
cat-users - Re: [[cat-users]] eduroam CAT with Let's Encrypt

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Tony Skalski <ajs AT stolaf.edu>
  • To: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Mikael Bak <bak.mikael AT oszk.hu>
  • Subject: Re: [[cat-users]] eduroam CAT with Let's Encrypt
  • Date: Tue, 23 Apr 2019 09:20:20 -0500

We tried this and wish we hadn't. 

As Matthew pointed out, the 'Let's Encrypt Authority X3' cert expires in 2021, so we will definitely need to do something before then.

We use LE extensively elsewhere and have no issues with the DNS TXT challenge method in general, however, it needs to be handled manually for our two RADIUS servers.

We are using NPS and the certificates need to be imported manually and added to the config manually. This could be automated with a little PowerShell (I have found, buried in the XML config files for NPS, where the cert thumbprint is located), but the rest of the process is so manual, I haven't bothered (and we'll be moving away from this anyway).

Last, but certainly not least, iOS (and maybe macOS - I haven't tested recently) seems to do some sort of certificate pinning - so that when we renew our certs every 75 days or so, iOS users are prompted to accept the new certificate - and when they miss the prompt they wind up on our guest network.

So...don't...

We are contemplating ClearPass, and if we don't do that we will likely spin up a pair of FreeRADIUS servers to replace the NPS servers. In either case, we will not be using LE certs.

ajs

On Tue, Apr 23, 2019 at 4:48 AM Matthew Slowe <Matthew.Slowe AT jisc.ac.uk> wrote:

On 23 Apr 2019, at 10:32, Mikael Bak <bak.mikael AT oszk.hu> wrote:

Hi list,

I wonder if there is a way to use Let's Encrypt and automatic cert renewal with eduroam CAT?

Is it a good idea? Is it even possible?

I’ve been lurking on this list for a while so feel free to take with a pinch of salt.

Any issues with CAT specifically aside, I’m not sure that LE is a sustainable model for eduroam type authentication as you’ve got very little control over when the Root changes. My home-based LE certificates have a Root which expires in September 2021 — so, even if LE continued to use this Root up to the bitter end, the best case would be that users would need to intervene (download a new CAT profile?) before then to maintain service.

That’s then coupled with LE's non-web renewal process still being a bit clunky - needing DNS TXT records in place (and possibly changing?) to renew.

Current thinking is that a local, long-lived Root CA (which could be dedicated to RADIUS authentication) be used and published via CAT then service certificates be issued using that.

There’s a pretty good breakdown of the pros and cons (not specifically for LE) here:


Hope that helps (and someone might correct my inaccuracies!)

-- 
Matthew Slowe
Technical Specialist - Trust & Identity

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
 
Jisc Trust and Identity Services
UK Access Management Federation - Assent - Certificate Service - Domain Registry and Liberate - fully managed solution for Jisc's access management services




--
Tony Skalski
System Administrator | IT

Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
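The dedicated, long-lived RADIUS root CA that Matthew suggests (published once via CAT, with short-lived server certificates issued under it) can be built with plain openssl. This is an added example, not code from anyone on the thread; the CA name, hostname, lifetimes and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated, long-lived private root CA
# for RADIUS server certificates, built with openssl. The CA name, hostname,
# lifetimes and file paths are assumptions; adapt them to your deployment.
set -e

# Create the root. It outlives every server certificate by a wide margin, so
# the copy shipped in the CAT profile stays valid across routine renewals.
make_radius_ca() {
  dir="$1"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl genrsa -out "$dir/radius-ca.key" 4096 2>/dev/null
  openssl req -new -key "$dir/radius-ca.key" -subj "/CN=Example RADIUS Root CA" \
    -out "$dir/radius-ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 7300 -in "$dir/radius-ca.csr" \
    -signkey "$dir/radius-ca.key" -extfile "$dir/ca.ext" -out "$dir/radius-ca.pem" 2>/dev/null
}

# Issue a server certificate for one RADIUS host. Supplicants expect the
# id-kp-serverAuth EKU, and the SAN must match the server name published in CAT.
issue_radius_server_cert() {
  dir="$1"; host="$2"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 398 -in "$dir/$host.csr" \
    -CA "$dir/radius-ca.pem" -CAkey "$dir/radius-ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
}

# Pre-deployment check: a renewed server cert must still chain to the root the
# clients already trust, otherwise users get the re-accept prompt Tony describes.
verify_against_pinned_root() {
  openssl verify -CAfile "$1/radius-ca.pem" "$1/$2.pem" >/dev/null 2>&1
}
```

Run `verify_against_pinned_root` as part of the renewal job and refuse to install a certificate that fails it.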



