1 / 10

Utilizing InCommon Certificates for eduroam: Insights and Implementation Strategies

Jeff Hagley and Ryan Martin discuss the use of InCommon certificates for eduroam at the Internet2 Fall Member Meeting. They share implementation details, lessons learned, and future plans for the R&E community, focusing on cost, infrastructure, and RADIUS setup using FreeRADIUS. The presentation addresses issues such as certificate fragmentation, revocation policies, and client setup challenges with various operating systems. They encourage collaboration and feedback from peers to improve the system, and provide contact information for further inquiries.

sela
Download Presentation

Utilizing InCommon Certificates for eduroam: Insights and Implementation Strategies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3rd, 2011 Internet2 Fall Member Meeting

  2. Why we Chose to use InCommon Certs • Provide implementation details and lessons learned for the R&E community • Cost • Infrastructure • Future Plans

  3. RADIUS Setup • FreeRADIUS • CRL Checking • BASH script to update this • Common CA Cert Chain across InCommon • All InCommon Members have same signing Intermediate Cert • Only allowing Internet2 authentication • Proxy controls this • Cert Fragmentation Size

  4. Cert Deployment Hierarchy

  5. Client Setup • Used “+” sign in email address to issue multiple certs • Comodo added this after a bug report from us • Using “+” sign to get one user in more than one department • A hack we are hoping goes away in the future • Keeps email client from automatically using the cert for signing and encryption

  6. Documentation and Policies • Master Key Escrow Policy • Certificate Revocation Policy • FreeRADIUS setup information • Installation on Clients • Email Ryan for copies of any of them to use as a template

  7. OSs deployed on • iOS 4.3.5 doesn’t work, previous versions do • Mac OS 10.6 and 10.7 works • Windows 7 works (limited experience, we are Mac people)

  8. Issues • iOS 4.3.5 issue • We would love to have others test this and report it to Apple • Bug ID 10080052 • OSCP and FreeRADIUS vulnerability • CVE-2011-2701 • Users can only be assigned to one department (Comodo is aware of this issue)

  9. Future Plans • OSCP implementation, after vulnerability is fixed

  10. Contact Info • Jeff Hagley – hagleyj@internet2.edu • Ryan Martin – rmartin@internet2.edu

More Related