EAP-TLS: Strategies for getting the right certificate to the right user
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help! EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up. Users are starting with no internet access. I was thinking maybe of the following: 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days. I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question. Thanks everyone! PS At this link: https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610 Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
On Sep 11, 2017, at 10:22 AM, Chevalier Violet <chevalier.violet@gmail.com> wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
You need an automated system. See http://802.1x-config.org for an example/ The sad truth is that many systems (cough ANDROID) don't have provisions for automatically provisioning WiFi credentials. Which pretty much means you need to do it manually.q
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
That may work...
I have been struggling to get even my own iPhone to have the proper cert!
What's going wrong?
On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
It's everyone's question. If only there was a standard for this, everyone's lives would be easier.
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
You'll need an AP capable of Hotspot 2.0, and a captive portal capable of hotspot 2.0. That's the hard part. The FreeRADIUS portion is easy. Alan DeKok.
On Mon, 2017-09-11 at 10:22 -0400, Chevalier Violet wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
One solution is for an open network with a captive portal (no Internet access), people log in (https, username, password) there, which generates an installer/config, used to the configure the device. But yes, enrolling on EAP-TLS can be tricky without other certificate/device management systems. -- Matthew
Which is why we use the Cloudpath ES server to configure eap-peap and eap-tls. Using the ES server for OCSP allows us to manage certs as well. Open wifi network with dnsmasq only get you to a limited set of URLs. Workflow capabilities allow you to tailor what a user sees in terms of config options. A On 11 September 2017 at 15:33, Matthew Newton <mcn@freeradius.org> wrote:
On Mon, 2017-09-11 at 10:22 -0400, Chevalier Violet wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
One solution is for an open network with a captive portal (no Internet access), people log in (https, username, password) there, which generates an installer/config, used to the configure the device.
But yes, enrolling on EAP-TLS can be tricky without other certificate/device management systems.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
commercial solutions abound - cloudpath ES, Aruba Clearpass, etc etc. if you have a deployment tool (to ensure IOS/OSX devices are locked down etc then you can roll our EAP-TLS with that - likewise Windows deployment tools for MS product line - Chromebooks via Googles MPM etc - Android is the curve ball. if you have a totally independent BYOD (which you dont because you have to set these clients up ;-) ) then things become more interesting (and its difficult to have a half-managed BYOD solution as most of the management platforms are a 'take all of our policies' or 'our policy overrides everything else' or you cant have 2 policies). captive portal (well, walled garden really) allowing only access to the configuration tool is one way.... that could be open SSID, or EAP-PEAP/TTLS based with a public cert and a known local user/pass that is known - after all, this is only getting you onto the walled garden.....so long as there is then some other enrollment process to get you a cert. have written little utils that people log into and then receive a freshly minted cert - open source solutions exist but , to be honest, if you cannot afford the big commercial players than something like http://802.1x-config.org/ (same underlying tool as the free-for-eduroam-users) will be of use... alan On 11 September 2017 at 16:14, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Which is why we use the Cloudpath ES server to configure eap-peap and eap-tls. Using the ES server for OCSP allows us to manage certs as well.
Open wifi network with dnsmasq only get you to a limited set of URLs. Workflow capabilities allow you to tailor what a user sees in terms of config options.
A
On 11 September 2017 at 15:33, Matthew Newton <mcn@freeradius.org> wrote:
On Mon, 2017-09-11 at 10:22 -0400, Chevalier Violet wrote:
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
One solution is for an open network with a captive portal (no Internet access), people log in (https, username, password) there, which generates an installer/config, used to the configure the device.
But yes, enrolling on EAP-TLS can be tricky without other certificate/device management systems.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, Thanks for all the thoughts. It's much appreciated to know that maybe it's not just n00bness that is causing me to struggle with this! I ended up making a pw protected page on my website (sigh)--but the limits of that solution without internet access are pretty obvious I'd say! And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't work on the iphone... !!! That's kinda insane if you ask me. But obviously apple didn't! Getting certs on the iPhone has been a real hassle--it'd be easier with mac or windows machines around because I could use iTunes, but anyway, it has been done through the website option! Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode" EAP-TLS. Instead, it continually asks me for the username & pass, which is precisely what I'm trying to avoid! I think there may be someway to signal that my wifi prefers TLS mode that I don't know about. If you have help on that point, that'd be great, and sigh&thanks! CV PS Indeed my routher is not exactly hotspot 2.0 or captive portal compliant! On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
-- "Do not speak, unless it improves on silence." -- Buddha
Update: I got my iPhone working. I think the problem was that I needed to import the client.p12 cert (helpfully mentioned not very often of course). Anyway, it's working! As for how to make THAT relatively automatic... wow, I may need the website Alan proposed. Best, David On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
Hi all,
Thanks for all the thoughts. It's much appreciated to know that maybe it's not just n00bness that is causing me to struggle with this!
I ended up making a pw protected page on my website (sigh)--but the limits of that solution without internet access are pretty obvious I'd say!
And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't work on the iphone... !!! That's kinda insane if you ask me. But obviously apple didn't!
Getting certs on the iPhone has been a real hassle--it'd be easier with mac or windows machines around because I could use iTunes, but anyway, it has been done through the website option!
Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode" EAP-TLS. Instead, it continually asks me for the username & pass, which is precisely what I'm trying to avoid! I think there may be someway to signal that my wifi prefers TLS mode that I don't know about.
If you have help on that point, that'd be great, and sigh&thanks!
CV
PS Indeed my routher is not exactly hotspot 2.0 or captive portal compliant!
