Hi everyone! We're trying to update our freeradius so that it will work with Android 11+ clients without using the "do not validate" option. What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android. Freeradius is working fine with LDAP. Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure. Thanks! -- This message originated from Bartholomew Consolidated School Corporation, Columbus, Indiana. The message and any attachments may be confidential or privileged and are intended only for the individual or entity identified above as the addressee. This email should not be disseminated, distributed, or copied. If you are not the addressee, or if this message has been addressed to you in error, you are not authorized to read, copy or distribute this message or any attachments; and we ask that you please delete it and notify the sender by return e-mail. Delivery of this message and any attachments to any person other than the intended recipient(s) is not intended in any way to waive confidentiality or a privilege. All personal messages express views only of the sender, which are not to be attributed to Bartholomew Consolidated School Corporation, and may not be copied or distributed without this statement.
You need to generate a CSR in FreeRadius and get a cert signed by a CA. You then need to only modify your eap module config file to point to the new cert files. The cert needs to be set with multiple aliases if you have multiple FreeRadius servers. We have two and the cert is good for radius1.XXX.com and radius2.xxx.com with the main cert FQDN, the domain you enter in Android, of the cert as auth.xxx.com So our users type in auth.xxx.com for domain and their user/pass and get auth'd and on the network. We use PEAP where FreeRadius queries our LDAP server for the users NT/LM hashes and auths....our LDAP is NOT the one deciding yes/no for authentication....that's FreeRadius's job....not LDAP's. We ran into this back when Android starting enforcing the cert requirement on the Dec 2020 update patch. I'm not in any way connected to the FreeRadius group here though so YMMV depending on version and other things. Just trying to be helpful and help point you in the right direction. We have had this config running since March without any issues to report. Good Luck! Adam -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+ataylor=ulm.edu@lists.freeradius.org> On Behalf Of Chris Bradley Sent: Thursday, December 2, 2021 3:11 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius, BYOD and certs ULM CAUTION! This email was sent from an external sender. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hi everyone! We're trying to update our freeradius so that it will work with Android 11+ clients without using the "do not validate" option. What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android. Freeradius is working fine with LDAP. Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure. Thanks! -- This message originated from Bartholomew Consolidated School Corporation, Columbus, Indiana. The message and any attachments may be confidential or privileged and are intended only for the individual or entity identified above as the addressee. This email should not be disseminated, distributed, or copied. If you are not the addressee, or if this message has been addressed to you in error, you are not authorized to read, copy or distribute this message or any attachments; and we ask that you please delete it and notify the sender by return e-mail. Delivery of this message and any attachments to any person other than the intended recipient(s) is not intended in any way to waive confidentiality or a privilege. All personal messages express views only of the sender, which are not to be attributed to Bartholomew Consolidated School Corporation, and may not be copied or distributed without this statement. - List info/subscribe/unsubscribe? See https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=04%7C01%7Cataylor%40ulm.edu%7Cafdc0ed28a8a479ce46808d9b5d885e3%7C90963b0cb03044fba95a9e359af4f668%7C1%7C0%7C637740763833658757%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rAHFA6byMXdJqhcN3oJg1IT3vbFwU2o3HNSZ8UYYjeU%3D&reserved=0
This doesn't address the, "How do you make this work..." aspect - but if you haven't, reading this might be helpful or scary, depending... (I guess how scary it is, depends on your security stance.) https://networkradius.com/articles/2021/08/04/wifi-spoofing.html On Thu, Dec 2, 2021 at 1:39 PM Adam Taylor via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
You need to generate a CSR in FreeRadius and get a cert signed by a CA.
You then need to only modify your eap module config file to point to the new cert files.
The cert needs to be set with multiple aliases if you have multiple FreeRadius servers. We have two and the cert is good for radius1.XXX.com and radius2.xxx.com with the main cert FQDN, the domain you enter in Android, of the cert as auth.xxx.com
So our users type in auth.xxx.com for domain and their user/pass and get auth'd and on the network. We use PEAP where FreeRadius queries our LDAP server for the users NT/LM hashes and auths....our LDAP is NOT the one deciding yes/no for authentication....that's FreeRadius's job....not LDAP's.
