The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Ricardo Stella <stella AT rider.edu>]

These may be questions for the eduroam admin list but it does involve cat.

We initially configured eduroam with the same commercial cert used for http for radius (we use clearpass). It is only in a semi test mode - that is, it's there and works, but not publicized. Now that I know a little better (maybe ready to take eduroam 102), it would be best to use our own CA with a long expiration date so we won't have to push down a new cat tool in a year or two. Our CA I've set up 20 years ago and not in use any more has an expiration date of 2031 so may be an option - this was with openssl and a 2048 bit. But may create a brand new CA just in case. And this would be the cert pushed via cat.

Few questions now...

* How long should the radius cert be? I understand that renewing it won't affect cat since what matters is the root that signs it. But reading iOS does not trust certs longer than about 2 years, would this be the case? Should I plan on renewing the radius cert every year? Would it be an issue with the long term CA installed by cat?

* Are there any FAQs on verifying what extensions are needed/required?

* We have a 3 node clearpass implementation.  Should each radius cert be its own CN but add all 3 nodes to subject alt names?

I'll probably think of more questions once I hit send but for now..

Thanks in advance - Ricardo.

--

°(((=((===°°°(((================================================