Are suggesting use passpoint to push the cert out, but keep using PEAP, or are you suggesting use passpoint as the vehicle to onboard client certs for EAP-TLS? I guess it could be either? On Wed, Jan 20, 2021 at 11:38 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 20, 2021, at 11:27 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought
devices
seems tricky.
It definitely becomes harder.
With MDM or AD-joined devices pushing the certificates out are easy. In an environment where "bring your own device" is encouraged, I'm curious how network admins are making client certificate installations easy enough for end users to do.
Use WiFi Passpoint for Hotspot 2.0. Most enterprise APs should support this, and it shouldn't be too hard to configure.
Or, MDM or AD, unfortunately. Most systems have now removed the ability for users to manually configure certificate settings.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog (He/Him/His) Senior Network Engineer munroe@lehigh.edu