I love *pple. And by love I mean exactly the opposite.....Regardless, my many thanks to all that assisted with my tribulations and blatherings regarding getting ipads and Win10 machines working with an EAP-TLS environment. As of this morning I had everything migrated, wiped, re-tested, full bare-metal automation tested and ready to deploy to the minions. I had a very happy moment. Until someone walked in with an ipad that they just upgraded to IOS 13. tl/dr: IOS13 introduces more stringent compliance for certificates (https://support.apple.com/en-us/HT210176) and that means certificates that used to work for EAP, now do not install - well that's not true. They install, they say they're verified, but the ipad does not recognize them as useful, and ONLY presents a TTLS-like connection interface (username and password, instead of certificate and identity). They simply sit there all happy and useless. (BTW, manual cert install is now an 8 page document in my library, including download, allow,accept, enable Cert Trust Settings, install, validate and....then watch do nothing.) Since the ipad does not present a tls transaction, FR3 doesn't participate. I am not using EAP-TTLS, so that module does exactly what is it supposed to do - find no verified username and reject. I've used my google-fu to get the basic idea of modifying the openssl commands to include the EKU, and sha2, but some of the other requirements I'm not sure about implementing. The "no longer than 2 years" is also a PITA. Either way, has anyone worked out a magic bullet for this yet? Amazingly, M$ is no longer on my hated list - the Win10 machines are now in the "it simply works" category! Longing to learn from the masters, yet again! Thanks, Ted. On 11/1/2019 6:56 PM, freeradius-users-request@lists.freeradius.org wrote:
Message: 6 Date: Fri, 1 Nov 2019 16:22:30 -0400 From: "Ted Hyde (RSI)"<thyde@rndstudio.com> To:freeradius-users@lists.freeradius.org Subject: Migrating FR3 instance
--
On Nov 4, 2019, at 2:18 PM, Ted Hyde (RSI) <thyde@rndstudio.com> wrote:
I love *pple. And by love I mean exactly the opposite.....Regardless, my many thanks to all that assisted with my tribulations and blatherings regarding getting ipads and Win10 machines working with an EAP-TLS environment. As of this morning I had everything migrated, wiped, re-tested, full bare-metal automation tested and ready to deploy to the minions. I had a very happy moment.
Until someone walked in with an ipad that they just upgraded to IOS 13.
Oops.
tl/dr: IOS13 introduces more stringent compliance for certificates (https://support.apple.com/en-us/HT210176) and that means certificates that used to work for EAP, now do not install - well that's not true. They install, they say they're verified, but the ipad does not recognize them as useful, and ONLY presents a TTLS-like connection interface (username and password, instead of certificate and identity). They simply sit there all happy and useless. (BTW, manual cert install is now an 8 page document in my library, including download, allow,accept, enable Cert Trust Settings, install, validate and....then watch do nothing.) Since the ipad does not present a tls transaction, FR3 doesn't participate. I am not using EAP-TTLS, so that module does exactly what is it supposed to do - find no verified username and reject.
I've used my google-fu to get the basic idea of modifying the openssl commands to include the EKU, and sha2, but some of the other requirements I'm not sure about implementing. The "no longer than 2 years" is also a PITA. Either way, has anyone worked out a magic bullet for this yet? Amazingly, M$ is no longer on my hated list - the Win10 machines are now in the "it simply works" category! Longing to learn from the masters, yet again!
The scripts in raddb/certs/ *should* work. You don't need any OpenSSL magic. They already have the EKU. They're already set to use SHA256, which is fine. The only additional magic which is necessary is the subjectAltName stuff. That's easy enough to do. I've pushed fixes to v3.0.x: https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x Please download that and try the certificate scripts in raddb/certs/ Alan DeKok.
[Replying direct, so as not to clutter the list/thread.] Ted - I'm probably hours to a day or two from trying to setup the same on a fleet of iPads. Given the back-and-forth, I'm not at all clear what the "solution" is. I'd be eternally grateful if you'd post a summary of the issues, especially once you fix them, to the list. :) It doesn't sound like we really understand all the issues with certs [2 years lifetime limit, really? - My certs generally have 10y lifetimes! I don't want to push new certs to all the ipads in two years!] - but again, as it becomes clear, it would be a super big help to me. [I'm certainly fluent on istuff - but it's often weird and hard to figure out how to make it work on both Windows and iOS/MacOS - at least without generating certs/keys in formats specially for Apple stuff. [p12's for example] [I use GNUTLS for CA/cert/key generation - so I'll have to find a way to do it there, or use openssl - we'll see.] Anyway - Thanks in advance! -Greg THR> I love *pple. And by love I mean exactly the opposite.....Regardless, my THR> many thanks to all that assisted with my tribulations and blatherings THR> regarding getting ipads and Win10 machines working with an EAP-TLS THR> environment. As of this morning I had everything migrated, wiped, THR> re-tested, full bare-metal automation tested and ready to deploy to the THR> minions. I had a very happy moment. THR> Until someone walked in with an ipad that they just upgraded to IOS 13. THR> tl/dr: IOS13 introduces more stringent compliance for certificates THR> (https://support.apple.com/en-us/HT210176) and that means certificates THR> that used to work for EAP, now do not install - well that's not true. THR> They install, they say they're verified, but the ipad does not recognize THR> them as useful, and ONLY presents a TTLS-like connection interface THR> (username and password, instead of certificate and identity). They THR> simply sit there all happy and useless. (BTW, manual cert install is now THR> an 8 page document in my library, including download, allow,accept, THR> enable Cert Trust Settings, install, validate and....then watch do THR> nothing.) Since the ipad does not present a tls transaction, FR3 doesn't THR> participate. I am not using EAP-TTLS, so that module does exactly what THR> is it supposed to do - find no verified username and reject. THR> I've used my google-fu to get the basic idea of modifying the openssl THR> commands to include the EKU, and sha2, but some of the other THR> requirements I'm not sure about implementing. The "no longer than 2 THR> years" is also a PITA. Either way, has anyone worked out a magic bullet THR> for this yet? Amazingly, M$ is no longer on my hated list - the Win10 THR> machines are now in the "it simply works" category! Longing to learn THR> from the masters, yet again! THR> Thanks, THR> Ted.
participants (3)
-
Alan DeKok -
Gregory Sloop -
Ted Hyde (RSI)