cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Ricardo Stella <stella AT rider.edu>
- Cc: cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Radius certificate length and faq
- Date: Thu, 14 Oct 2021 19:59:13 +0200
Hi,
> These may be questions for the eduroam admin list but it does involve cat.
> We initially configured eduroam with the same commercial cert used for http for radius (we use clearpass). It is only in a semi test mode - that is, it's there and works, but not publicized. Now that I know a little better (maybe ready to take eduroam 102), it would be best to use our own CA with a long expiration date so we won't have to push down a new cat tool in a year or two.
I think that in itself isn't the best reason for a private CA ;-)
but indeed one of the advantages.
Interestingly, we were just discussing pros and cons for public vs. private CAs, as there have been developments in end-user devices. Originally, the advice for a private CA was particularly important because Android couldn't pin the server names (CN or SubjectAltName DNS) from the certificate, so it was more or less the CA pinning the trust. But this name pinning is possible now (and otherwise CAT/geteduroam takes care of that if it's not in the OS dialog).
Also, Android 11 allows you to configure "use system CAs", and it
will validate the "domain name" against the certificate
properties. (I use the same name as the realm, hoping users will
use that if they try.) If you have a private CA, it needs to be
installed in Android first. Also on Windows, because if you don't:
Windows won't even connect, while that all will work with a public
CA. Windows will actually also warn you about the installation of
a private CA, because it could be abused for other purposes (like
websites, and thus man in the middle attacks). Because of this,
I'm personally leaning towards public CAs, because it may prevent
people from switching off server certificate validation if that
option is still available in their clients. (But it's really a
personal preference. You may get a different view in a next
reply.)
You can include multiple root CAs in your profile, and continue
to use the servername after CA migration. It kind of depends on
how long you expect your users to work with a particular profile.
(One could argue, but geteduroam and CAT don't support this yet,
that we don't even pin the CA per se, if you trust "all OS
provided CAs". Like you do with websites.)
So, there are of course also arguments pro private CAs, and the
renewal period could be one of them. If your users use profiles
from CAT, the renewals/reissue won't affect them, but definitely
you as an administrator.
> Our CA I've set up 20 years ago and not in use any more has an expiration date of 2031 so may be an option - this was with openssl and a 2048 bit. But may create a brand new CA just in case. And this would be the cert pushed via cat.
> Few questions now...
> * How long should the radius cert be? I understand that renewing it won't affect cat since what matters is the root that signs it. But reading iOS does not trust certs longer than about 2 years, would this be the case? Should I plan on renewing the radius cert every year? Would it be an issue with the long term CA installed by cat?
I think that logic is there, but doesn't apply to private CAs.
You'd better verify, of course, if you go that path; it's trivial to find
out.
> * Are there any FAQs on verifying what extensions are needed/required?
There is an EAP server certificate considerations page that, based on the discussion, is about to be reviewed. It does contain some of the extensions. You would need the server extension and subjectAltName DNS; the certificate should not be wildcard, not EV, should have a modern hashing mechanism, and not be a CA. I guess that's roughly it.
> * We have a 3 node clearpass implementation. Should each radius cert be its own CN but add all 3 nodes to subject alt names?
All servers can use the same certificate and names. There is no relation between the hostname and the name in the certificate. That's the entire reason the trust has to come from another place ;-)
Paul
> I'll probably think of more questions once I hit send but for now..
> Thanks in advance - Ricardo.
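Paul's certificate checklist above and the server-name pinning that Android 11 does, as an added example that is not part of the thread: a Go program (written for this page, standard library only) that issues one server certificate for all RADIUS nodes under a constructed private CA and reports which of the listed properties it fails. The CA name, the example.edu host names and the two-year limit are assumptions, not values from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"strings"
	"time"
)

// checkEAPServerCert applies the thread's rules to a RADIUS/EAP server certificate: not a CA,
// EKU serverAuth, a subjectAltName DNS entry matching the pinned name, no wildcard, validity <= maxDays.
func checkEAPServerCert(c *x509.Certificate, pinnedName string, maxDays int) []string {
	var problems []string
	flag := func(bad bool, msg string) {
		if bad {
			problems = append(problems, msg)
		}
	}
	flag(c.IsCA, "is a CA certificate")
	flag(!slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageServerAuth), "missing extendedKeyUsage serverAuth")
	flag(c.VerifyHostname(pinnedName) != nil, "pinned name "+pinnedName+" not in subjectAltName")
	flag(slices.ContainsFunc(c.DNSNames, func(n string) bool { return strings.HasPrefix(n, "*.") }), "wildcard name in subjectAltName")
	flag(c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.MD5WithRSA, "weak signature hash")
	flag(c.NotAfter.Sub(c.NotBefore) > time.Duration(maxDays)*24*time.Hour, "validity period longer than allowed")
	return problems
}

// radiusCertProblems issues one server certificate shared by all RADIUS nodes (every node name
// in the SAN) under a constructed 10-year private CA; only the CA's name, key and lifetime are needed.
func radiusCertProblems(names []string, pinnedName string, days int) []string {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: names[0]}, DNSNames: names,
		NotBefore: now, NotAfter: now.AddDate(0, 0, days), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, srvTpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	srv, _ := x509.ParseCertificate(der)
	return checkEAPServerCert(srv, pinnedName, 2*365)
}
```

A one-year certificate with all three node names in the SAN passes cleanly; a wildcard five-year one is flagged twice, and a certificate that does not contain the name the profile pins is flagged even though it is otherwise fine.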
- [[cat-users]] Radius certificate length and faq, Ricardo Stella, 10/14/2021
- Re: [[cat-users]] Radius certificate length and faq, Paul Dekkers, 10/14/2021
- Re: [[cat-users]] Radius certificate length and faq, Stefan Winter, 10/15/2021