EAP-TLS: Strategies for getting the right certificate to the right user

Chevalier Violet chevalier.violet at gmail.com
Wed Sep 13 17:12:00 CEST 2017


PS Alan (Buxley), it seems that Apple no longer supports the Apple
Configurator for Windows. ($#!π)

On Tue, Sep 12, 2017 at 1:00 AM, Chevalier Violet <
chevalier.violet at gmail.com> wrote:

> Update: I got my iPhone working. I think the problem was that I needed to
> import the client.p12 cert (helpfully mentioned not very often of course).
> Anyway, it's working!
>
> As for how to make THAT relatively automatic... wow, I may need the
> website Alan proposed.
>
> Best,
> David
>
> On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet <
> chevalier.violet at gmail.com> wrote:
>
>> Hi all,
>>
>> Thanks for all the thoughts. It's much appreciated to know that maybe
>> it's not just n00bness that is causing me to struggle with this!
>>
>> I ended up making a pw protected page on my website (sigh)--but the
>> limits of that solution without internet access are pretty obvious I'd say!
>>
>> And never mind that using TTLS-PAP with passwords saved as SSHA-512
>> doesn't work on the iPhone... !!! That's kinda insane if you ask me. But
>> obviously Apple didn't!
>>
>> Getting certs on the iPhone has been a real hassle--it'd be easier with
>> Mac or Windows machines around because I could use iTunes, but anyway, it
>> has been done through the website option!
>>
>> Now, I can't get EAP-TLS to work on my iPhone because I can't choose
>> "mode" EAP-TLS. Instead, it continually asks me for the username & pass,
>> which is precisely what I'm trying to avoid! I think there may be some way
>> to signal that my wifi prefers TLS mode that I don't know about.
>>
>> If you have help on that point, that'd be great, and sigh&thanks!
>>
>> CV
>>
>> PS Indeed my router is not exactly hotspot 2.0 or captive portal
>> compliant!
>>
>> On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet <
>> chevalier.violet at gmail.com> wrote:
>>
>>> I've been googling around and kind of surprised to not be seeing a ton
>>> of resources about this. Maybe you all can help!
>>>
>>> EAP-TLS: Strategies for getting the right certificate to the right user.
>>> It needs to be relatively automated. I do have users coming by with BYOD
>>> devices, e.g. iPhones (omg they're super finicky about the freeradius setup
>>> but that's another story!), frequently when I'm not around to set them up.
>>>
>>> Users are starting with no internet access.
>>>
>>> I was thinking maybe of the following:
>>>
>>> 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
>>> for guests that would change every so often. Maybe let them use the
>>> internet either i) for a few minutes at a time or ii) only to access a page
>>> on the internal network from which they could download the guest
>>> certificate that would allow them to connect via EAP-TLS? 3) the certs
>>> would expire after a few days.
>>>
>>> I have been struggling to get even my own iPhone to have the proper
>>> cert! On the bright side, my two linux machines are now working with
>>> EAP-TLS so there's hope for me! I wish I could just put the certs on a USB
>>> key but that doesn't work for phones. And it's a bunch of Linux machines,
>>> no Windows or Macs around. Excuse me if this is a n00b question.
>>>
>>> Thanks everyone!
>>>
>>> PS At this link:
>>>
>>> https://github.com/FreeRADIUS/freeradius-server/issues/2045#issuecomment-324641610
>>>
>>> Arr2036 mentions that the hot spot 2.0 standards set out how this could
>>> work, with auto-renewing certs and the whole 9 yards. I wasn't able to find
>>> how to make that work for linux, for instance with freeradius. Thanks!
>>>


-- 
"Do not speak, unless it improves on silence."  -- Buddha

