26 Sep
2017
26 Sep
'17
5:39 a.m.
Hi, > Alan D: yes I know iOS supports EAP-TLS, I'm just saying that > https://802.1x-config.org seems to not support it, or at least according to > this screen (attached, but not sure that will come through) that I got to > when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I > can't make a .mobileconfig file using that suggested site, at least not for > EAP-TLS for iOS. But please do correct me if I'm wrong! Yes that's correct. For proper operation, the mobileconfig profile needs to embed the client (p12) cert along with all other Wi-Fi settings (such as the CA cert). Since 802.1x-config.org does not want your private information (such as the private key to the client cert), it's not possible to deliver a good profile. > Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it > can only be downloaded with a mac. I guess that could be arranged but boy > if either of you have a better idea, that would be great! > > I added the ca.pem cert to my Linux connection--I hope that means that > rogue APs can't connect with me anymore! If done right, that's correct. Note that 802.1x-config.org does support EAP_TLS for Linux, and it pushes all the knobs so that the resulting config /is/ correct. Greetings, Stefan > Thanks--if y'all have insights, that would be great. > > On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> wrote: > >> Apple provide a tool to make mobileconfig profiles >> >> alan >> >> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com> >> wrote: >> >>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, >> with >>> just a basic EAP-TLS config, it says it's not compatible with iOS. >> Correct >>> me if I'm wrong? >>> >>> And thanks--to know that there's not many ways to make a mobileconfig is >>> good to know! >>> >>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com> >>> wrote: >>> >>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet < >>> chevalier.violet@gmail.com> >>>> wrote: >>>>> >>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess >>>>> that's all right. >>>>> >>>>> For the iPhone, are there any instructions for how to make the proper >>>> certs >>>>> via make client, etc. in the /etc/freeradius/certs directory? I >> thought >>>> the >>>>> .p12 certs were made for mobile devices like the iPhone. If you're >>>> telling >>>>> me to run some kind of mobileconfig command, I'm not sure what it is. >>>> >>>> The point is you have to create a "mobileconfig" file for OSX. That >>>> file contains information about the certificate, SSID, EAP method to >> use, >>>> etc. >>>> >>>> Right now, there aren't really many tools to create such files. See >>>> http://802.1x-config.org/ for one example. >>>> >>>> Alan DeKok. >>>> >>>> >>>> - >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>> list/users.html >>>> >>> >>> >>> >>> -- >>> "Do not speak, unless it improves on silence." -- Buddha >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>> list/users.html >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html >> > > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66