On Thu, Mar 23, 2017 at 09:29:54AM +0000, Peter Hutchison wrote:
With PEAP you should *always* use Publicly recognised TLS/SSL certificates, preferably with a well-known CA source or one that your University supports.
That's certainly not the recommended practise that's ever normally given here. All RADIUS certificates should be based on private CA infrastructure where possible for the best security.
Also it should be at least 2048 bits and uses the SHA256 hash algorithm, SHA1 should be phased out.
This is better advice.
For example, we use JISC service which uses Quo Vadis CA. Do not use self-signed or internal CA certificates.
No. Use an internal CA with installers (such as eduroam CAT) to push the config and root CA to the devices. You might find a public CA the right balance between convenience and security for yourselves, and many people do, but it's not the correct advice for a secure network. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>