1 / 10

Using InCommon Client Certs for eduroam

This presentation by Jeff Hagley and Ryan Martin discusses the implementation of InCommon client certificates for eduroam at the Internet2 Fall Member Meeting. They share their reasons for choosing InCommon Certs, including cost, infrastructure benefits, and future plans. Key topics include RADIUS setup, FreeRADIUS, CRL checking, and documentation policies. They also address challenges faced, such as issues with specific OS versions, and how these have influenced their approach. The session aims to provide valuable insights for the R&E community looking to improve their certificate authentication strategies.

deana
Télécharger la présentation

Using InCommon Client Certs for eduroam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3rd, 2011 Internet2 Fall Member Meeting

  2. Why we Chose to use InCommon Certs • Provide implementation details and lessons learned for the R&E community • Cost • Infrastructure • Future Plans

  3. RADIUS Setup • FreeRADIUS • CRL Checking • BASH script to update this • Common CA Cert Chain across InCommon • All InCommon Members have same signing Intermediate Cert • Only allowing Internet2 authentication • Proxy controls this • Cert Fragmentation Size

  4. Cert Deployment Hierarchy

  5. Client Setup • Used “+” sign in email address to issue multiple certs • Comodo added this after a bug report from us • Using “+” sign to get one user in more than one department • A hack we are hoping goes away in the future • Keeps email client from automatically using the cert for signing and encryption

  6. OSs deployed on • iOS 4.3.5 doesn’t work, previous versions do • Mac OS 10.6 and 10.7 works • Windows 7 works (limited experience, we are Mac people)

  7. Documentation and Policies • Master Key Escrow Policy • Certificate Revocation Policy • FreeRADIUS setup information • Installation on Clients • Email Ryan for copies of any of them to use as a template

  8. Issues • iOS 4.3.5 issue • We would love to have others test this and report it to Apple • Bug ID 10080052 • OSCP and FreeRADIUS vulnerability • CVE-2011-2701 • Users can only be assigned to one department (Comodo is aware of this issue)

  9. Future Plans • OSCP implementation, after vulnerability is fixed

  10. Contact Info • Jeff Hagley – hagleyj@internet2.edu • Ryan Martin – rmartin@internet2.edu

More Related