Higher Education

We're starting a project to deploy Clearpass as our primary campus AAA and we have the opportunity to use a different CA from the one we normally use. (Globalsign)

 

Is there a CA that is included in most popular Mobile and laptop OSes where we wouldn't have to burden most of the user population to onboard root cert chains from the CAs?  MacOS, Windows, Apple iOS, and Android make up 95% of the devices, so finding a CA that's included with all of these would get us most of the way to the goal.

 

thanks

mike

 

 

Nearly every major commercial provider is included.

Are you having issues with Globalsign?

Globalsign doesn't list Apple IOS as supported (https://www.globalsign.com/en/ssl-information-center/certificate-authority-root/) and our inital testing shows our Globalsign cert as Untrusted on IOS10

Entrust is, unless your client mix includes very old Windows installations.  Otherwise, godaddy is pretty well represented even on old things.

 

But, since you should probably be using profiles/scripts to install settings to turn on CN validation and CA lockdown when using public CAs, once you have gone that far, adding root cert installation might not be that much more work.

 

Are you using a tunneled EAP method? (PEAPv0/EAP-MSCHAPV2, EAP-TTLS, etc)

Yes, PEAP MSCHAPv2

 

 

GlobalSign's CA is inlucded in iOS and Mac OS X.

 

Keep in mind that certificate messages during initial authentication to an 802.1X network are not system certificate trust related, they are to prove the server identity to the user connecting. Server certificate validation is a normal component of tunneled EAP methods.

 

The only ways to avoid that message on devices are:

1) Move to EAP-TLS (ideal)

2) Offer a configuration tool like QuickConnect to users

3) Push down configuration on managed devices (GPO or Profile Manager)

4) Manually configure supplicants.

 

If you're going to Atmosphere, we'll be discussing this in the Deploying Device and Server Certificates session.

We use digicert and it works for all the devices that you have mentioned above

We use Comodo and don't have any issues

If you want to do you authentication on a secure way, you should provision a wireless/wired profile on the clients and then the vendor of the root CA doesn't mather. If you don't do this, clients will need to accept the certificate provided by the radius. I always happens, even if you use a trusted global root CA. Hackers can easy setup a wireless network with the same ssid as yours and when users are prompted to accept the bad certificate they definately will agree and share their hashed password. With the wireless profile, the device won't prompt to accept the radius cert and will not share the credentials with bad people. At our university we publish the eduroam cat tool for provisiong on a captive portal.

Thanks for the feedback - anyway to take this conversation offline? Would like to know more about the profile since we are new to ClearPass.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Using legacy EAP methods is not recommended. You should explore EAP-TLS.

Off course EAP-TLS is better, but in a educational world where student laptops are not IT managed (all BYOD) you would need to use something like clearpass onboard and a few extra golden coins. Also you'll need some extra FTE to support it.

We’ve made significant changes to Onboard licensing to make it more feasible for education. I’m not sure I agree with the need to add an FTE. It should reduce support calls, not increase them.

 

I would also add that the certificate issued is not just for network authentication. It can be used with single sign on solutions to provide seameless, secure authentication to virtually unlimited services.

Can you tell me more about this - "Onboard licensing to make it more feasible for education"?

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Onboard is now licensed per user instead of per device.

And that still makes it quite expensive. With Access license we only need about 50% of our student population covered since they never come to the campus on the same time. With onboard license (already costs 50% more than a Access license) they count as long as their certificate hasn't expired so you need 100% covered at least. Also there's some student overlap at the beginning off a new year (old certs aren't expired yet and new students are coming in). So in practice you need the have like 120% of your average student count covered. You could solve this by renewing and expiring certs extremely fast, but do you want this?

Also as I mentioned you need some extra efford to support onboard with your users. Some setups on student laptops are quite challenging .

The issue I found with Onboard (which may have been fixed by now) is that after onboarding macOS devices, the user still has to do something – specifically, bounce the Wi-Fi adapter. This can be easily solved by packaging mac onboarding as an app instead of only using the .mobileconfig approach. FWIW, we found a much less expensive and more extensible option with a third-party. PM me if you want details.

- Ryan -

Was thinking the same thing - this could get very costly and out of hand quickly.

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Ryan – Asking a user to disconnect and reconnect once in four years as part of a guide process with clear instructions is much less painful than dealing with certificate trust and password changes with PEAP.

 

Also, most customers we have worked with do not want the user to have to download an app.

I completely agree with that. But where you and I diverge is your assumption that it is an either/or scenario. We (as IT) should be reducing the burden on our users whenever possible as a means to provide the best experiences. This would include not asking them to take action when technology could do it for them (e.g., disabling/reenabling the Wi-Fi radio).

