EAP-TLS working but asking for cert
Hi all, Trying to get the hang of this EAP-TLS thing on my iPhone. I did finally get a p12 cert working on my phone. But now when I connect, it asks me to trust a cert. I've tried installing the ca.pem and the ca.der on my iPhone several times now, no luck. Similarly, when I connect via Linux, I'm able to do so without showing my ca.pem. But Linux doesn't ask me to trust a cert--any clues what's going on? Let me know if there are config file I can help you have? CV! -- "Do not speak, unless it improves on silence." -- Buddha
use a mobileconfig provisin for the iOS device for the Linux box - its set to be stupidly insecure by default, you need to configure the supplicant to only trust a particular CA (the joy of Linux is that unlike eg iOS/OSX/Windows et al) there isnt really a standard proper single CA location for all tools/OS to use - a few of them use the /etc/pki/ OpenSSL location, others use their own cert store. alan On 25 September 2017 at 21:06, Chevalier Violet <chevalier.violet@gmail.com> wrote:
Hi all,
Trying to get the hang of this EAP-TLS thing on my iPhone. I did finally get a p12 cert working on my phone. But now when I connect, it asks me to trust a cert.
I've tried installing the ca.pem and the ca.der on my iPhone several times now, no luck.
Similarly, when I connect via Linux, I'm able to do so without showing my ca.pem. But Linux doesn't ask me to trust a cert--any clues what's going on?
Let me know if there are config file I can help you have?
CV!
-- "Do not speak, unless it improves on silence." -- Buddha - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I mean, I can manually ask Linux to use the CA that I set, so I guess that's all right. For the iPhone, are there any instructions for how to make the proper certs via make client, etc. in the /etc/freeradius/certs directory? I thought the .p12 certs were made for mobile devices like the iPhone. If you're telling me to run some kind of mobileconfig command, I'm not sure what it is. On Mon, Sep 25, 2017 at 4:10 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
use a mobileconfig provisin for the iOS device
for the Linux box - its set to be stupidly insecure by default, you need to configure the supplicant to only trust a particular CA (the joy of Linux is that unlike eg iOS/OSX/Windows et al) there isnt really a standard proper single CA location for all tools/OS to use - a few of them use the /etc/pki/ OpenSSL location, others use their own cert store.
alan
Hi all,
Trying to get the hang of this EAP-TLS thing on my iPhone. I did finally get a p12 cert working on my phone. But now when I connect, it asks me to trust a cert.
I've tried installing the ca.pem and the ca.der on my iPhone several times now, no luck.
Similarly, when I connect via Linux, I'm able to do so without showing my ca.pem. But Linux doesn't ask me to trust a cert--any clues what's going on?
Let me know if there are config file I can help you have?
CV!
-- "Do not speak, unless it improves on silence." -- Buddha - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 25 September 2017 at 21:06, Chevalier Violet <chevalier.violet@gmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- "Do not speak, unless it improves on silence." -- Buddha
On Sep 25, 2017, at 4:31 PM, Chevalier Violet <chevalier.violet@gmail.com> wrote:
I mean, I can manually ask Linux to use the CA that I set, so I guess that's all right.
For the iPhone, are there any instructions for how to make the proper certs via make client, etc. in the /etc/freeradius/certs directory? I thought the .p12 certs were made for mobile devices like the iPhone. If you're telling me to run some kind of mobileconfig command, I'm not sure what it is.
The point is you have to create a "mobileconfig" file for OSX. That file contains information about the certificate, SSID, EAP method to use, etc. Right now, there aren't really many tools to create such files. See http://802.1x-config.org/ for one example. Alan DeKok.
Thanks all--I have tried the 802.1x-config site. From what I'm seeing, with just a basic EAP-TLS config, it says it's not compatible with iOS. Correct me if I'm wrong? And thanks--to know that there's not many ways to make a mobileconfig is good to know! On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 25, 2017, at 4:31 PM, Chevalier Violet <chevalier.violet@gmail.com> wrote:
I mean, I can manually ask Linux to use the CA that I set, so I guess that's all right.
For the iPhone, are there any instructions for how to make the proper
certs
via make client, etc. in the /etc/freeradius/certs directory? I thought the .p12 certs were made for mobile devices like the iPhone. If you're telling me to run some kind of mobileconfig command, I'm not sure what it is.
The point is you have to create a "mobileconfig" file for OSX. That file contains information about the certificate, SSID, EAP method to use, etc.
Right now, there aren't really many tools to create such files. See http://802.1x-config.org/ for one example.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- "Do not speak, unless it improves on silence." -- Buddha
On Sep 25, 2017, at 5:20 PM, Chevalier Violet <chevalier.violet@gmail.com> wrote:
Thanks all--I have tried the 802.1x-config site. From what I'm seeing, with just a basic EAP-TLS config, it says it's not compatible with iOS. Correct me if I'm wrong?
iOS does support EAP-TLS. Alan DeKok.
