EAP-TLS: Strategies for getting the right certificate to the right user

Alan Buxey alan.buxey at gmail.com
Wed Sep 13 19:14:42 CEST 2017


Yep. Why would they when you can run it on a Mac instead? ;)

You can actually construct the files yourself. Once you've seen the output,
the format is self-evident.

alan

On 13 Sep 2017 4:12 pm, "Chevalier Violet" <chevalier.violet at gmail.com>
wrote:

> PS Alan (Buxey), it seems that Apple no longer supports the Apple
> Configurator for Windows. ($#!π)
>
> On Tue, Sep 12, 2017 at 1:00 AM, Chevalier Violet <
> chevalier.violet at gmail.com> wrote:
>
> > Update: I got my iPhone working. I think the problem was that I needed to
> > import the client.p12 cert (helpfully mentioned not very often, of
> > course). Anyway, it's working!
> >
> > As for how to make THAT relatively automatic... wow, I may need the
> > website Alan proposed.
> >
> > Best,
> > David
> >
> > On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet <
> > chevalier.violet at gmail.com> wrote:
> >
> >> Hi all,
> >>
> >> Thanks for all the thoughts. It's much appreciated to know that maybe
> >> it's not just n00bness that is causing me to struggle with this!
> >>
> >> I ended up making a pw protected page on my website (sigh)--but the
> >> limits of that solution without internet access are pretty obvious, I'd
> >> say!
> >>
> >> And never mind that using TTLS-PAP with passwords saved as SSHA-512
> >> doesn't work on the iPhone... !!! That's kinda insane if you ask me. But
> >> obviously Apple didn't!
> >>
> >> Getting certs on the iPhone has been a real hassle--it'd be easier with
> >> Mac or Windows machines around because I could use iTunes, but anyway, it
> >> has been done through the website option!
> >>
> >> Now, I can't get EAP-TLS to work on my iPhone because I can't choose
> >> "mode" EAP-TLS. Instead, it continually asks me for the username & pass,
> >> which is precisely what I'm trying to avoid! I think there may be some way
> >> to signal that my wifi prefers TLS mode that I don't know about.
> >>
> >> If you have help on that point, that'd be great, and sigh&thanks!
> >>
> >> CV
> >>
> >> PS Indeed my router is not exactly hotspot 2.0 or captive portal
> >> compliant!
> >>
> >> On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet <
> >> chevalier.violet at gmail.com> wrote:
> >>
> >>> I've been googling around and kind of surprised to not be seeing a ton
> >>> of resources about this. Maybe you all can help!
> >>>
> >>> EAP-TLS: Strategies for getting the right certificate to the right user.
> >>> It needs to be relatively automated. I do have users coming by with BYOD
> >>> devices, e.g. iPhones (omg they're super finicky about the freeradius setup
> >>> but that's another story!), frequently when I'm not around to set them up.
> >>>
> >>> Users are starting with no internet access.
> >>>
> >>> I was thinking maybe of the following:
> >>>
> >>> 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
> >>> for guests that would change every so often. Maybe let them use the
> >>> internet either i) for a few minutes at a time or ii) only to access a page
> >>> on the internal network from which they could download the guest
> >>> certificate that would allow them to connect via EAP-TLS? 3) the certs
> >>> would expire after a few days.
> >>>
> >>> I have been struggling to get even my own iPhone to have the proper
> >>> cert! On the bright side, my two Linux machines are now working with
> >>> EAP-TLS so there's hope for me! I wish I could just put the certs on a USB
> >>> key but that doesn't work for phones. And it's a bunch of Linux machines,
> >>> no Windows or Macs around. Excuse me if this is a n00b question.
> >>>
> >>> Thanks everyone!
> >>>
> >>> PS At this link:
> >>>
> >>> https://github.com/FreeRADIUS/freeradius-server/issues/2045#issuecomment-324641610
> >>>
> >>> Arr2036 mentions that the hot spot 2.0 standards set out how this could
> >>> work, with auto-renewing certs and the whole 9 yards. I wasn't able to find
> >>> how to make that work for Linux, for instance with freeradius. Thanks!
> >>>
> >>
> >>
> >>
> >> --
> >> "Do not speak, unless it improves on silence."  -- Buddha
> >>
> >>
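Alan's point that the Apple Configurator output can be hand-built, and David's problem of the iPhone never offering an EAP-TLS "mode", both come down to the same `.mobileconfig` file: a Wi-Fi payload that restricts AcceptEAPTypes to 13 (EAP-TLS) and references a PKCS#12 identity payload. The generator below is an added example written for this page, not code from the thread or from FreeRADIUS; it uses Apple's documented Configuration Profile Reference keys, while the `org.example.eaptls` identifiers, the SSID and the certificate bytes are placeholders. Pinning `TLSTrustedServerNames` and the CA anchor is what makes the client refuse to speak to a RADIUS server that is not yours.

```python
import plistlib
import uuid

EAP_TLS = 13  # IANA EAP method type for EAP-TLS (Apple's AcceptEAPTypes value)
PREFIX = "org.example.eaptls"  # hypothetical reverse-DNS PayloadIdentifier prefix


def _payload(ptype, name, display, **extra):
    """Header keys every payload dictionary in a .mobileconfig must carry."""
    p = {"PayloadType": ptype, "PayloadIdentifier": f"{PREFIX}.{name}",
         "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
         "PayloadDisplayName": display}
    p.update(extra)
    return p


def build_eap_tls_profile(ssid, ca_der, p12_bytes, p12_password, radius_names):
    """Return XML plist bytes for a profile that installs the CA, the user's
    PKCS#12 identity, and a Wi-Fi payload that forces EAP-TLS (no password UI).
    The profile is unsigned; iOS shows it as "Not Verified" until signed."""
    ca = _payload("com.apple.security.root", "ca", "RADIUS CA",
                  PayloadContent=ca_der)                  # DER-encoded CA cert
    identity = _payload("com.apple.security.pkcs12", "identity", "User identity",
                        PayloadContent=p12_bytes,         # client.p12 contents
                        Password=p12_password)            # password protecting the p12
    wifi = _payload("com.apple.wifi.managed", "wifi", f"Wi-Fi {ssid}",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2",
                    PayloadCertificateUUID=identity["PayloadUUID"],  # which identity to present
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],      # only EAP-TLS: no username/password prompt
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                        "TLSTrustedServerNames": list(radius_names),  # expected server cert CN/SAN
                        "TLSAllowTrustExceptions": False,  # user may not click through a bad server
                    })
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": PREFIX, "PayloadUUID": str(uuid.uuid4()),
               "PayloadDisplayName": f"EAP-TLS for {ssid}",
               "PayloadRemovalDisallowed": False,
               "PayloadContent": [ca, identity, wifi]}
    return plistlib.dumps(profile)


def wifi_payload(profile_bytes):
    """Parse a profile back and return its com.apple.wifi.managed payload."""
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p["PayloadType"] == "com.apple.wifi.managed":
            return p
    raise ValueError("no Wi-Fi payload in profile")


if __name__ == "__main__":
    # Constructed placeholder bytes; in practice read ca.der and client.p12 from disk.
    data = build_eap_tls_profile("ExampleWiFi", b"\x30\x82CA", b"\x30\x82P12",
                                 "p12-export-password", ["radius.example.org"])
    print(data.decode())
```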

