EAP-TLS: Strategies for getting the right certificate to the right user

Alan Buxey alan.buxey at gmail.com
Mon Sep 11 17:22:21 CEST 2017

commercial solutions abound - cloudpath ES, Aruba Clearpass, etc etc.

if you have a deployment tool (to ensure IOS/OSX devices are locked
down etc then you can roll our EAP-TLS with that - likewise Windows
deployment tools for MS product line - Chromebooks via Googles MPM etc
- Android is the curve ball.

if you have a totally independent BYOD (which you dont because you
have to set these clients up ;-) ) then things become more interesting
(and its difficult to have a half-managed BYOD solution as most of the
management platforms are a 'take all of our policies' or 'our policy
overrides everything else'
or you cant have 2 policies).

captive portal (well, walled garden really) allowing only access to
the configuration tool is one way.... that could be open SSID, or
EAP-PEAP/TTLS based with
a public cert and a known local user/pass that is known - after all,
this is only getting you onto the walled garden.....so long as there
is then some other
enrollment process to get you a cert.  have written little utils that
people log into and then receive a freshly minted cert - open source
solutions exist
but , to be honest, if you cannot afford the big commercial players
than something like http://802.1x-config.org/ (same underlying tool as
the free-for-eduroam-users)
will be of use...


On 11 September 2017 at 16:14, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
> Which is why we use the Cloudpath ES server to configure eap-peap and
>  eap-tls. Using the ES server for OCSP allows us to manage certs as well.
> Open wifi network with dnsmasq only get you to a limited set of URLs.
> Workflow capabilities allow you to tailor what a user sees in terms of
> config options.
> A
> On 11 September 2017 at 15:33, Matthew Newton <mcn at freeradius.org> wrote:
>> On Mon, 2017-09-11 at 10:22 -0400, Chevalier Violet wrote:
>> > EAP-TLS: Strategies for getting the right certificate to the right
>> > user. It
>> > needs to be relatively automated.
>> > Users are starting with no internet access.
>> >
>> > I was thinking maybe of the following:
>> >
>> > 1) Use some kind of TTLS-MSCHAPv2 thing with a standard user &
>> > password
>> One solution is for an open network with a captive portal (no Internet
>> access), people log in (https, username, password) there, which
>> generates an installer/config, used to the configure the device.
>> But yes, enrolling on EAP-TLS can be tricky without other
>> certificate/device management systems.
>> --
>> Matthew
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list