EAP-TLS: Strategies for getting the right certificate to the right user

Alan DeKok aland at deployingradius.com
Mon Sep 11 16:28:42 CEST 2017

On Sep 11, 2017, at 10:22 AM, Chevalier Violet <chevalier.violet at gmail.com> wrote:
> EAP-TLS: Strategies for getting the right certificate to the right user. It
> needs to be relatively automated. I do have users coming by with BYOD
> devices, e.g. iPhones (omg they're super finicky about the freeradius setup
> but that's another story!), frequently when I'm not around to set them up.

  You need an automated system.  See http://802.1x-config.org for an example.

  The sad truth is that many systems (cough ANDROID) don't have provisions for automatically provisioning WiFi credentials.  Which pretty much means you need to do it manually.

> Users are starting with no internet access.
> I was thinking maybe of the following:
> 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
> for guests that would change every so often. Maybe let them use the
> internet either i) for a few minutes at a time or ii) only to access a page
> on the internal network from which they could download the guest
> certificate that would allow them to connect via EAP-TLS? 3) the certs
> would expire after a few days.

  That may work...

> I have been struggling to get even my own iPhone to have the proper cert!

  What's going wrong?

> On the bright side, my two linux machines are now working with EAP-TLS so
> there's hope for me! I wish I could just put the certs on a USB key but
> that doesn't work for phones. And it's a bunch of Linux machines, no
> Windows or Macs around. Excuse me if this is a n00b question.

  It's everyone's question.  If only there was a standard for this, everyone's lives would be easier.

> https://github.com/FreeRADIUS/freeradius-server/issues/2045#issuecomment-324641610
> Arr2036 mentions that the hot spot 2.0 standards set out how this could
> work, with auto-renewing certs and the whole 9 yards. I wasn't able to find
> how to make that work for linux, for instance with freeradius. Thanks!

  You'll need an AP capable of Hotspot 2.0, and a captive portal capable of hotspot 2.0.  That's the hard part.  The FreeRADIUS portion is easy.

  Alan DeKok.
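As an added example that is not from this thread, the short-lived guest certificate idea above (item 3) carried out with openssl: issue an EAP-TLS client certificate valid for only a few days from a private CA and package it as PKCS#12 for a phone to import. The CA name, guest user name, export password and 3-day lifetime are constructed values for illustration, and a real deployment would use its existing internal CA rather than the throwaway one created here.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): issue a short-lived
# EAP-TLS client certificate and bundle it as PKCS#12 for a BYOD device.
# Assumes openssl is installed; names, password and lifetime are constructed.
set -e

issue_guest_cert() {
  # $1 = guest user name, $2 = lifetime in days, $3 = output directory
  user="$1"; days="$2"; out="$3"
  mkdir -p "$out"

  # Throwaway private CA (stands in for your existing internal CA).
  if [ ! -f "$out/ca.key" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out/ca.key" \
      -out "$out/ca.pem" -days 365 -subj "/CN=Example Guest CA" >/dev/null 2>&1
  fi

  # Per-user private key and CSR; the CN is what FreeRADIUS sees as the identity.
  openssl req -newkey rsa:2048 -nodes -keyout "$out/$user.key" \
    -out "$out/$user.csr" -subj "/CN=$user" >/dev/null 2>&1

  # Sign with a short validity so a lost or forgotten device stops working
  # on its own. extendedKeyUsage=clientAuth is what supplicants expect for EAP-TLS.
  printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
  openssl x509 -req -in "$out/$user.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
    -CAcreateserial -days "$days" -extfile "$out/client.ext" \
    -out "$out/$user.pem" >/dev/null 2>&1

  # PKCS#12 (key + cert + CA) is the format phones import; the password is
  # a constructed placeholder and would be handed to the user out of band.
  openssl pkcs12 -export -inkey "$out/$user.key" -in "$out/$user.pem" \
    -certfile "$out/ca.pem" -passout pass:changeit -out "$out/$user.p12"
  echo "$out/$user.p12"
}

# Returns 0 if the certificate at $1 is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Running `issue_guest_cert guest01 3 ./out` produces `./out/guest01.p12`, and `cert_valid_for ./out/guest01.pem 86400` succeeds while a check four days out fails, which is the self-expiring behaviour the proposal relies on.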
