EAP-TLS and IOS 13

Alan DeKok aland at deployingradius.com
Mon Nov 4 21:42:14 CET 2019

On Nov 4, 2019, at 2:18 PM, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
> I love *pple. And by love I mean exactly the opposite.....Regardless, my many thanks to all that assisted with my tribulations and blatherings regarding getting ipads and Win10 machines working with an EAP-TLS environment. As of this morning I had everything migrated, wiped, re-tested, full bare-metal automation tested and ready to deploy to the minions. I had a very happy moment.
> Until someone walked in with an ipad that they just upgraded to IOS 13.
> tl;dr: iOS 13 introduces more stringent compliance for certificates (https://support.apple.com/en-us/HT210176) and that means certificates that used to work for EAP now do not install - well, that's not true. They install, they say they're verified, but the iPad does not recognize them as useful, and ONLY presents a TTLS-like connection interface (username and password, instead of certificate and identity). They simply sit there all happy and useless. (BTW, manual cert install is now an 8-page document in my library, including download, allow, accept, enable Cert Trust Settings, install, validate and... then watch it do nothing.) Since the iPad does not present a TLS transaction, FR3 doesn't participate. I am not using EAP-TTLS, so that module does exactly what it is supposed to do - find no verified username and reject.
> I've used my google-fu to get the basic idea of modifying the openssl commands to include the EKU and SHA-2, but some of the other requirements I'm not sure about implementing. The "no longer than 2 years" is also a PITA. Either way, has anyone worked out a magic bullet for this yet? Amazingly, M$ is no longer on my hated list - the Win10 machines are now in the "it simply works" category! Longing to learn from the masters, yet again!

  The scripts in raddb/certs/ *should* work.  You don't need any OpenSSL magic.  They already have the EKU.  They're already set to use SHA256, which is fine.

  The only additional magic which is necessary is the subjectAltName stuff.  That's easy enough to do.  I've pushed fixes to v3.0.x:


  Please download that and try the certificate scripts in raddb/certs/

  Alan DeKok.
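
An added example, not part of this thread and not the raddb/certs scripts themselves: a small Go program that issues a RADIUS server certificate satisfying the rules from Apple's HT210176 that the thread turns on (SHA-2 signature, RSA key of at least 2048 bits, DNS name in subjectAltName, EKU containing id-kp-serverAuth, validity of 825 days or less), and a checker that reports which of those rules an existing certificate breaks. It uses Go's crypto/x509 rather than the OpenSSL config files in raddb/certs so that it runs stand-alone; the CA name, the host name radius.example.org and the Demo() function are placeholders assumed for the example. Passing the check means the certificate matches the published list, not that any particular device build will accept it, so the real test is still an iOS 13 client against the running server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the longest lifetime HT210176 allows for a TLS server
// certificate issued on or after 1 July 2019: 825 days.
const MaxValidity = 825 * 24 * time.Hour

// LeafParams are the fields of the server certificate the iOS 13 rules look at.
type LeafParams struct {
	CommonName string
	DNSNames   []string // becomes the subjectAltName extension
	Validity   time.Duration
	EKU        []x509.ExtKeyUsage
}

// NewCA builds a self-signed 2048-bit RSA CA signed with SHA-256.
// The subject is a placeholder for whatever raddb/certs/ca.cnf would carry.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example RADIUS CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for the given key with the CA.
func IssueLeaf(ca *x509.Certificate, caKey, key *rsa.PrivateKey, p LeafParams) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(now.UnixNano()),
		Subject:            pkix.Name{CommonName: p.CommonName},
		DNSNames:           p.DNSNames, // empty slice means no SAN extension
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.Add(p.Validity),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:        p.EKU,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sha2Algs lists the signature algorithms that satisfy the "SHA-2 family" rule.
var sha2Algs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckIOS13 returns one message per HT210176 rule the certificate breaks.
// An empty result means the certificate matches the published requirements.
func CheckIOS13(cert *x509.Certificate) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, need >= 2048", pub.N.BitLen()))
	}
	if !sha2Algs[cert.SignatureAlgorithm] {
		problems = append(problems, "signature hash is not SHA-2: "+cert.SignatureAlgorithm.String())
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no subjectAltName; a name only in CommonName is not trusted")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		problems = append(problems, "ExtendedKeyUsage lacks id-kp-serverAuth")
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > MaxValidity {
		problems = append(problems, fmt.Sprintf("validity is %.0f days, max is 825", life.Hours()/24))
	}
	return problems
}

// Demo issues a compliant certificate and a legacy-style one (CommonName only,
// no EKU, three-year lifetime) from the same CA and returns both check results.
func Demo() (good, bad []string, err error) {
	ca, caKey, err := NewCA()
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	goodCert, err := IssueLeaf(ca, caKey, srvKey, LeafParams{
		CommonName: "radius.example.org", DNSNames: []string{"radius.example.org"},
		Validity: 800 * 24 * time.Hour, EKU: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil, nil, err
	}
	badCert, err := IssueLeaf(ca, caKey, srvKey, LeafParams{
		CommonName: "radius.example.org", Validity: 3 * 365 * 24 * time.Hour,
	})
	if err != nil {
		return nil, nil, err
	}
	return CheckIOS13(goodCert), CheckIOS13(badCert), nil
}

func main() {
	good, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant certificate problems:", good)
	fmt.Println("legacy certificate problems:", bad)
}
```

To apply the checker to a certificate produced by the raddb/certs scripts, read the PEM file, decode the block with encoding/pem and pass x509.ParseCertificate's result to CheckIOS13; the three findings for the legacy certificate above (no subjectAltName, no serverAuth EKU, 1095-day lifetime) are exactly the ones an older server.cnf tends to produce.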
