cat-users - Re: [[cat-users]] RADIUS Server Certificate Renewal - MS NPS 2012R2 + private CA certificate renewal - MS Certificate Authority

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] RADIUS Server Certificate Renewal - MS NPS 2012R2 + private CA certificate renewal - MS Certificate Authority


  • From: Daniele Albrizio <daniele AT albrizio.it>
  • To: Scott Johnson <sjohnson AT scuhs.edu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] RADIUS Server Certificate Renewal - MS NPS 2012R2 + private CA certificate renewal - MS Certificate Authority
  • Date: Thu, 5 Jan 2017 11:58:56 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=albrizio-it.20150623.gappssmtp.com

The following is not an answer but is my case study. 
Put only CA chain certificates in CAT.
If you are not changing the CA chain, but only the server certificate, you do not need to modify anything.
I needed to change the CA chain, so I got the new radius certificate one year in advance so I could test it using unlang in free radius to load a per-calling-station-id rap.conf instance using the new chain.

Then I created an Android CAT profile with old CA chain since Google Android is the widest spread client we have and it does not accept multiple CA per network profile since I guess 4 years of bagging in Google lists.

Then I added the new CA chain to the default installer so that new installations should be ready.

I then planned the D-Day to switch the radius server chain and certificate and noticed it to all our users.

At the D-Day I switched the chain in the android profile and removed from the default profile.

This way only Android and profiles installed more than one year before (very few) stopped working.

Remember to flag the new CA in the windows group policy for wireless and wired profile in advance and test the presence of the complete chain in a freshly installed and joined client.

On 5 Jan 2017 09:06, "Scott Johnson" <sjohnson AT scuhs.edu> wrote:

Our two radius servers running MS NPS 2012R2 will renew their certificates in the next 30 days. These are certificates issued by our private root CA (MS Certificate Authority 2012R2); private root CA expiration date 2018.

Are any changes needed for eduroam & the CAT installer?

Also our private root CA certificate will need to be renewed in the beginning of 2018. How does that affect eduroam & CAT? I know I would have to update the root CA certificate on the CAT installer package, but can I put the old & new in there at the same time?

If it's a big issue I would prefer to get in front of it sooner than later... Our Fall class (September start) is always the biggest, so if things need to happen it would be best to do it before the fall class and prepare everyone else with months of warning, since the students don't actually read emails...

On a side note I want to ALSO move both the NPS servers & the Certificate Authority server to Windows Server 2016. Anyone have experience there yet?

Scott Johnson

IT Infrastructure Manager

Southern California University of Health Sciences

16200 Amber Valley Drive, Whittier, CA 90604

Phone: (562) 902-3347 Mobile: (714) 758-5991
