Higher Education

New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

When your students go to another institution they typically use their credentials from their home institution. That's the whole eduroam concept. They don't get new credentials from the visiting institution. So if you used EAP-TLS, they would use the cert generated from their home institution. Is it getting clear yet? The RADIUS roaming between educational orgs (eduroam) doesn't exist between different enterprises.

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

I see what you’re asking now. So let me ask how you handle the same issue with a password expiration or change?

And, actually, many organizations do federated roaming across the globe, so the eduroam model is not unique to education.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Which "Popular" certificate authority (CA) included in most devices

People get a notice when their password will expire and they can change it online. After they have changed it, they will get a popup which tells them to re-enter their password on their mobile device. It also happens for their mail client if they have installed it. If you use MS AD technology, the account will not be locked when trying to use the previous password.

Guru Elite

Re: Which "Popular" certificate authority (CA) included in most devices

OK, so in the same vein, you can put a ClearPass node in your DMZ to handle renewals (and Onboard in general). What's different?

Super Contributor I

Re: Which "Popular" certificate authority (CA) included in most devices

FWIW, with the right backend RADIUS server (newer FreeRADIUS being one such) users can change their password over EAP-PEAP-MSCHAPv2, inside the PEAP tunnel, through the supplicant. Works on both Windows and OS X. Can be a bit difficult for slow typers since the password change dialogue will disappear when the automatic retry kicks in, but for the most part, it works well.
(As far as this tangent of the thread goes, I'd just like to stomp my feet like a grumpy old man and point out that this whole thing is a gory mess made entirely by the industry. It would be pretty simple to do something à la EAP-TLS-DHE-PSK and ditch all the MSCHAPv2 and/or PKI nonsense... you'd just have to add identity for the server to select the right PSK for a particular client, and maybe an identity privacy layer... though frankly, given most people do not anonymize their outer EAP User-Name, or they put user details in their client certs which are sent OTA in the clear, obviously nobody cares about identity privacy.)
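
The outer-identity point made in the post above, as an added example that is not the poster's code or any vendor's: a small Python audit that classifies the outer EAP User-Name of RADIUS requests the way a roaming proxy would see it (anonymized, personally identifying, or unroutable for lack of a realm) and tallies the results over constructed sample log lines. The log line layout, the realm regex and the `anonymous@realm` / `@realm` conventions are assumptions, not taken from the thread.

```python
import re
from collections import Counter

# Assumed simplification of an RFC 7542 NAI realm: DNS-style labels plus a TLD.
REALM_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
# Common outer-identity anonymization conventions (assumed): "@realm" or "anonymous@realm".
ANONYMOUS_USERS = {"", "anonymous"}

def classify_outer_identity(user_name: str) -> str:
    """Classify a phase-1 (outer) EAP identity as seen on the wire before the TLS tunnel.

    Returns 'anonymous', 'identifying', 'no-realm' or 'bad-realm'.
    """
    if "@" not in user_name:
        # Without a realm a federation proxy cannot route the request to the home institution.
        return "no-realm"
    user, realm = user_name.rsplit("@", 1)
    if not REALM_RE.match(realm):
        return "bad-realm"
    if user.lower() in ANONYMOUS_USERS:
        return "anonymous"
    # A real username travels in the clear in the outer identity and in every proxy's logs.
    return "identifying"

# Constructed sample RADIUS log lines (assumed layout; not real server output).
SAMPLE_LOG = """\
(0) Received Access-Request from ap01 ... User-Name = "anonymous@example.edu"
(1) Received Access-Request from ap01 ... User-Name = "@example.edu"
(2) Received Access-Request from ap02 ... User-Name = "jdoe@example.edu"
(3) Received Access-Request from ap02 ... User-Name = "jdoe"
(4) Received Access-Request from ap03 ... User-Name = "jdoe@EXAMPLE"
"""

LOG_RE = re.compile(r'User-Name = "([^"]*)"')

def audit_outer_identities(log_text: str) -> Counter:
    """Count outer-identity classes over log lines carrying a quoted User-Name attribute."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[classify_outer_identity(m.group(1))] += 1
    return counts

if __name__ == "__main__":
    for kind, n in sorted(audit_outer_identities(SAMPLE_LOG).items()):
        print(f"{kind:12s} {n}")
```

Run against a real export, the 'identifying' and 'no-realm' buckets show which supplicants need their outer identity and realm configured before they roam.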