27 Sep
2017
27 Sep
'17
7:54 a.m.
Hi, attached is an example of an embedded EAP-TLS client credential. I obviously cut out most of the actual file but it gives you an idea of the structure. Stefan On 26.09.17 17:23, Chevalier Violet wrote: > D'accord, merci Stefan! > > I found this explanation for how to create the file (yay!). Any tips on how > to embed the files? It's giving instructions on how to sign, but not > entirely sure how to embed the other file. > > http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html > > And my iPhone is still not recognizing either a signed or unsigned version > of that file. If you have further insights, that would be great! But I get > that essentially this is just poor implementation by Apple folks. > > On Tue, Sep 26, 2017 at 5:39 AM, Stefan Winter <stefan.winter@restena.lu> > wrote: > >> Hi, >> >>> Alan D: yes I know iOS supports EAP-TLS, I'm just saying that >>> https://802.1x-config.org seems to not support it, or at least >> according to >>> this screen (attached, but not sure that will come through) that I got to >>> when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I >>> can't make a .mobileconfig file using that suggested site, at least not >> for >>> EAP-TLS for iOS. But please do correct me if I'm wrong! >> Yes that's correct. For proper operation, the mobileconfig profile needs >> to embed the client (p12) cert along with all other Wi-Fi settings (such >> as the CA cert). >> >> Since 802.1x-config.org does not want your private information (such as >> the private key to the client cert), it's not possible to deliver a good >> profile. >> >>> Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it >>> can only be downloaded with a mac. I guess that could be arranged but boy >>> if either of you have a better idea, that would be great! >>> >>> I added the ca.pem cert to my Linux connection--I hope that means that >>> rogue APs can't connect with me anymore! >> If done right, that's correct. Note that 802.1x-config.org does support >> EAP_TLS for Linux, and it pushes all the knobs so that the resulting >> config /is/ correct. >> >> Greetings, >> >> Stefan >> >>> Thanks--if y'all have insights, that would be great. >>> >>> On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> >> wrote: >>>> Apple provide a tool to make mobileconfig profiles >>>> >>>> alan >>>> >>>> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com >>>> wrote: >>>> >>>>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, >>>> with >>>>> just a basic EAP-TLS config, it says it's not compatible with iOS. >>>> Correct >>>>> me if I'm wrong? >>>>> >>>>> And thanks--to know that there's not many ways to make a mobileconfig >> is >>>>> good to know! >>>>> >>>>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com >>>>> wrote: >>>>> >>>>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet < >>>>> chevalier.violet@gmail.com> >>>>>> wrote: >>>>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess >>>>>>> that's all right. >>>>>>> >>>>>>> For the iPhone, are there any instructions for how to make the proper >>>>>> certs >>>>>>> via make client, etc. in the /etc/freeradius/certs directory? I >>>> thought >>>>>> the >>>>>>> .p12 certs were made for mobile devices like the iPhone. If you're >>>>>> telling >>>>>>> me to run some kind of mobileconfig command, I'm not sure what it is. >>>>>> The point is you have to create a "mobileconfig" file for OSX. That >>>>>> file contains information about the certificate, SSID, EAP method to >>>> use, >>>>>> etc. >>>>>> >>>>>> Right now, there aren't really many tools to create such files. See >>>>>> http://802.1x-config.org/ for one example. >>>>>> >>>>>> Alan DeKok. >>>>>> >>>>>> >>>>>> - >>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>>>> list/users.html >>>>>> >>>>> >>>>> >>>>> -- >>>>> "Do not speak, unless it improves on silence." -- Buddha >>>>> - >>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>>> list/users.html >>>> - >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>> list/users.html >>>> >>> >>> >>> >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html >> >> -- >> Stefan WINTER >> Ingenieur de Recherche >> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et >> de la Recherche >> 2, avenue de l'Université >> L-4365 Esch-sur-Alzette >> >> Tel: +352 424409 1 >> Fax: +352 422473 >> >> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the >> recipient's key is known to me >> >> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 >> > >