We ran into this back when Android starting enforcing the cert requirement on the Dec 2020 update patch. I'm not in any way connected to the FreeRadius group here though so YMMV depending on version and other things. Just trying to be helpful and help point you in the right direction. We have had this config running since March without any issues to report. Good Luck!
Adam
-----Original Message----- From: Freeradius-Users <freeradius-users-bounces+ataylor= ulm.edu@lists.freeradius.org> On Behalf Of Chris Bradley Sent: Thursday, December 2, 2021 3:11 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius, BYOD and certs
ULM CAUTION! This email was sent from an external sender. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi everyone!
We're trying to update our freeradius so that it will work with Android 11+ clients without using the "do not validate" option.
What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android.
Freeradius is working fine with LDAP.
Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure.
Thanks!
--
This message originated from Bartholomew Consolidated School Corporation, Columbus, Indiana.
The message and any attachments may be confidential or privileged and are intended only for the individual or entity identified above as the addressee. This email should not be disseminated, distributed, or copied. If you are not the addressee, or if this message has been addressed to you in error, you are not authorized to read, copy or distribute this message or any attachments; and we ask that you please delete it and notify the sender by return e-mail. Delivery of this message and any attachments to any person other than the intended recipient(s) is not intended in any way to waive confidentiality or a privilege. All personal messages express views only of the sender, which are not to be attributed to Bartholomew Consolidated School Corporation, and may not be copied or distributed without this statement.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc@bcsc.k12.in.us> wrote:
What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android.
That *might* work. However... many systems have known root CAs enabled for web surfing, but disabled for EAP. Which means the only way to get WiFi working is to ??? somehow enable / add a root CA. I've been arguing this point with the various standards bodies for a while. Apparently the people who interact with customers are few and far between there. So things hated by real people just aren't a priority to fix in the standards. :(
Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
I've bene trying to do the same thing for a while. it's hard. The simple answer is things like Eduroam CAT: https://cat.eduroam.org/ It get you a simple tool to configure end-user machines. But it means you should be part of Eduroam. Which you might want to do anyways...
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure.
"Here be dragons" :( OS / Phone vendors randomly change requirements, UI, processes, work flows, etc. for WiFi configuration. It's a huge problem. Alan DeKok.
Not particularly helpful today, but in the WPA3 standard there is an /optional/ standard called DPP or EasyConnect. It was born from the old WIPS protocol. DPP is meant as a general onboarding standard primarily focused for IoT devices, but nothing explicitly prevents it from being used more generally. Basically, it creates an out-of-band connection (think Bluetooth) to a configuration node which will push a wireless config (including certs). At this point I’m not sure anyone actually supports it, but at least it’s an adopted standard (even though it’s an optional one). Maybe one day these frustrations will be behind us On Thu, Dec 2, 2021 at 6:56 PM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc@bcsc.k12.in.us> wrote:
What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication) and connect by putting the domain entry in for connecting with an android.
That *might* work. However... many systems have known root CAs enabled for web surfing, but disabled for EAP. Which means the only way to get WiFi working is to ??? somehow enable / add a root CA.
I've been arguing this point with the various standards bodies for a while. Apparently the people who interact with customers are few and far between there. So things hated by real people just aren't a priority to fix in the standards. :(
Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (android 11+ specifically) can authenticate using LDAP *without* them having to download a certificate from somewhere before attempting the connection to freeradius.
I've bene trying to do the same thing for a while. it's hard.
The simple answer is things like Eduroam CAT: https://cat.eduroam.org/
It get you a simple tool to configure end-user machines. But it means you should be part of Eduroam. Which you might want to do anyways...
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure.
"Here be dragons" :(
OS / Phone vendors randomly change requirements, UI, processes, work flows, etc. for WiFi configuration. It's a huge problem.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog (He/Him/His) Network Architect munroe@lehigh.edu
participants (5)
-
Adam Taylor -
Alan DeKok -
Chris Bradley -
Greg Sloop <gregs@sloop.net> -
Munroe Sollog