Differentiate between BYOD and corporate devices - looking for some input

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Sat Jul 2 18:24:31 CEST 2016


Hi Matthew

Am 01.07.2016 um 16:59 schrieb Matthew Newton:
>> [...] Ideally if a certificate was given out for
>> each corporate device and user as well as per BYOD device, well
>> then it would be easy to identify things...
> 
> Yes.
Alas, since properly building a PK infrastructure requires doing lots of
things properly from the start, the SME IT I've met so far tries to avoid
doing that as much as possible.

>> But that's requiring a whole CA and issuing infrastructure while
>> trying to keep onboarding personal devices as simple as possible
>> for users.
> 
> Yes.
For which I haven't yet found the magic bullet. I agree though that at
least on the Windows side of clients one could make use of
auto-enrollment through GPO and push config profiles through GPO (the
latter is what I'm doing).

But I have many devices not being used for a couple of months, where they
couldn't automatically renew the client cert in a timely manner. (And
whether Windows would even present itself with an expired certificate, since
it already is quite picky... is another topic.)

[...]

> 
> Currently, EAP-TLS for laptops on the managed service, PEAP/TTLS
> MSCHAP stuff or user devices.
Ah, ok so at least I wasn't that far off with my guess.
Thanks for sharing this.

> They currently connect to different SSIDs, which also helps - but
> that wouldn't be hard to change.
So I guess that on the corporate device SSID you'd only accept EAP-TLS,
whereas on the other it's only PEAP/TTLS MSCHAP and the like, minus EAP-TLS?

I'd imagine this by either 2 virtual server instances or an unlang
statement checking the SSID the request comes from - right?
> 
> e.g.
> 
> User-Name matches host/..., do EAP-TLS and make sure we issued the
> cert.
OK, that's a point. I imagine that at some point one really has to think
about EAP-TLS in an environment with company-owned devices.

I absolutely see the point of EAP-TLS: if properly implemented, it's
likely the most robust and secure of any EAP method.

> Otherwise, if User-Name matches /@/, treat as user.
I get the idea.

After reading, all points towards EAP-TLS in the end + a couple of
additions to check things to make up the whole concept.

Again, thanks.

-- Mathieu
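As an added illustration of the scheme discussed above (the SSID check via unlang plus the "User-Name matches host/..., make sure we issued the cert" and "User-Name matches /@/, treat as user" rules), here is a post-auth policy sketch. It is example code written for this page, not from the thread or from the FreeRADIUS project. The SSID names "CORP" and "BYOD", the issuer DN "/CN=Example Corp Device CA", and the assumption that Called-Station-Id carries "AP-MAC:SSID" (a common but NAS-dependent format) are all assumptions. It relies on the TLS-Client-Cert-Issuer attribute that FreeRADIUS 3.x adds to the request after a successful EAP-TLS handshake.

```unlang
# Constructed example: place in the post-auth section of the outer virtual
# server. Runs after EAP has finished, so the EAP method and any client
# certificate attributes are known.
post-auth {

    # Corporate SSID (name is an assumption). Called-Station-Id is assumed to
    # end in ":<SSID>"; check your NAS documentation for the exact format.
    if (&Called-Station-Id =~ /:CORP$/i) {

        # Only machine identities (Windows "host/<name>") belong here.
        if (&User-Name !~ /^host\//i) {
            update reply {
                &Reply-Message := "Corporate SSID: machine credentials required"
            }
            reject
        }

        # The device must have authenticated with EAP-TLS (no issuer attribute
        # means no client certificate was presented)...
        if (!&TLS-Client-Cert-Issuer) {
            update reply {
                &Reply-Message := "Corporate SSID: certificate required"
            }
            reject
        }

        # ...and the certificate must come from our own CA (DN is an assumption;
        # FreeRADIUS renders the issuer in OpenSSL one-line "/CN=.../O=..." form).
        if (&TLS-Client-Cert-Issuer != "/CN=Example Corp Device CA") {
            update reply {
                &Reply-Message := "Corporate SSID: certificate not issued by corporate CA"
            }
            reject
        }
    }

    # BYOD SSID (name is an assumption): personal devices authenticate as a user
    # (user@realm over PEAP/TTLS); machine identities are not accepted here.
    elsif (&Called-Station-Id =~ /:BYOD$/i) {
        if (&User-Name !~ /@/) {
            update reply {
                &Reply-Message := "BYOD SSID: user credentials required"
            }
            reject
        }
    }
}
```

Restricting EAP types per SSID (e.g. refusing EAP-TLS on the BYOD SSID) is better done in the eap module configuration of a second virtual server, as suggested in the thread; the post-auth check above is the belt-and-braces part that verifies the outcome rather than the method offered.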

