Best Practices for EAP-TLS with RADIUSaaS and Aruba IAPs

Asked By TechWizard88

I'm currently setting up a proof of concept (POC) for EAP-TLS Enterprise authentication using RADIUSaaS in conjunction with Aruba Instant Access Points (IAPs) and device certificates from SCEPman. We plan to deploy several Android devices and Windows laptops, and I've heard that using a 4096-bit key size on Android could lead to increased battery drain. Has anyone encountered this?

I'm examining a few configuration options and would love some input:
- **Certificate validity period:** 6 months
- **Renewal threshold:** 2 months
- **RadSec vs RADIUS (UDP):** Do you always opt for RadSec, or have there been reasons to choose standard RADIUS?
- **VLAN assignment:** Do you incorporate the VLAN ID into the certificate subject, or do you use a different approach for mapping certificates to VLANs?
- **Default VLAN:** Is setting one worth it, considering clients without valid certificates won't connect?
- **AP certificate lifetime (SCEPman-issued):** What validity period do you recommend?
- **Reauthentication interval:** Currently at 1 hour
- **Accounting interval:** Set to 15 minutes — is this a reasonable timeframe?

I'm eager to hear any advice or lessons learned from your experiences!

1 Answer

Answered By NetworkingNerd42

For the 4096-bit key, I suggest testing with your oldest Android device to see if the battery impact is a dealbreaker. Personally, I always go with RadSec because it's more secure. As for VLAN assignments, I'd recommend mapping them via RADIUS attributes rather than including the VLAN ID in the cert subject. Also, one hour for reauthentication is a bit much; I'd say four hours is usually sufficient unless your compliance needs specify otherwise.
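
The VLAN-via-RADIUS-attributes approach from the answer above, as an added example that is not part of the original thread and not SCEPman's, RADIUSaaS's or Aruba's own code. It builds and parses the three RFC 2868 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a NAS consumes from an Access-Accept for dynamic VLAN assignment, and shows the server-side lookup that replaces putting a VLAN ID in the certificate subject. The `SUBJECT_POLICY` table, the `OU=` values and the sample subject DN are constructed for illustration; the parser also handles the tag-octet rule and groups attributes by tag so a mismatched triple is not silently accepted.

```python
"""Dynamic VLAN assignment via RADIUS Tunnel-* attributes (RFC 2868).

Added example, not code from the original thread. The subject-to-VLAN policy
table and the sample certificate subject are constructed for illustration.
"""
import struct

# Attribute numbers and enumerated values from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE 802

# Hypothetical server-side policy: the certificate only identifies the device
# class; the RADIUS server decides the VLAN, so moving a device to another VLAN
# never requires reissuing its certificate.
SUBJECT_POLICY = {"OU=Laptops": 100, "OU=Android": 200}


def tagged_int_avp(attr_type, value, tag=0):
    """Type, Length=6, Tag, 3-octet integer (RFC 2868 sections 3.1 and 3.2)."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string_avp(attr_type, text, tag=0):
    """Type, Length, Tag, string (RFC 2868 section 3.6)."""
    data = text.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def vlan_avps(vlan_id, tag=0):
    """The three attributes a NAS expects in an Access-Accept to place the client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (tagged_int_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def vlan_for_subject(subject, policy=SUBJECT_POLICY):
    """Map a certificate subject DN (string form) to a VLAN through the policy table."""
    for rdn in subject.split(","):
        vid = policy.get(rdn.strip())
        if vid is not None:
            return vid
    return None


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def extract_vlan(data):
    """Return the VLAN id carried by a consistent Tunnel-* triple, else None.

    Attributes are grouped by tag so a Tunnel-Private-Group-ID from one tag
    group is never combined with a Tunnel-Type/Medium-Type from another.
    """
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; anything larger is string data.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for _tag, grp in sorted(groups.items()):
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and grp.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            vid = int(grp[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None


if __name__ == "__main__":
    subject = "CN=device0001,OU=Android,O=Example Corp"   # constructed sample
    avps = vlan_avps(vlan_for_subject(subject))
    print(avps.hex(), "->", extract_vlan(avps))
```

The decisive point is where the mapping lives: the certificate carries a stable identity (here an OU), and the policy table on the RADIUS side decides the VLAN, so changing a device's VLAN is a server-side edit rather than a reissue and re-enrolment. The NAS still has to be configured to honour RADIUS-derived VLANs; check that on the IAP side before relying on this.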

CuriousAdmin01 -

I'm exploring different methods too, but I'm leaning towards including the VLAN ID in the certificate subject as suggested in the VLAN assignment documentation. We'll test the 4096-bit key size impact during our trials.
