On-boarding Tool Requirements
These are the things we will be looking for in deciding on a tool. Obviously, cost is also a consideration.
MUST have
Tools that do not meet these criteria will not be considered. These are the things that we would rather not deploy EAP-TLS than compromise on.
front end
- Platform support
- Windows 10
- Windows 11
- macOS
- iOS
- Android
- including Android 11, December 2020 patch
- manual install (Linux devices)
- Easier to use than:
- non-sponsored guest (taking into account re-registering every day)
- Current PEAP/MSCHAPv2 process (with unknown password)
- SSO integration
- remove and/or replace old profiles
back end
- Per device certs
- Certs issued to:
- User
- Organization
- Setup correct trust of server
- Set specific CA
- Set leaf CommonName / subjectAltName
- Stupidly long client cert lifetime (e.g., 50 years)
- No cloud PKI
- Ability to expand to external CA
SHOULD have
We would rather deploy without these than not deploy, but we aren't going to be happy about it.
front end
- Easier to use than:
- non-sponsored guest (not taking into account re-registering every day)
- Current PEAP/MSCHAPv2 process (with known password)
- vt.edu URL
back end
- Internal CA (with an intermediate root)
- ECC certs (P-256, or ed2519)
Low priority niceties
Extras that in particular will make future expansions of the service better.
- Passpoint support
- AD integration
- Multiple root CA support
- ed25519 support