cat-users - Re: [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Martin Stanislav <ms AT uakom.sk>
  • To: Florian Lengyel <Florian.Lengyel AT cuny.edu>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>, Jonathan Frost <Jonathan.Frost AT cuny.edu>, Anna Wong <Anna.Wong AT cuny.edu>, Mark Manis <Mark.Manis AT cuny.edu>, Arthur Ecock <Arty.Ecock AT cuny.edu>, Agustin Ferrer <Agustin.Ferrer AT cuny.edu>
  • Subject: Re: [[cat-users]] Renewing FreeRADIUS server certs with the same key as prior cert
  • Date: Mon, 18 Sep 2023 20:59:54 +0200

Hi Florian,

I suppose you are about to renew an EAP server certificate that is deployed
on CUNY RADIUS servers. In fact, it doesn't matter whether you keep
the old key pair or you decide to create a new key pair (wrt trust).
The eduroam config profile published for CUNY on the eduroam CAT portal
will work as long as the chain of trust this profile contains covers
the EAP server certificate deployed on CUNY RADIUS servers.
The same applies for the expected server name (as present in
the profile vs in a deployed X.509 certificate).

Also, the clients (802.1X supplicants) have to be provisioned in accord
with the concerned CUNY profile published on the eduroam CAT portal,
e.g. geteduroam will use the published profile to provision a client device.

There is more info wrt EAP server certificate on the GÉANT wiki [1].

Kind regards,
Martin

[1]
https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

On Mon, Sep 18, 2023 at 06:00:44PM +0000, Florian Lengyel wrote:
>
> Hi,
>
> I am renewing the server certificate of my FreeRADIUS cluster for eduroam.
> The server key is remaining the same.
> Is it true that users typically should not need to reconfigure their
> devices?
> My understanding is that the existing settings should continue to work after
> the server cert is renewed as the server key is the critical component for
> the client-trust relationship.
>
> Florian
>
> Florian Lengyel, PhD
> Identity and Access Management
> CUNY CIS 395 Hudson Street, New York, NY 10014
> Voicemail: (646) 664-2370 Cell: (917) 621-7845
> Email: florian.lengyel AT cuny.edu
>

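Added example, not part of the original thread: a self-contained `openssl` run that models the two checks named in the reply above (chain of trust to the CA in the profile, and the expected server name) against renewed certificates. The CAs, keys and the name `radius.example.edu` are constructed placeholders, and `profile_accepts` is a hypothetical stand-in for the supplicant's validation.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CAs/keys; radius.example.edu is a placeholder name.
set -eu
WORK=$(mktemp -d)
NAME=radius.example.edu   # server name the (hypothetical) profile expects
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
  '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$WORK/req.cnf"

make_ca() {   # make_ca <ca-id>: self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -subj "/CN=Demo CA $1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
new_key() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; }

issue() {     # issue <cert-id> <key-id> <ca-id> <server-name>
  openssl req -new -key "$WORK/$2.key" -config "$WORK/req.cnf" -subj "/CN=$4" \
    -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

profile_accepts() {   # <cert-id>: chains to the profile CA AND carries the expected name
  openssl verify -CAfile "$WORK/profileca.pem" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$' &&
    openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$NAME" 2>&1 | grep -q 'does match'
}
same_key() {  # <cert-a> <cert-b>: true when both certificates hold the same public key
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)" = \
    "$(openssl x509 -in "$WORK/$2.pem" -noout -pubkey)" ]
}

make_ca profileca; make_ca otherca; new_key keyA; new_key keyB
issue old     keyA profileca "$NAME"
issue renewed keyA profileca "$NAME"               # renewal, same key
issue rekeyed keyB profileca "$NAME"               # renewal, new key pair
issue renamed keyA profileca radius2.example.edu   # same key, different server name
issue foreign keyA otherca   "$NAME"               # same key, CA not in the profile

for c in renewed rekeyed renamed foreign; do
  same_key old "$c" && k=same || k=new
  profile_accepts "$c" && r=accepted || r=rejected
  echo "$c: key=$k -> $r"
done
```
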




