commercial solutions abound - cloudpath ES, Aruba Clearpass, etc etc. if you have a deployment tool (to ensure IOS/OSX devices are locked down etc then you can roll our EAP-TLS with that - likewise Windows deployment tools for MS product line - Chromebooks via Googles MPM etc - Android is the curve ball. if you have a totally independent BYOD (which you dont because you have to set these clients up ;-) ) then things become more interesting (and its difficult to have a half-managed BYOD solution as most of the management platforms are a 'take all of our policies' or 'our policy overrides everything else' or you cant have 2 policies). captive portal (well, walled garden really) allowing only access to the configuration tool is one way.... that could be open SSID, or EAP-PEAP/TTLS based with a public cert and a known local user/pass that is known - after all, this is only getting you onto the walled garden.....so long as there is then some other enrollment process to get you a cert. have written little utils that people log into and then receive a freshly minted cert - open source solutions exist but , to be honest, if you cannot afford the big commercial players than something like http://802.1x-config.org/ (same underlying tool as the free-for-eduroam-users) will be of use... alan On 11 September 2017 at 16:14, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Which is why we use the Cloudpath ES server to configure eap-peap and eap-tls. Using the ES server for OCSP allows us to manage certs as well.
Open wifi network with dnsmasq only get you to a limited set of URLs. Workflow capabilities allow you to tailor what a user sees in terms of config options.
A
On 11 September 2017 at 15:33, Matthew Newton <mcn@freeradius.org> wrote:
On Mon, 2017-09-11 at 10:22 -0400, Chevalier Violet wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
One solution is for an open network with a captive portal (no Internet access), people log in (https, username, password) there, which generates an installer/config, used to the configure the device.
But yes, enrolling on EAP-TLS can be tricky without other certificate/device management systems.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html