EAP-TLS: Strategies for getting the right certificate to the right user

Chevalier Violet chevalier.violet at gmail.com
Mon Sep 11 16:22:12 CEST 2017

I've been googling around and am kind of surprised not to be seeing a ton of
resources about this. Maybe you all can help!

EAP-TLS: Strategies for getting the right certificate to the right user. It
needs to be relatively automated. I do have users coming by with BYOD
devices, e.g. iPhones (omg they're super finicky about the freeradius setup
but that's another story!), frequently when I'm not around to set them up.

Users are starting with no internet access.

I was thinking maybe of the following:

1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
for guests that would change every so often. 2) Maybe let them use the
internet either i) for a few minutes at a time or ii) only to access a page
on the internal network from which they could download the guest
certificate that would allow them to connect via EAP-TLS? 3) The certs
would expire after a few days.

I have been struggling to get even my own iPhone to have the proper cert!
On the bright side, my two linux machines are now working with EAP-TLS so
there's hope for me! I wish I could just put the certs on a USB key but
that doesn't work for phones. And it's a bunch of Linux machines, no
Windows or Macs around. Excuse me if this is a n00b question.

Thanks everyone!

PS At this link:

Arr2036 mentions that the hot spot 2.0 standards set out how this could
work, with auto-renewing certs and the whole 9 yards. I wasn't able to find
how to make that work for linux, for instance with freeradius. Thanks!

More information about the Freeradius-Users mailing list