Apple provide a tool to make mobileconfig profiles alan On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com> wrote:
Thanks all--I have tried the 802.1x-config site. From what I'm seeing, with just a basic EAP-TLS config, it says it's not compatible with iOS. Correct me if I'm wrong?
And thanks--to know that there's not many ways to make a mobileconfig is good to know!
On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 25, 2017, at 4:31 PM, Chevalier Violet < chevalier.violet@gmail.com> wrote:
I mean, I can manually ask Linux to use the CA that I set, so I guess that's all right.
For the iPhone, are there any instructions for how to make the proper
certs
via make client, etc. in the /etc/freeradius/certs directory? I thought the .p12 certs were made for mobile devices like the iPhone. If you're telling me to run some kind of mobileconfig command, I'm not sure what it is.
The point is you have to create a "mobileconfig" file for OSX. That file contains information about the certificate, SSID, EAP method to use, etc.
Right now, there aren't really many tools to create such files. See http://802.1x-config.org/ for one example.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- "Do not speak, unless it improves on silence." -- Buddha - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi Alans, Alan D: yes I know iOS supports EAP-TLS, I'm just saying that https://802.1x-config.org seems to not support it, or at least according to this screen (attached, but not sure that will come through) that I got to when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I can't make a .mobileconfig file using that suggested site, at least not for EAP-TLS for iOS. But please do correct me if I'm wrong! Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it can only be downloaded with a mac. I guess that could be arranged but boy if either of you have a better idea, that would be great! I added the ca.pem cert to my Linux connection--I hope that means that rogue APs can't connect with me anymore! Thanks--if y'all have insights, that would be great. On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> wrote: > Apple provide a tool to make mobileconfig profiles > > alan > > On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com> > wrote: > > > Thanks all--I have tried the 802.1x-config site. From what I'm seeing, > with > > just a basic EAP-TLS config, it says it's not compatible with iOS. > Correct > > me if I'm wrong? > > > > And thanks--to know that there's not many ways to make a mobileconfig is > > good to know! > > > > On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com> > > wrote: > > > > > On Sep 25, 2017, at 4:31 PM, Chevalier Violet < > > chevalier.violet@gmail.com> > > > wrote: > > > > > > > > I mean, I can manually ask Linux to use the CA that I set, so I guess > > > > that's all right. > > > > > > > > For the iPhone, are there any instructions for how to make the proper > > > certs > > > > via make client, etc. in the /etc/freeradius/certs directory? I > thought > > > the > > > > .p12 certs were made for mobile devices like the iPhone. If you're > > > telling > > > > me to run some kind of mobileconfig command, I'm not sure what it is. > > > > > > The point is you have to create a "mobileconfig" file for OSX. That > > > file contains information about the certificate, SSID, EAP method to > use, > > > etc. > > > > > > Right now, there aren't really many tools to create such files. See > > > http://802.1x-config.org/ for one example. > > > > > > Alan DeKok. > > > > > > > > > - > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > > list/users.html > > > > > > > > > > > -- > > "Do not speak, unless it improves on silence." -- Buddha > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > -- "Do not speak, unless it improves on silence." -- Buddha
Hi, > Alan D: yes I know iOS supports EAP-TLS, I'm just saying that > https://802.1x-config.org seems to not support it, or at least according to > this screen (attached, but not sure that will come through) that I got to > when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I > can't make a .mobileconfig file using that suggested site, at least not for > EAP-TLS for iOS. But please do correct me if I'm wrong! Yes that's correct. For proper operation, the mobileconfig profile needs to embed the client (p12) cert along with all other Wi-Fi settings (such as the CA cert). Since 802.1x-config.org does not want your private information (such as the private key to the client cert), it's not possible to deliver a good profile. > Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it > can only be downloaded with a mac. I guess that could be arranged but boy > if either of you have a better idea, that would be great! > > I added the ca.pem cert to my Linux connection--I hope that means that > rogue APs can't connect with me anymore! If done right, that's correct. Note that 802.1x-config.org does support EAP_TLS for Linux, and it pushes all the knobs so that the resulting config /is/ correct. Greetings, Stefan > Thanks--if y'all have insights, that would be great. > > On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> wrote: > >> Apple provide a tool to make mobileconfig profiles >> >> alan >> >> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com> >> wrote: >> >>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, >> with >>> just a basic EAP-TLS config, it says it's not compatible with iOS. >> Correct >>> me if I'm wrong? >>> >>> And thanks--to know that there's not many ways to make a