Freeradius-Users Digest, Vol 149, Issue 47

Chevalier Violet chevalier.violet at gmail.com
Wed Sep 13 15:40:57 CEST 2017


Hi Alan (Buxley),

Googling a bit and not having a mac or windows machine, it is looking very
tricky to set this up "manually". I have been able to download mobile
config files in hex form from other universities, but it looks like it'd be
a lot easier to generate this automatically. So unless you have a genius
solution, I will likely borrow someone's Windows machine (the shame) and
generate a profile! I guess that won't be so bad, but if you know of other
resources that are easier, I'm all ears! And either way, thanks so much to
you and every for the thoughts!

On Tue, Sep 12, 2017 at 6:00 AM, <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. Re: EAP-TLS: Strategies for getting the right certificate to
>       the right user (Chevalier Violet)
>    2. Re: EAP-TLS: Strategies for getting the right certificate to
>       the right user (Alan Buxey)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 12 Sep 2017 01:00:03 -0400
> From: Chevalier Violet <chevalier.violet at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: EAP-TLS: Strategies for getting the right certificate to
>         the right user
> Message-ID:
>         <CANv8M1sMeczbPX9vicXi=dKUN=NDyEviQUc_t+VDxqeN+a3kkQ at mail.
> gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Update: I got my iPhone working. I think the problem was that I needed to
> import the client.p12 cert (helpfully mentioned not very often of course).
> Anyway, it's working!
>
> As for how to make THAT relatively automatic... wow, I may need the website
> Alan proposed.
>
> Best,
> David
>
> On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet <
> chevalier.violet at gmail.com> wrote:
>
> > Hi all,
> >
> > Thanks for all the thoughts. It's much appreciated to know that maybe
> it's
> > not just n00bness that is causing me to struggle with this!
> >
> > I ended up making a pw protected page on my website (sigh)--but the
> limits
> > of that solution without internet access are pretty obvious I'd say!
> >
> > And never mind that using TTLS-PAP with passwords saved as SSHA-512
> > doesn't work on the iphone... !!! That's kinda insane if you ask me. But
> > obviously apple didn't!
> >
> > Getting certs on the iPhone has been a real hassle--it'd be easier with
> > mac or windows machines around because I could use iTunes, but anyway, it
> > has been done through the website option!
> >
> > Now, I can't get EAP-TLS to work on my iPhone because I can't choose
> > "mode" EAP-TLS. Instead, it continually asks me for the username & pass,
> > which is precisely what I'm trying to avoid! I think there may be someway
> > to signal that my wifi prefers TLS mode that I don't know about.
> >
> > If you have help on that point, that'd be great, and sigh&thanks!
> >
> > CV
> >
> > PS Indeed my routher is not exactly hotspot 2.0 or captive portal
> > compliant!
> >
> > On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet <
> > chevalier.violet at gmail.com> wrote:
> >
> >> I've been googling around and kind of surprised to not be seeing a ton
> of
> >> resources about this. Maybe you all can help!
> >>
> >> EAP-TLS: Strategies for getting the right certificate to the right user.
> >> It needs to be relatively automated. I do have users coming by with BYOD
> >> devices, e.g. iPhones (omg they're super finicky about the freeradius
> setup
> >> but that's another story!), frequently when I'm not around to set them
> up.
> >>
> >> Users are starting with no internet access.
> >>
> >> I was thinking maybe of the following:
> >>
> >> 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
> >> for guests that would change every so often. Maybe let them use the
> >> internet either i) for a few minutes at a time or ii) only to access a
> page
> >> on the internal network from which they could download the guest
> >> certificate that would allow them to connect via EAP-TLS? 3) the certs
> >> would expire after a few days.
> >>
> >> I have been struggling to get even my own iPhone to have the proper
> cert!
> >> On the bright side, my two linux machines are now working with EAP-TLS
> so
> >> there's hope for me! I wish I could just put the certs on a USB key but
> >> that doesn't work for phones. And it's a bunch of Linux machines, no
> >> Windows or Macs around. Excuse me if this is a n00b question.
> >>
> >> Thanks everyone!
> >>
> >> PS At this link:
> >>
> >> https://github.com/FreeRADIUS/freeradius-server/issues/2045#
