EAP-TLS: Strategies for getting the right certificate to the right user

Tue Sep 12 08:55:48 CEST 2017

Getting certs onto the iPhone is fairly easy if you just use a
.mobileconfig profile deployment file , as can be created with the apple
tools, manually or with commercial tools :)

alan

On 12 Sep 2017 5:31 am, "Chevalier Violet" <chevalier.violet at gmail.com>
wrote:

> Hi all,
>
> Thanks for all the thoughts. It's much appreciated to know that maybe it's
> not just n00bness that is causing me to struggle with this!
>
> I ended up making a pw protected page on my website (sigh)--but the limits
> of that solution without internet access are pretty obvious I'd say!
>
> And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't
> work on the iphone... !!! That's kinda insane if you ask me. But obviously
> apple didn't!
>
> Getting certs on the iPhone has been a real hassle--it'd be easier with mac
> or windows machines around because I could use iTunes, but anyway, it has
> been done through the website option!
>
> Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode"
> EAP-TLS. Instead, it continually asks me for the username & pass, which is
> precisely what I'm trying to avoid! I think there may be someway to signal
> that my wifi prefers TLS mode that I don't know about.
>
> If you have help on that point, that'd be great, and sigh&thanks!
>
> CV
>
> PS Indeed my routher is not exactly hotspot 2.0 or captive portal
> compliant!
>
> On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet <
> chevalier.violet at gmail.com> wrote:
>
> > I've been googling around and kind of surprised to not be seeing a ton of
> > resources about this. Maybe you all can help!
> >
> > EAP-TLS: Strategies for getting the right certificate to the right user.
> > It needs to be relatively automated. I do have users coming by with BYOD
> > devices, e.g. iPhones (omg they're super finicky about the freeradius
> setup
> > but that's another story!), frequently when I'm not around to set them
> up.
> >
> > Users are starting with no internet access.
> >
> > I was thinking maybe of the following:
> >
> > 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
> > for guests that would change every so often. Maybe let them use the
> > internet either i) for a few minutes at a time or ii) only to access a
> page
> > on the internal network from which they could download the guest
> > certificate that would allow them to connect via EAP-TLS? 3) the certs
> > would expire after a few days.
> >
> > I have been struggling to get even my own iPhone to have the proper cert!
> > On the bright side, my two linux machines are now working with EAP-TLS so
> > there's hope for me! I wish I could just put the certs on a USB key but
> > that doesn't work for phones. And it's a bunch of Linux machines, no
> > Windows or Macs around. Excuse me if this is a n00b question.
> >
> > Thanks everyone!
> >
> > PS At this link:
> >
> > https://github.com/FreeRADIUS/freeradius-server/issues/2045#
> > issuecomment-324641610
> >
> > Arr2036 mentions that the hot spot 2.0 standards set out how this could
> > work, with auto-renewing certs and the whole 9 yards. I wasn't able to
> find
> > how to make that work for linux, for instance with freeradius. Thanks!
> >
>
>
>
> --
> "Do not speak, unless it improves on silence."  -- Buddha
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html