mobileconfig is >>> good to know! >>> >>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com> >>> wrote: >>> >>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet < >>> chevalier.violet@gmail.com> >>>> wrote: >>>>> >>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess >>>>> that's all right. >>>>> >>>>> For the iPhone, are there any instructions for how to make the proper >>>> certs >>>>> via make client, etc. in the /etc/freeradius/certs directory? I >> thought >>>> the >>>>> .p12 certs were made for mobile devices like the iPhone. If you're >>>> telling >>>>> me to run some kind of mobileconfig command, I'm not sure what it is. >>>> >>>> The point is you have to create a "mobileconfig" file for OSX. That >>>> file contains information about the certificate, SSID, EAP method to >> use, >>>> etc. >>>> >>>> Right now, there aren't really many tools to create such files. See >>>> http://802.1x-config.org/ for one example. >>>> >>>> Alan DeKok. >>>> >>>> >>>> - >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>> list/users.html >>>> >>> >>> >>> >>> -- >>> "Do not speak, unless it improves on silence." -- Buddha >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>> list/users.html >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html >> > > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
D'accord, merci Stefan! I found this explanation for how to create the file (yay!). Any tips on how to embed the files? It's giving instructions on how to sign, but not entirely sure how to embed the other file. http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html And my iPhone is still not recognizing either a signed or unsigned version of that file. If you have further insights, that would be great! But I get that essentially this is just poor implementation by Apple folks. On Tue, Sep 26, 2017 at 5:39 AM, Stefan Winter <stefan.winter@restena.lu> wrote: > Hi, > > > Alan D: yes I know iOS supports EAP-TLS, I'm just saying that > > https://802.1x-config.org seems to not support it, or at least > according to > > this screen (attached, but not sure that will come through) that I got to > > when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I > > can't make a .mobileconfig file using that suggested site, at least not > for > > EAP-TLS for iOS. But please do correct me if I'm wrong! > > Yes that's correct. For proper operation, the mobileconfig profile needs > to embed the client (p12) cert along with all other Wi-Fi settings (such > as the CA cert). > > Since 802.1x-config.org does not want your private information (such as > the private key to the client cert), it's not possible to deliver a good > profile. > > > Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it > > can only be downloaded with a mac. I guess that could be arranged but boy > > if either of you have a better idea, that would be great! > > > > I added the ca.pem cert to my Linux connection--I hope that means that > > rogue APs can't connect with me anymore! > > If done right, that's correct. Note that 802.1x-config.org does support > EAP_TLS for Linux, and it pushes all the knobs so that the resulting > config /is/ correct. > > Greetings, > > Stefan > > > Thanks--if y'all have insights, that would be great. > > > > On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> > wrote: > > > >> Apple provide a tool to make mobileconfig profiles > >> > >> alan > >> > >> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com > > > >> wrote: > >> > >>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, > >> with > >>> just a basic EAP-TLS config, it says it's not compatible with iOS. > >> Correct > >>> me if I'm wrong? > >>> > >>> And thanks--to know that there's not many ways to make a mobileconfig > is > >>> good to know! > >>> > >>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com > > > >>> wrote: > >>> > >>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet < > >>> chevalier.violet@gmail.com> > >>>> wrote: > >>>>> > >>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess > >>>>> that's all right. > >>>>> > >>>>> For the iPhone, are there any instructions for how to make the proper > >>>> certs > >>>>> via make client, etc. in the /etc/freeradius/certs directory? I > >> thought > >>>> the > >>>>> .p12 certs were made for mobile devices like the iPhone. If you're > >>>> telling > >>>>> me to run some kind of mobileconfig command, I'm not sure what it is. > >>>> > >>>> The point is you have to create a "mobileconfig" file for OSX. That > >>>> file contains information about the certificate, SSID, EAP method to > >> use, > >>>> etc. > >>>> > >>>> Right now, there aren't really many tools to create such files. See > >>>> http://802.1x-config.org/ for one example. > >>>> > >>>> Alan DeKok. > >>>> > >>>> > >>>> - > >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ > >>>> list/users.html > >>>> > >>> > >>> > >>> > >>> -- > >>> "Do not speak, unless it improves on silence." -- Buddha > >>> - > >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ > >>> list/users.html > >> - > >> List info/subscribe/unsubscribe? See http://www.freeradius.org/ > >> list/users.html > >> > > > > > > > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > list/users.html > > > > > -- > Stefan WINTER > Ingenieur de Recherche > Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et > de la Recherche > 2, avenue de l'Université > L-4365 Esch-sur-Alzette > > Tel: +352 424409 1 > Fax: +352 422473 > > PGP key updated to 4096 Bit RSA - I will encrypt all mails if the > recipient's key is known to me > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 > -- "Do not speak, unless it improves on silence." -- Buddha
