On Sep 11, 2017, at 10:22 AM, Chevalier Violet <chevalier.violet@gmail.com> wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
You need an automated system. See http://802.1x-config.org for an example/ The sad truth is that many systems (cough ANDROID) don't have provisions for automatically provisioning WiFi credentials. Which pretty much means you need to do it manually.q
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
That may work...
I have been struggling to get even my own iPhone to have the proper cert!
What's going wrong?
On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
It's everyone's question. If only there was a standard for this, everyone's lives would be easier.
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
You'll need an AP capable of Hotspot 2.0, and a captive portal capable of hotspot 2.0. That's the hard part. The FreeRADIUS portion is easy. Alan DeKok.