EAP-TLS working but asking for cert

Chevalier Violet chevalier.violet at gmail.com
Tue Sep 26 17:23:05 CEST 2017


Okay, thanks Stefan!

I found this explanation for how to create the file (yay!). Any tips on how
to embed the files? It's giving instructions on how to sign, but not
entirely sure how to embed the other file.

http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

And my iPhone is still not recognizing either a signed or unsigned version
of that file. If you have further insights, that would be great! But I get
that essentially this is just poor implementation by Apple folks.

On Tue, Sep 26, 2017 at 5:39 AM, Stefan Winter <stefan.winter at restena.lu>
wrote:

> Hi,
>
> > Alan D: yes I know iOS supports EAP-TLS, I'm just saying that
> > https://802.1x-config.org seems to not support it, or at least according to
> > this screen (attached, but not sure that will come through) that I got to
> > when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I
> > can't make a .mobileconfig file using that suggested site, at least not for
> > EAP-TLS for iOS. But please do correct me if I'm wrong!
>
> Yes that's correct. For proper operation, the mobileconfig profile needs
> to embed the client (p12) cert along with all other Wi-Fi settings (such
> as the CA cert).
>
> Since 802.1x-config.org does not want your private information (such as
> the private key to the client cert), it's not possible to deliver a good
> profile.
>
> > Alan B: Are you referring to the Apple Configurator 2? Unfortunately, it
> > can only be downloaded with a mac. I guess that could be arranged but boy
> > if either of you have a better idea, that would be great!
> >
> > I added the ca.pem cert to my Linux connection--I hope that means that
> > rogue APs can't connect with me anymore!
>
> If done right, that's correct. Note that 802.1x-config.org does support
> EAP_TLS for Linux, and it pushes all the knobs so that the resulting
> config /is/ correct.
>
> Greetings,
>
> Stefan
>
> > Thanks--if y'all have insights, that would be great.
> >
> > On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> >
> >> Apple provide a tool to make mobileconfig profiles
> >>
> >> alan
> >>
> >> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet at gmail.com> wrote:
> >>
> >>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, with
> >>> just a basic EAP-TLS config, it says it's not compatible with iOS. Correct
> >>> me if I'm wrong?
> >>>
> >>> And thanks--to know that there's not many ways to make a mobileconfig is
> >>> good to know!
> >>>
> >>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland at deployingradius.com> wrote:
> >>>
> >>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet <chevalier.violet at gmail.com> wrote:
> >>>>>
> >>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess
> >>>>> that's all right.
> >>>>>
> >>>>> For the iPhone, are there any instructions for how to make the proper certs
> >>>>> via make client, etc. in the /etc/freeradius/certs directory? I thought the
> >>>>> .p12 certs were made for mobile devices like the iPhone. If you're telling
> >>>>> me to run some kind of mobileconfig command, I'm not sure what it is.
> >>>>
> >>>>   The point is you have to create a "mobileconfig" file for OSX.  That
> >>>> file contains information about the certificate, SSID, EAP method to use,
> >>>> etc.
> >>>>
> >>>>   Right now, there aren't really many tools to create such files.  See
> >>>> http://802.1x-config.org/ for one example.
> >>>>
> >>>>   Alan DeKok.
> >>>>
> >>>>
> >>>> -
> >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> "Do not speak, unless it improves on silence."  -- Buddha
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>



-- 
"Do not speak, unless it improves on silence."  -- Buddha
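
Added example, not part of the original thread or any poster's code: one way to embed the client .p12 and the CA certificate in a single Wi-Fi profile, as Stefan describes above. The payload types and key names follow Apple's configuration profile format; the SSID, RADIUS server name, organization prefix and certificate bytes are constructed placeholders, and the CA bytes are assumed to be DER.

```python
import plistlib
import uuid

def build_eap_tls_profile(ssid, ca_cert, p12_bytes, server_names, org="org.example"):
    """Return .mobileconfig bytes embedding the CA cert, the client .p12 and Wi-Fi settings."""
    ca_uuid, p12_uuid, wifi_uuid = (str(uuid.uuid4()).upper() for _ in range(3))

    def payload(ptype, puuid, name, **extra):
        # Keys common to every payload dictionary in a profile.
        return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": puuid,
                "PayloadIdentifier": f"{org}.{puuid}", "PayloadDisplayName": name, **extra}

    # bytes values are serialized as base64 <data> elements by plistlib
    ca = payload("com.apple.security.root", ca_uuid, "RADIUS CA",
                 PayloadContent=ca_cert)
    # No Password key is stored, so the device asks for the .p12 passphrase at install
    ident = payload("com.apple.security.pkcs12", p12_uuid, "Client identity",
                    PayloadContent=p12_bytes)
    wifi = payload("com.apple.wifi.managed", wifi_uuid, f"Wi-Fi ({ssid})",
                   SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                   EncryptionType="WPA2",
                   PayloadCertificateUUID=p12_uuid,  # client identity used for EAP-TLS
                   EAPClientConfiguration={
                       "AcceptEAPTypes": [13],  # 13 = EAP-TLS
                       "PayloadCertificateAnchorUUID": [ca_uuid],  # trust only this CA
                       "TLSTrustedServerNames": list(server_names),
                   })
    profile = payload("Configuration", str(uuid.uuid4()).upper(), f"{ssid} EAP-TLS",
                      PayloadContent=[ca, ident, wifi])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    # Constructed placeholder bytes; in practice read the CA cert and client .p12 from disk
    data = build_eap_tls_profile("ExampleNet", b"\x30\x82CA-PLACEHOLDER",
                                 b"\x30\x82P12-PLACEHOLDER", ["radius.example.org"])
    with open("eap-tls.mobileconfig", "wb") as f:
        f.write(data)
```

The output is an unsigned profile; signing it is a separate step applied to the finished file. Because it contains the client's private key, it should be delivered to the device over a protected channel.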

