Differentiate between BYOD and corporate devices - looking for some input
Matthew Newton
mcn4 at leicester.ac.uk
Fri Jul 1 16:59:27 CEST 2016
On Fri, Jul 01, 2016 at 04:46:50PM +0200, Mathieu Simon (Lists) wrote:
> Do some of you use different EAP methods like i.e. EAP-TLS for
> corporate devices while a password-based method is used for
> personal devices? Ideally if a certificate was given out for
> each corporate device and user as well as per BYOD device, well
> then it would be easy to identify things...
Yes.
> But that's requiring a whole CA and issuing infrastructure while
> trying to keep onboarding personal devices as simple as possible
> for users.
Yes.
> I don't have an urgent need for it right now but I have tried to
> get an idea on that topic yet haven't found a satisfying path
> (and without working every day with FreeRADIUS that is). Maybe
> someone is willing to share his or her experiences?
Currently, EAP-TLS for laptops on the managed service, PEAP/TTLS
MSCHAP stuff for user devices.
They currently connect to different SSIDs, which also helps - but
that wouldn't be hard to change.
e.g.
User-Name matches host/..., do EAP-TLS and make sure we issued the
cert.
Otherwise, if User-Name matches /@/, treat as user.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
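
The decision sketched in the message above, modeled in Python as an added example (not code from the post or from FreeRADIUS). The CA name, the class labels, the CN-binding check and the rule that user identities only use PEAP/TTLS are assumptions; the point shown is that the client-chosen host/ prefix only counts when the EAP method and certificate issuer agree with it.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder: subject DN of the CA that issues managed-laptop certs.
OUR_CA_DN = "CN=Example Managed Device CA,O=Example Org"

@dataclass
class AuthRequest:
    user_name: str                     # EAP identity, chosen by the client
    eap_method: str                    # EAP method that actually completed
    cert_issuer: Optional[str] = None  # issuer DN of the verified client cert
    cert_cn: Optional[str] = None      # subject CN of the verified client cert

def classify(req: AuthRequest) -> Tuple[Optional[str], str]:
    """Return (device_class, reason); device_class None means reject."""
    if re.match(r"^host/", req.user_name):
        # The identity string alone proves nothing: require the certificate path.
        if req.eap_method != "TLS":
            return None, "host/ identity without EAP-TLS"
        if req.cert_issuer != OUR_CA_DN:
            return None, "client certificate not issued by our CA"
        # Extra check, not in the post: bind the identity to the cert subject.
        if req.cert_cn != req.user_name[len("host/"):]:
            return None, "identity does not match certificate CN"
        return "corporate", "managed laptop"
    if re.search(r"@", req.user_name):
        # Assumption: user devices only ever use the password-based methods.
        if req.eap_method not in ("PEAP", "TTLS"):
            return None, "user identity with unexpected EAP method"
        return "byod", "user device"
    return None, "identity matches neither pattern"

# Constructed sample requests, not taken from any real log.
SAMPLES = [
    AuthRequest("host/laptop1.example.org", "TLS", OUR_CA_DN, "laptop1.example.org"),
    AuthRequest("host/laptop1.example.org", "PEAP"),
    AuthRequest("host/laptop1.example.org", "TLS", "CN=Some Other CA", "laptop1.example.org"),
    AuthRequest("alice@example.org", "PEAP"),
    AuthRequest("alice", "TTLS"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user_name, s.eap_method, classify(s))
```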