EAP Authentication cert “communications certificate”

bwongtho
Cisco Employee

We currently use 2 different certs: one for the EAP Authentication portion and one for the portals and admin access. The portals/admin is our wildcard cert and the EAP Authentication cert is a “communications certificate”. We used this when we were part of the 1.2 EFT. Since then, we’ve pretty much just focused on not changing anything because it was working.


Now, we’re just curious if we need to keep this the way it is.  Our cert expires May 2019, so we’re trying to get ahead of the game so if we can change certs, let’s go ahead and do it.

I hope that makes sense and doesn’t come off as the ramblings of a decaffeinated lunatic.

Michael Yelverton

UNCW BA – ITS – Netcom

Network Analyst


dmh
Level 5

In nearly all deployments I use the EAP certificate for EAP and admin access, as it is also used for the distributed deployment communications. By using a public CA signed certificate for admin access, each time it is renewed you will need to reinstall the certificate, which causes a restart of the application on each node (i.e. an outage). Public CA signed certificates normally have a shorter validity than an internal enterprise CA signed certificate (which you can make very long when you deploy the enterprise CA), so this outage is likely to be required more regularly than when using an enterprise CA certificate for admin.

Also, the enterprise computers will trust the enterprise CA certificate for admin as well as EAP, so it will not produce a certificate warning.

If the admin certificate lifetime and renewal outage is not an issue for you then you could continue as you are now.
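As an added illustration of the trade-off dmh describes (this is example code, not from the thread, from Cisco ISE or from the poster's deployment): a Go program that constructs a hypothetical enterprise CA and a hypothetical public CA, issues a five-year EAP/admin certificate from the first and a one-year wildcard certificate from the second, and then reports days to expiry, how many renewals (each one a reinstall and node restart on ISE) each would need over a five-year planning horizon, and whether a client that trusts only the enterprise root accepts each certificate without a warning. The hostnames, CA names, the fixed "today" and the validity periods are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Base is a fixed "today" (constructed) so the numbers below are reproducible.
var Base = time.Date(2019, time.January, 15, 0, 0, 0, 0, time.UTC)

// Hypothetical names; nothing here comes from a real deployment.
const (
	iseHost      = "ise01.corp.example"
	enterpriseCA = "Corp Enterprise CA (hypothetical)"
	publicCA     = "Some Public CA (hypothetical)"
	year         = 365 * 24 * time.Hour
)

// newCert builds a constructed certificate valid from Base-1h to Base+validFor.
// With parent == nil it is self-signed (a root); otherwise it is issued by parent.
func newCert(cn string, isCA bool, validFor time.Duration, dns []string,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             Base.Add(-time.Hour),
		NotAfter:              Base.Add(validFor),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DaysUntilExpiry returns whole days left before NotAfter as seen at now (truncated; negative once expired).
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now) / (24 * time.Hour))
}

// RenewalsNeeded counts how many times a certificate with the given validity must be
// reissued and reinstalled (each a node restart) to stay valid across horizon,
// assuming a fresh certificate is installed at the start. Integer arithmetic avoids
// float rounding on nanosecond-scale durations.
func RenewalsNeeded(validity, horizon time.Duration) int {
	if validity <= 0 {
		return 0
	}
	n := int((horizon+validity-1)/validity) - 1
	if n < 0 {
		n = 0
	}
	return n
}

// TrustedFor reports whether a client trusting only roots accepts c for host at now
// (chain validation plus name matching), i.e. whether it would see no warning.
func TrustedFor(c *x509.Certificate, roots *x509.CertPool, host string, now time.Time) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err == nil
}

type Report struct {
	Name                string
	DaysLeft            int
	RenewalsOver5Years  int
	TrustedByEnterprise bool // client store holding only the enterprise root
	TrustedByBothRoots  bool // client store holding the enterprise root and the public root
}

// BuildReports compares the two constructed certificates over a five-year horizon.
func BuildReports() []Report {
	entRoot, entKey := newCert(enterpriseCA, true, 20*year, nil, nil, nil)
	pubRoot, pubKey := newCert(publicCA, true, 20*year, nil, nil, nil)
	eapValidity, wildValidity := 5*year, 1*year // enterprise CA lifetime is yours to pick; public CAs are short
	eapCert, _ := newCert(iseHost, false, eapValidity, []string{iseHost}, entRoot, entKey)
	wildCert, _ := newCert("*.corp.example", false, wildValidity, []string{"*.corp.example"}, pubRoot, pubKey)

	entOnly, both := x509.NewCertPool(), x509.NewCertPool()
	entOnly.AddCert(entRoot)
	both.AddCert(entRoot)
	both.AddCert(pubRoot)

	mk := func(name string, c *x509.Certificate, validity time.Duration) Report {
		return Report{name, DaysUntilExpiry(c, Base), RenewalsNeeded(validity, 5*year),
			TrustedFor(c, entOnly, iseHost, Base), TrustedFor(c, both, iseHost, Base)}
	}
	return []Report{mk("EAP/admin cert (enterprise CA)", eapCert, eapValidity),
		mk("wildcard cert (public CA)", wildCert, wildValidity)}
}

func main() {
	for _, r := range BuildReports() {
		fmt.Printf("%-32s days left %4d | renewals in 5y %d | trusted by enterprise root only %t | by both roots %t\n",
			r.Name, r.DaysLeft, r.RenewalsOver5Years, r.TrustedByEnterprise, r.TrustedByBothRoots)
	}
}
```

Run it with `go run .`; the one-year public-CA certificate shows four renewals (four restarts) over five years against zero for the five-year enterprise-CA certificate, and only the enterprise-issued certificate validates for a client whose trust store holds just the enterprise root. Feeding your real PEM files through `x509.ParseCertificate` in place of the constructed ones gives the same expiry and trust checks for an actual renewal plan.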

