Differentiate between BYOD and corporate devices - looking for some input

Matthew Newton mcn4 at leicester.ac.uk
Fri Jul 1 16:59:27 CEST 2016

On Fri, Jul 01, 2016 at 04:46:50PM +0200, Mathieu Simon (Lists) wrote:
> Do some of you use different EAP methods like i.e. EAP-TLS for
> corporate devices while a password-based method is used for
> personal devices. Ideally if a certificate was given out for
> each corporate device and user as well as per BYOD device, well
> then it would be easy to identify things...


> But that's requiring a whole CA and issuing infrastructure while
> trying to keep onboarding personal devices as simple as possible
> for users.


> I don't have a urgent need for it right now but I have tried to
> get an idea on that topic yet haven't found a satisfying path
> (and without working every day with FreeRADIUS that is).  Maybe
> someone is willing to share his or her experiences?

Currently, EAP-TLS for laptops on the managed service, PEAP/TTLS
MSCHAP stuff or user devices.

They currently connect to different SSIDs, which also helps - but
that wouldn't be hard to change.


User-Name matches host/..., do EAP-TLS and make sure we issued the

Otherwise, if User-Name matches /@/, treat as user.


Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list