EAP-TLS and iOS 13

Ted Hyde (RSI) thyde at rndstudio.com
Mon Nov 4 20:18:47 CET 2019

I love *pple. And by love I mean exactly the opposite..... Regardless, my 
many thanks to all that assisted with my tribulations and blatherings 
regarding getting iPads and Win10 machines working with an EAP-TLS 
environment. As of this morning I had everything migrated, wiped, 
re-tested, full bare-metal automation tested and ready to deploy to the 
minions. I had a very happy moment.

Until someone walked in with an iPad that they had just upgraded to iOS 13.

tl;dr: iOS 13 introduces more stringent compliance for certificates 
(https://support.apple.com/en-us/HT210176) and that means certificates 
that used to work for EAP now do not install - well, that's not true. 
They install, they say they're verified, but the iPad does not recognize 
them as useful, and ONLY presents a TTLS-like connection interface 
(username and password, instead of certificate and identity). They 
simply sit there all happy and useless. (BTW, manual cert install is now 
an 8-page document in my library, including download, allow, accept, 
enable Cert Trust Settings, install, validate and.... then watch it do 
nothing.) Since the iPad does not present a TLS transaction, FR3 doesn't 
participate. I am not using EAP-TTLS, so that module does exactly what 
it is supposed to do - find no verified username and reject.

I've used my google-fu to get the basic idea of modifying the openssl 
commands to include the EKU, and sha2, but some of the other 
requirements I'm not sure about implementing. The "no longer than 2 
years" is also a PITA. Either way, has anyone worked out a magic bullet 
for this yet? Amazingly, M$ is no longer on my hated list - the Win10 
machines are now in the "it simply works" category! Longing to learn 
from the masters, yet again!



On 11/1/2019 6:56 PM, freeradius-users-request at lists.freeradius.org wrote:
> Message: 6
> Date: Fri, 1 Nov 2019 16:22:30 -0400
> From: "Ted Hyde (RSI)" <thyde at rndstudio.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Migrating FR3 instance


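The iOS 13 rules the post points at (HT210176: a SHA-2 signature, validity no longer than 825 days rather than "2 years", an EKU containing id-kp-serverAuth, and the server's DNS name in the subjectAltName) can be checked on a RADIUS server certificate before it is handed to the iPads. This is an added Go example, not code from the post or from FreeRADIUS; MakeCert and the name radius.example.test are constructed for the demo, and the article's 2048-bit RSA minimum is satisfied by the helper rather than checked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckIOS13 lists the HT210176 rules a server certificate breaks; empty means it passes.
func CheckIOS13(c *x509.Certificate) []string {
	var bad []string
	switch c.SignatureAlgorithm { // SHA-2 family only: SHA-1 and MD5 signatures are rejected
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS,
		x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		bad = append(bad, "signature hash is not SHA-2")
	}
	if c.NotAfter.Sub(c.NotBefore) > 825*24*time.Hour { // the "2 years" rule is really 825 days
		bad = append(bad, "validity period longer than 825 days")
	}
	serverAuth := false
	for _, e := range c.ExtKeyUsage {
		serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		bad = append(bad, "EKU lacks id-kp-serverAuth")
	}
	if len(c.DNSNames) == 0 { // a CN alone no longer counts as the server name
		bad = append(bad, "no DNS name in subjectAltName")
	}
	return bad
}

// MakeCert builds a self-signed RSA-2048/SHA-256 certificate as constructed demo input (not a real CA).
func MakeCert(days int, eku []x509.ExtKeyUsage, dns []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "radius.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour), ExtKeyUsage: eku, DNSNames: dns}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A typical pre-iOS-13 EAP cert (CN only, ten-year validity, no EKU) produces three findings; an 800-day cert with serverAuth and a SAN produces none.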