Am 20.01.21 um 17:27 schrieb Munroe Sollog:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought devices seems tricky.
Neither sure about EAP-TLS nor about Android 11 -- but could you use an app like eduroam CAT? It can be fed any profile, e.g. from local file system or USB-OTG through the file/open dialog. The profile XML format has been defined in an RFC draft: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00 Successors to this app for Android 11+ are in the works, e.g. geteduroam. Here's our eap-config as an example: <?xml version="1.0" encoding="utf-8"?> <EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd"> <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1"> <AuthenticationMethods> <AuthenticationMethod> <EAPMethod> <Type>25</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <EAPMethod> <Type>26</Type> </EAPMethod> </InnerAuthenticationMethod> </AuthenticationMethod> <AuthenticationMethod> <EAPMethod> <Type>21</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <NonEAPAuthMethod> <Type>1</Type> </NonEAPAuthMethod> </InnerAuthenticationMethod> </AuthenticationMethod> </AuthenticationMethods> <CredentialApplicability> <IEEE80211> <SSID>eduroam</SSID> <MinRSNProto>CCMP</MinRSNProto> </IEEE80211> <IEEE80211> <ConsortiumOID>001bc50460</ConsortiumOID> </IEEE80211> </CredentialApplicability> <ProviderInfo> <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName> <ProviderLocation> <Longitude>8.773955999999998</Longitude> <Latitude>50.8101824</Latitude> </ProviderLocation> <ProviderLocation> <Longitude>8.811504000000014</Longitude> <Latitude>50.8122453</Latitude> </ProviderLocation> <Helpdesk> <EmailAddress>wlan@hrz.uni-marburg.de</EmailAddress> <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress> <Phone>+49 6421 2828282</Phone> </Helpdesk> </ProviderInfo> </EAPIdentityProvider> </EAPIdentityProviderList> -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg