Higher Education

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Ryan – Asking a user to disconnect and reconnect once in four years as part of a guided process with clear instructions is much less painful than dealing with certificate trust and password changes with PEAP.

Also, most customers we have worked with do not want the user to have to download an app.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

I completely agree with that. But where you and I diverge is your assumption that it is an either/or scenario. We (as IT) should be reducing the burden on our users whenever possible as a means to provide the best experiences. This would include not asking them to take action when technology could do it for them (e.g., disabling/reenabling the Wi-Fi radio).

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University

Re: Which "Popular" certificate authority (CA) included in most devices


@Ryan wrote:
I completely agree with that. But where you and I diverge is your assumption that it is an either/or scenario. We (as IT) should be reducing the burden on our users whenever possible as a means to provide the best experiences. This would include not asking them to take action when technology could do it for them (e.g., disabling/reenabling the Wi-Fi radio).

- Ryan -

Yup. I agree.

I have seen a solution from Aruba ACE that detects the expiring Onboard certificate. I think they were prompted to accept a new certificate.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices


@cappalli wrote:

2) It is very easy to revoke certificates via the REST API when a student is no longer active

3) From what our customers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.


2) not a real solution. Overlap still exists. Also requires custom scripting.

3) that's why there's something like the eduroam CAT tool, which makes it as easy as assisted onboarding. No issues with server cert trusts! I actually don't know any educational institution (I know a lot, trust me) that uses EAP-TLS for their students. They all use PEAP so there's definitely a big market out there. ;)

Furthermore, when using EAP-TLS, your cert environment should be reachable from the internet so roaming users can still renew their certificate.

New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

We plan to migrate to TLS over the next year, and have a TLS kickoff meeting in November. We plan to use two CAs, one for internal and one for BYOD/external.

T.J. Norton - Wireless Architect

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

Re: Which "Popular" certificate authority (CA) included in most devices


 wrote:

 

3) that's why there's something like the eduroam CAT tool, which makes it as easy as assisted onboarding. No issues with server cert trusts! I actually don't know any educational institution (I know a lot, trust me) that uses EAP-TLS for their students. They all use PEAP so there's definitely a big market out there. ;)


I thought CPPM Onboard was for assisted onboarding. I guess I was mistaken.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

There are hundreds of educational institutions using EAP-TLS (thousands globally). Not sure I understand your comment about opening up ClearPass to the internet for certificate renewals.

Anyway, sounds like your mind is made up but I wanted to clarify some of these points for others reading the thread ☺

tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Which "Popular" certificate authority (CA) included in most devices

I was just surprised you suggested the eduroam CAT tool when ClearPass Onboard is an onboarding tool too.


Bruce Osborne - Wireless Engineer
ACCP, ACMP

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks

New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices


@cappalli wrote:
There are hundreds of educational institutions using EAP-TLS (thousands globally). Not sure I understand your comment about opening up ClearPass to the internet for certificate renewals.

Anyway, sounds like your mind is made up but I wanted to clarify some of these points for others reading the thread ☺

How will your roaming students/staff renew their certs when using EAP-TLS without a connection to your CA? It's very common to have lots of visiting/roaming students and staff in an educational env. Sometimes they stay for several months. In an enterprise, EAP-TLS is really the best, but not for educational use. Even MIT just uses PEAP. I hope you'll see it's more a grey story and not black-white.

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

Why would roaming students have certificates issued from your CA??? An educational environment is really no different from an enterprise environment from a AAA standpoint.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480