Thanks for the replies! We've had EAP functioning well for the past 7-8 years and when the cert comes up to renew, I've been asked why do we need to keep trusting the certificate, so I am trying to find answers.
Do not use public CA certs for WiFi authentication. It's insecure.
So you are suggesting we should be using self signed certs instead of a public CA?
And no, the Apple devices do NOT already trust the Thawte cert for WiFi authentication. They trust the Thawte cert for web surfing, which is entirely different.
This is what I do not understand. The root certificate is the same for both and is sent as part of the EAP process along with the server certificate. I know this sounds like a stupid question but how are these both different?
You need to have a mobileconfig which tells each device what the SSID is, what EAP method to use, and what CA to use.
Are you referring to configuration profiles that are setup on the clients?
Yes. You need to configure each device as I said above.
I understand this as when I receive the new certificate, I send it along to service desk who setup profiles on staff/faculty machines that use WiFi. I think they also may use MDM to send the profiles to mobiles, but only some staff/faculty devices.
In order to get EAP working, follow the guide at:
http://deployingradius.com/documents/configuration/eap.html
It WILL work.
And yes, it involves creating your own certificates, and also installing the certificates on the clients.
It sounds like we should provide a solution to allow clients to install the certificates. Cheers, - Trevor