure way, you should provision a wireless/wired profile on the clients, and then the vendor of the root CA doesn't matter. If you don't do this, clients will need to accept the certificate provided by the RADIUS server. It always happens, even if you use a trusted global root CA. Hackers can easily set up a wireless network with the same SSID as yours, and when users are prompted to accept the bad certificate they definitely will agree and share their hashed password. With the wireless profile, the device won't prompt to accept the RADIUS cert and will not share the credentials with bad people. At our university we publish the eduroam CAT tool for provisioning on a captive portal.