> >> issuecomment-324641610
> >>
> >> Arr2036 mentions that the hot spot 2.0 standards set out how this could
> >> work, with auto-renewing certs and the whole 9 yards. I wasn't able to
> find
> >> how to make that work for linux, for instance with freeradius. Thanks!
> >>
> >
> >
> >
> > --
> > "Do not speak, unless it improves on silence."  -- Buddha
> >
> >
>
>
> --
> "Do not speak, unless it improves on silence."  -- Buddha
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 12 Sep 2017 07:55:48 +0100
> From: Alan Buxey <alan.buxey at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: EAP-TLS: Strategies for getting the right certificate to
>         the right user
> Message-ID:
>         <CAOVYXj8MnXE1eG9hA8zB+QBKCf8J-109Tun8Hc8waB9=XEJgrg@
> mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Getting certs onto the iPhone is fairly easy if you just use a
> .mobileconfig profile deployment file , as can be created with the apple
> tools, manually or with commercial tools :)
>
> alan
>
> On 12 Sep 2017 5:31 am, "Chevalier Violet" <chevalier.violet at gmail.com>
> wrote:
>
> > Hi all,
> >
> > Thanks for all the thoughts. It's much appreciated to know that maybe
> it's
> > not just n00bness that is causing me to struggle with this!
> >
> > I ended up making a pw protected page on my website (sigh)--but the
> limits
> > of that solution without internet access are pretty obvious I'd say!
> >
> > And never mind that using TTLS-PAP with passwords saved as SSHA-512
> doesn't
> > work on the iphone... !!! That's kinda insane if you ask me. But
> obviously
> > apple didn't!
> >
> > Getting certs on the iPhone has been a real hassle--it'd be easier with
> mac
> > or windows machines around because I could use iTunes, but anyway, it has
> > been done through the website option!
> >
> > Now, I can't get EAP-TLS to work on my iPhone because I can't choose
> "mode"
> > EAP-TLS. Instead, it continually asks me for the username & pass, which
> is
> > precisely what I'm trying to avoid! I think there may be someway to
> signal
> > that my wifi prefers TLS mode that I don't know about.
> >
> > If you have help on that point, that'd be great, and sigh&thanks!
> >
> > CV
> >
> > PS Indeed my routher is not exactly hotspot 2.0 or captive portal
> > compliant!
> >
> > On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet <
> > chevalier.violet at gmail.com> wrote:
> >
> > > I've been googling around and kind of surprised to not be seeing a ton
> of
> > > resources about this. Maybe you all can help!
> > >
> > > EAP-TLS: Strategies for getting the right certificate to the right
> user.
> > > It needs to be relatively automated. I do have users coming by with
> BYOD
> > > devices, e.g. iPhones (omg they're super finicky about the freeradius
> > setup
> > > but that's another story!), frequently when I'm not around to set them
> > up.
> > >
> > > Users are starting with no internet access.
> > >
> > > I was thinking maybe of the following:
> > >
> > > 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
> > > for guests that would change every so often. Maybe let them use the
> > > internet either i) for a few minutes at a time or ii) only to access a
> > page
> > > on the internal network from which they could download the guest
> > > certificate that would allow them to connect via EAP-TLS? 3) the certs
> > > would expire after a few days.
> > >
> > > I have been struggling to get even my own iPhone to have the proper
> cert!
> > > On the bright side, my two linux machines are now working with EAP-TLS
> so
> > > there's hope for me! I wish I could just put the certs on a USB key but
> > > that doesn't work for phones. And it's a bunch of Linux machines, no
> > > Windows or Macs around. Excuse me if this is a n00b question.
> > >
> > > Thanks everyone!
> > >
> > > PS At this link:
> > >
> > > https://github.com/FreeRADIUS/freeradius-server/issues/2045#
> > > issuecomment-324641610
> > >
> > > Arr2036 mentions that the hot spot 2.0 standards set out how this could
> > > work, with auto-renewing certs and the whole 9 yards. I wasn't able to
> > find
> > > how to make that work for linux, for instance with freeradius. Thanks!
> > >
> >
> >
> >
> > --
> > "Do not speak, unless it improves on silence."  -- Buddha
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 149, Issue 47
> *************************************************
>



-- 
"Do not speak, unless it improves on silence."  -- Buddha


More information about the Freeradius-Users mailing list