On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc@bcsc.k12.in.us> wrote:
What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android.
That *might* work. However... many systems have known root CAs enabled for web surfing, but disabled for EAP. Which means the only way to get WiFi working is to ??? somehow enable / add a root CA. I've been arguing this point with the various standards bodies for a while. Apparently the people who interact with customers are few and far between there. So things hated by real people just aren't a priority to fix in the standards. :(
Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
I've bene trying to do the same thing for a while. it's hard. The simple answer is things like Eduroam CAT: https://cat.eduroam.org/ It get you a simple tool to configure end-user machines. But it means you should be part of Eduroam. Which you might want to do anyways...
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure.
"Here be dragons" :( OS / Phone vendors randomly change requirements, UI, processes, work flows, etc. for WiFi configuration. It's a huge problem. Alan DeKok.