Replacing RADIUS certficate - best practices

So the time has come to replace our RADIUS cert's CA (it's 10 years old in September next year) and I'm pondering the best way to do it. As far as I can tell NAC can only have one RADIUS cert loaded at any one time, so I'll have to do a flag day.

Most of our devices are managed (SCCM for Windows, Jamf Pro for Macs) so pushing out a new wireless config profile is straightforward, but I'm wondering how to manage the switchover. One of the SSIDs I am thinking of changing the name, but the other should remain the same. So there's a bit of a chicken and egg situation in terms of pushing out a new profile with the new certificate that will then break connectivity, but giving enough time for it to reach most of the devices.

One thing is that the certificate on the NACs (I use the same one on both appliances due to iPads) is good until January 2024, will devices trust that certificate until then even if the CA that signed it has expired?

0 replies

Be the first to reply!