On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
-- "Do not speak, unless it improves on silence." -- Buddha
-- "Do not speak, unless it improves on silence." -- Buddha
PS Alan (Buxley), it seems that apple no longer supports the Apple Configurator for Windows. ($#!π) On Tue, Sep 12, 2017 at 1:00 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
Update: I got my iPhone working. I think the problem was that I needed to import the client.p12 cert (helpfully mentioned not very often of course). Anyway, it's working!
As for how to make THAT relatively automatic... wow, I may need the website Alan proposed.
Best, David
On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
Hi all,
Thanks for all the thoughts. It's much appreciated to know that maybe it's not just n00bness that is causing me to struggle with this!
I ended up making a pw protected page on my website (sigh)--but the limits of that solution without internet access are pretty obvious I'd say!
And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't work on the iphone... !!! That's kinda insane if you ask me. But obviously apple didn't!
Getting certs on the iPhone has been a real hassle--it'd be easier with mac or windows machines around because I could use iTunes, but anyway, it has been done through the website option!
Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode" EAP-TLS. Instead, it continually asks me for the username & pass, which is precisely what I'm trying to avoid! I think there may be someway to signal that my wifi prefers TLS mode that I don't know about.
If you have help on that point, that'd be great, and sigh&thanks!
CV
PS Indeed my routher is not exactly hotspot 2.0 or captive portal compliant!
On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
-- "Do not speak, unless it improves on silence." -- Buddha
-- "Do not speak, unless it improves on silence." -- Buddha
-- "Do not speak, unless it improves on silence." -- Buddha
Yep. Why would they when you can run it on a Mac instead? ;) You can actually construct the files yourself. Once you've seen the output the format is self evident alan On 13 Sep 2017 4:12 pm, "Chevalier Violet" <chevalier.violet@gmail.com> wrote:
PS Alan (Buxley), it seems that apple no longer supports the Apple Configurator for Windows. ($#!π)
On Tue, Sep 12, 2017 at 1:00 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
Update: I got my iPhone working. I think the problem was that I needed to import the client.p12 cert (helpfully mentioned not very often of course). Anyway, it's working!
As for how to make THAT relatively automatic... wow, I may need the website Alan proposed.
Best, David
On Tue, Sep 12, 2017 at 12:29 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
Hi all,
Thanks for all the thoughts. It's much appreciated to know that maybe it's not just n00bness that is causing me to struggle with this!
I ended up making a pw protected page on my website (sigh)--but the limits of that solution without internet access are pretty obvious I'd say!
And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't work on the iphone... !!! That's kinda insane if you ask me. But obviously apple didn't!
Getting certs on the iPhone has been a real hassle--it'd be easier with mac or windows machines around because I could use iTunes, but anyway, it has been done through the website option!
Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode" EAP-TLS. Instead, it continually asks me for the username & pass, which is precisely what I'm trying to avoid! I think there may be someway to signal that my wifi prefers TLS mode that I don't know about.
If you have help on that point, that'd be great, and sigh&thanks!
CV
PS Indeed my routher is not exactly hotspot 2.0 or captive portal compliant!
On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
-- "Do not speak, unless it improves on silence." -- Buddha
-- "Do not speak, unless it improves on silence." -- Buddha
-- "Do not speak, unless it improves on silence." -- Buddha - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Getting certs onto the iPhone is fairly easy if you just use a .mobileconfig profile deployment file , as can be created with the apple tools, manually or with commercial tools :) alan On 12 Sep 2017 5:31 am, "Chevalier Violet" <chevalier.violet@gmail.com> wrote:
Hi all,
Thanks for all the thoughts. It's much appreciated to know that maybe it's not just n00bness that is causing me to struggle with this!
I ended up making a pw protected page on my website (sigh)--but the limits of that solution without internet access are pretty obvious I'd say!
And never mind that using TTLS-PAP with passwords saved as SSHA-512 doesn't work on the iphone... !!! That's kinda insane if you ask me. But obviously apple didn't!
Getting certs on the iPhone has been a real hassle--it'd be easier with mac or windows machines around because I could use iTunes, but anyway, it has been done through the website option!
Now, I can't get EAP-TLS to work on my iPhone because I can't choose "mode" EAP-TLS. Instead, it continually asks me for the username & pass, which is precisely what I'm trying to avoid! I think there may be someway to signal that my wifi prefers TLS mode that I don't know about.
If you have help on that point, that'd be great, and sigh&thanks!
CV
PS Indeed my routher is not exactly hotspot 2.0 or captive portal compliant!
On Mon, Sep 11, 2017 at 10:22 AM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I've been googling around and kind of surprised to not be seeing a ton of resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It needs to be relatively automated. I do have users coming by with BYOD devices, e.g. iPhones (omg they're super finicky about the freeradius setup but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password for guests that would change every so often. Maybe let them use the internet either i) for a few minutes at a time or ii) only to access a page on the internal network from which they could download the guest certificate that would allow them to connect via EAP-TLS? 3) the certs would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert! On the bright side, my two linux machines are now working with EAP-TLS so there's hope for me! I wish I could just put the certs on a USB key but that doesn't work for phones. And it's a bunch of Linux machines, no Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045# issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could work, with auto-renewing certs and the whole 9 yards. I wasn't able to find how to make that work for linux, for instance with freeradius. Thanks!
-- "Do not speak, unless it improves on silence." -- Buddha - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (5)
-
Alan Buxey -
Alan DeKok -
Alex Sharaz -
Chevalier Violet -
Matthew Newton