Hi, attached is an example of an embedded EAP-TLS client credential. I obviously cut out most of the actual file but it gives you an idea of the structure. Stefan On 26.09.17 17:23, Chevalier Violet wrote: > D'accord, merci Stefan! > > I found this explanation for how to create the file (yay!). Any tips on how > to embed the files? It's giving instructions on how to sign, but not > entirely sure how to embed the other file. > > http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html > > And my iPhone is still not recognizing either a signed or unsigned version > of that file. If you have further insights, that would be great! But I get > that essentially this is just poor implementation by Apple folks. > > On Tue, Sep 26, 2017 at 5:39 AM, Stefan Winter <stefan.winter@restena.lu> > wrote: > >> Hi, >> >>> Alan D: yes I know iOS supports EAP-TLS, I'm just saying that >>> https://802.1x-config.org seems to not support it, or at least >> according to >>> this screen (attached, but not sure that will come through) that I got to >>> when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I >>> can't make a .mobileconfig file using that suggested site, at least not >> for >>> EAP-TLS for iOS. But please do correct me if I'm wrong! >> Yes that's correct. For proper operation, the mobileconfig profile needs >> to embed the client (p12) cert along with all other Wi-Fi settings (such >> as the CA cert). >> >> Since 802.1x-config.org does not want your private information (such as >> the private key to the client cert), it's not possible to deliver a good >> profile. >> >>> Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it >>> can only be downloaded with a mac. I guess that could be arranged but boy >>> if either of you have a better idea, that would be great! >>> >>> I added the ca.pem cert to my Linux connection--I hope that means that >>> rogue APs can't connect with me anymore! >> If done right, that's correct. Note that 802.1x-config.org does support >> EAP_TLS for Linux, and it pushes all the knobs so that the resulting >> config /is/ correct. >> >> Greetings, >> >> Stefan >> >>> Thanks--if y'all have insights, that would be great. >>> >>> On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey@gmail.com> >> wrote: >>>> Apple provide a tool to make mobileconfig profiles >>>> >>>> alan >>>> >>>> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet@gmail.com >>>> wrote: >>>> >>>>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing, >>>> with >>>>> just a basic EAP-TLS config, it says it's not compatible with iOS. >>>> Correct >>>>> me if I'm wrong? >>>>> >>>>> And thanks--to know that there's not many ways to make a mobileconfig >> is >>>>> good to know! >>>>> >>>>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland@deployingradius.com >>>>> wrote: >>>>> >>>>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet < >>>>> chevalier.violet@gmail.com> >>>>>> wrote: >>>>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess >>>>>>> that's all right. >>>>>>> >>>>>>> For the iPhone, are there any instructions for how to make the proper >>>>>> certs >>>>>>> via make client, etc. in the /etc/freeradius/certs directory? I >>>> thought >>>>>> the >>>>>>> .p12 certs were made for mobile devices like the iPhone. If you're >>>>>> telling >>>>>>> me to run some kind of mobileconfig command, I'm not sure what it is. >>>>>> The point is you have to create a "mobileconfig" file for OSX. That >>>>>> file contains information about the certificate, SSID, EAP method to >>>> use, >>>>>> etc. >>>>>> >>>>>> Right now, there aren't really many tools to create such files. See >>>>>> http://802.1x-config.org/ for one example. >>>>>> >>>>>> Alan DeKok. >>>>>> >>>>>> >>>>>> - >>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>>>> list/users.html >>>>>> >>>>> >>>>> >>>>> -- >>>>> "Do not speak, unless it improves on silence." -- Buddha >>>>> - >>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>>> list/users.html >>>> - >>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >>>> list/users.html >>>> >>> >>> >>> >>> >>> - >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html >> >> -- >> Stefan WINTER >> Ingenieur de Recherche >> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et >> de la Recherche >> 2, avenue de l'Université >> L-4365 Esch-sur-Alzette >> >> Tel: +352 424409 1 >> Fax: +352 422473 >> >> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the >> recipient's key is known to me >> >> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 >> > >
On Sep 27, 2017, at 7:54 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
attached is an example of an embedded EAP-TLS client credential. I obviously cut out most of the actual file but it gives you an idea of the structure.
The list strips attachments. Too many people were posting PNG screenshots of terminal windows with debug output. Alan DeKok.
Hi, okay, sent it off-list to the OP. Stefan Am 27.09.2017 um 14:16 schrieb Alan DeKok:
On Sep 27, 2017, at 7:54 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
attached is an example of an embedded EAP-TLS client credential. I obviously cut out most of the actual file but it gives you an idea of the structure.
The list strips attachments. Too many people were posting PNG screenshots of terminal windows with debug output.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (4)
-
Alan Buxey -
Alan DeKok -
Chevalier Violet -
Stefan Winter