On Sep 17, 2020, at 3:20 PM, Evan Sharp <evan.sharp@coastmountainacademy.ca> wrote:
No. They are using their Google Cloud Identity credentials since freeRADIUS is binding on Google Secure LDAP.
*Something* is telling the devices to allow your CA. This does *not* happen automatically.
Is it possible that the AP controller is not passing the cert request back to the supplicant and instead is answering RADIUS with the key I installed?
I have no idea what that means. What "key" you installed? The AP doesn't do certs, and doesn't know about them. It just passes packets back and forth between the end-user device, and the RADIUS server.
This would explain how a tunnel is being established without a cert on the BYOD. Midway in the first passthrough:
The end user device DOES have a certificate configured.
1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize 2. (0) [eap] = ok
That's just the start of the EAP conversation. It is LONG before any certificate exchange. Alan DeKok.