- Ryan -

---

@Ryan wrote:
I completely agree with that. But where you and I diverge is your assumption that it is an either/or scenario. We (as IT) should be reducing the burden on our users whenever possible as a means to provide the best experiences. This would include not asking them to take action when technology could do it for them (e.g., disabling/reenabling the Wi-Fi radio).

- Ryan -

---

Yup. I agree.

I have seen a solution from Aruba ACE that detects the expiring Onboard certificate. I think they were prompted to accept a new certificate.

1) There are no hard license caps in ClearPass 6.7

2) It is very easy to revoke certificates via the REST API when a student is no longer active

3) From what our cusotmers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.

---

@cappalli wrote:

2) It is very easy to revoke certificates via the REST API when a student is no longer active

3) From what our cusotmers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.

---

2) not a real solution. Overlap still exists. Also requires custom scripting.

3) that's why there's something like the eduroam cat tool which make's it as easy like assisted onboarding. No issues with server cert trusts! I actually don't know any educational institution (I know a lot trust me) who uses EAP-TLS for their students. They all use PEAP so there's definitely a big market out there. ;)

 

Furthermore. When using EAP-TLS, you cert environment should be reachable from the internet so roaming users can still renew their certificate.

We plan to migrate to tls over the next year, and have a tls kick off meeting in november. We plan to use two CAs, one for internal and one for byod/external. 

---

 wrote:

 

3) that's why there's something like the eduroam cat tool which make's it as easy like assisted onboarding. No issues with server cert trusts! I actually don't know any educational institution (I know a lot trust me) who uses EAP-TLS for their students. They all use PEAP so there's definitely a big market out there. ;)

---

I thought CPPM Onboard was for assisted onboarding. I guess I was mistaken.

There are hundreds of educational institutions using EAP-TLS (thousands globally). Not sure I understand your comment about opening up ClearPass to the internet for certificate renewals.

Anyway, sounds like your mind is made up but I wanted to clarify some of these points for others reading the thread ☺

tim

I was just surprised you suggested the EDURoam CAT tool when CearPAss Onboard is an onboarding tool too.

---

@cappalli wrote:
There are hundreds of educational institutions using EAP-TLS (thousands globally). Not sure I understand your comment about opening up ClearPass to the internet for certificate renewals.

Anyway, sounds like your mind is made up but I wanted to clarify some of these points for others reading the thread ☺

---

How will your roaming students/staff renew their certs when using EAP-TLS without a connection to your CA? It's very common to have lots of visiting/roaming students and staff in an educational env. Sometimes they stay for several months. In an enterprise, EAP-TLS is really the best, but not for educational use. Even MIT just uses PEAP. I hope you'll see it's more a grey story and not black-white.

Why would roaming students have certificates issued from your CA??? An educational environment is really no different from an enterprise environment from a AAA standpoint.

When your students go to another institution they typically use their credentials from their home institution. That's the whole eduroam concept. They don't get new credentials from the visiting instistution. So when you would use EAP-TLS they would use the cert generated from their home instutution. Is it getting clear yet? The radius roaming between educational orgs (eduroam) doesn't exists between different enterprises.

I see what you’re asking now. So let me ask how you handle the same issue with a password expiration or change?

And, actually, many organizations do federated roaming across the globe, so the eduroam model is not unique to education.

People get a notice when their password will expire and they can change it online. After they changed it, they will get a popup which tells them to re-enter their password on their mobile device. It also happens for their mailclient if they have installed it. If you use MS AD technology, the account will not be locked when trying to use the previous password.

OK, so in the same vain, you can put a ClearPass node in your DMZ to handle renewals (and Onboard in general). What’s different?

 

FWIW with the right backend RADIUS server (newer FreeRADIUS being one such) users can change their password over EAP-PEAP-MSCHAPv2, inside the PEAP tunnel, through the supplicant.  Works on both Windows and OSX.  Can be a bit difficult for slow typers since the password change dialogue will disappear when the automatic retry kicks in, but for the most part, works well.

 

(As far as this tangent of the thread goes, I'd just like to stomp my feet like a grumpy old man and point out that this whole thing is a gory mess made entirely by the industry.  It would be pretty simple to do something a-la EAP-TLS-DHE-PSK and ditch all the MSCHAPv2 and/or PKI nonsense... you'd just have to add identity for the server to select the right PSK for a particular client, and maybe an identity privacy layer... though frankly, given most people do not anonymize their outer EAP User-Name, or they put user details in their client certs which are sent OTA in the clear, obviously nobody cares about identity privacy.)