I have an employee BYOD Wi-fi net that lands in a guest VLAN and uses PEAP with employee creds for authentication/authorization. I also use EAP-TLS and PEAP auth internally for wired/wifi nets.
Right now I have an internal CA-signed EAP cert installed on the PSNs that works for PEAP/EAP-TLS on the internal nets, but obviously its not trusted on the devices connecting to my employee BYOD. Users bypass the cert warning and they're good, but I'd like to eliminate that since it does cause tickets. To do this, I'd like to purchase a SAN cert from GoDaddy and import it on each PSN.
I know that it will work for the PEAP authentications, but for EAP-TLS, does the client *and* server certificate have to be signed by the same CA or do they just have to trust each other's chains? In this case there would be a two way trust, but the client is being presented a GoDaddy certificate chain while the PSN is being presented with an Internal PKI certificate chain during EAP-TLS negotiation.
No comments:
Post a Comment