EAP-TLS PKI management
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought devices seems tricky. With MDM or AD-joined devices pushing the certificates out are easy. In an environment where "bring your own device" is encouraged, I'm curious how network admins are making client certificate installations easy enough for end users to do. Android 11 change article for reference: https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/ -- Munroe Sollog (He/Him/His) Senior Network Engineer munroe@lehigh.edu
On Jan 20, 2021, at 11:27 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought devices seems tricky.
It definitely becomes harder.
With MDM or AD-joined devices pushing the certificates out are easy. In an environment where "bring your own device" is encouraged, I'm curious how network admins are making client certificate installations easy enough for end users to do.
Use WiFi Passpoint for Hotspot 2.0. Most enterprise APs should support this, and it shouldn't be too hard to configure. Or, MDM or AD, unfortunately. Most systems have now removed the ability for users to manually configure certificate settings. Alan DeKok.
Are suggesting use passpoint to push the cert out, but keep using PEAP, or are you suggesting use passpoint as the vehicle to onboard client certs for EAP-TLS? I guess it could be either? On Wed, Jan 20, 2021 at 11:38 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 20, 2021, at 11:27 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought
devices
seems tricky.
It definitely becomes harder.
With MDM or AD-joined devices pushing the certificates out are easy. In an environment where "bring your own device" is encouraged, I'm curious how network admins are making client certificate installations easy enough for end users to do.
Use WiFi Passpoint for Hotspot 2.0. Most enterprise APs should support this, and it shouldn't be too hard to configure.
Or, MDM or AD, unfortunately. Most systems have now removed the ability for users to manually configure certificate settings.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog (He/Him/His) Senior Network Engineer munroe@lehigh.edu
On Jan 20, 2021, at 11:41 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
Are suggesting use passpoint to push the cert out, but keep using PEAP, or are you suggesting use passpoint as the vehicle to onboard client certs for EAP-TLS?
I guess it could be either?
Passpoint is about client configuration. It's not just for EAP-TLS. We have people using Passpoint for EAP-SIM, for example. It's fine. Alan DeKok.
Thanks for the pointers. I'll investigate. On Wed, Jan 20, 2021 at 11:46 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 20, 2021, at 11:41 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
Are suggesting use passpoint to push the cert out, but keep using PEAP, or are you suggesting use passpoint as the vehicle to onboard client certs for EAP-TLS?
I guess it could be either?
Passpoint is about client configuration. It's not just for EAP-TLS.
We have people using Passpoint for EAP-SIM, for example. It's fine.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog (He/Him/His) Senior Network Engineer munroe@lehigh.edu
Hi In a previous employment we used clouthpath ES (a commercial solution) that allows users to enroll and manage their own certs for EAP-TLS). It's now owned by Ruckus. FreeRADIUS ran the show and we were able to move most PEAP to EAP-TLS (Particularly the BYOD crowd) alan
Am 20.01.21 um 17:27 schrieb Munroe Sollog:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought devices seems tricky.
Neither sure about EAP-TLS nor about Android 11 -- but could you use an app like eduroam CAT? It can be fed any profile, e.g. from local file system or USB-OTG through the file/open dialog. The profile XML format has been defined in an RFC draft: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00 Successors to this app for Android 11+ are in the works, e.g. geteduroam. Here's our eap-config as an example: <?xml version="1.0" encoding="utf-8"?> <EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd"> <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1"> <AuthenticationMethods> <AuthenticationMethod> <EAPMethod> <Type>25</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <EAPMethod> <Type>26</Type> </EAPMethod> </InnerAuthenticationMethod> </AuthenticationMethod> <AuthenticationMethod> <EAPMethod> <Type>21</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <NonEAPAuthMethod> <Type>1</Type> </NonEAPAuthMethod> </InnerAuthenticationMethod> </AuthenticationMethod> </AuthenticationMethods> <CredentialApplicability> <IEEE80211> <SSID>eduroam</SSID> <MinRSNProto>CCMP</MinRSNProto> </IEEE80211> <IEEE80211> <ConsortiumOID>001bc50460</ConsortiumOID> </IEEE80211> </CredentialApplicability> <ProviderInfo> <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName> <ProviderLocation> <Longitude>8.773955999999998</Longitude> <Latitude>50.8101824</Latitude> </ProviderLocation> <ProviderLocation> <Longitude>8.811504000000014</Longitude> <Latitude>50.8122453</Latitude> </ProviderLocation> <Helpdesk> <EmailAddress>wlan@hrz.uni-marburg.de</EmailAddress> <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress> <Phone>+49 6421 2828282</Phone> </Helpdesk> </ProviderInfo> </EAPIdentityProvider> </EAPIdentityProviderList> -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Hi, Were you able to implement the solution? I am also on the same boat. I would love to hear your work, so that I can get an idea out of it. Thank you. On Thu, 18 Feb 2021 at 23:44, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
Am 20.01.21 um 17:27 schrieb Munroe Sollog:
Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change that removes the ability for the user to "Do Not Validate" the CA certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS seems like the best option, however the onboarding of user-brought devices seems tricky.
Neither sure about EAP-TLS nor about Android 11 -- but could you use an app like eduroam CAT? It can be fed any profile, e.g. from local file system or USB-OTG through the file/open dialog. The profile XML format has been defined in an RFC draft: https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00
Successors to this app for Android 11+ are in the works, e.g. geteduroam.
Here's our eap-config as an example:
<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd"> <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1"> <AuthenticationMethods> <AuthenticationMethod> <EAPMethod> <Type>25</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de </InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <EAPMethod> <Type>26</Type> </EAPMethod> </InnerAuthenticationMethod> </AuthenticationMethod> <AuthenticationMethod> <EAPMethod> <Type>21</Type> </EAPMethod> <ServerSideCredential> <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA> <ServerID>radius.students.uni-marburg.de</ServerID> </ServerSideCredential> <ClientSideCredential> <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity> <InnerIdentitySuffix>students.uni-marburg.de </InnerIdentitySuffix> <InnerIdentityHint>true</InnerIdentityHint> </ClientSideCredential> <InnerAuthenticationMethod> <NonEAPAuthMethod> <Type>1</Type> </NonEAPAuthMethod> </InnerAuthenticationMethod> </AuthenticationMethod> </AuthenticationMethods> <CredentialApplicability> <IEEE80211> <SSID>eduroam</SSID> <MinRSNProto>CCMP</MinRSNProto> </IEEE80211> <IEEE80211> <ConsortiumOID>001bc50460</ConsortiumOID> </IEEE80211> </CredentialApplicability> <ProviderInfo> <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName> <ProviderLocation> <Longitude>8.773955999999998</Longitude> <Latitude>50.8101824</Latitude> </ProviderLocation> <ProviderLocation> <Longitude>8.811504000000014</Longitude> <Latitude>50.8122453</Latitude> </ProviderLocation> <Helpdesk> <EmailAddress>wlan@hrz.uni-marburg.de</EmailAddress> <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress> <Phone>+49 6421 2828282</Phone> </Helpdesk> </ProviderInfo> </EAPIdentityProvider> </EAPIdentityProviderList>
-- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan Buxey -
Alan DeKok -
Burn Zero -
Martin Pauly -
Munroe Sollog