EAP-TLS working but asking for cert

Stefan Winter stefan.winter at restena.lu
Tue Sep 26 11:39:17 CEST 2017


> Alan D: yes I know iOS supports EAP-TLS, I'm just saying that
> https://802.1x-config.org seems to not support it, or at least according to
> this screen (attached, but not sure that will come through) that I got to
> when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I
> can't make a .mobileconfig file using that suggested site, at least not for
> EAP-TLS for iOS. But please do correct me if I'm wrong!

Yes that's correct. For proper operation, the mobileconfig profile needs
to embed the client (p12) cert along with all other Wi-Fi settings (such
as the CA cert).

Since 802.1x-config.org does not want your private information (such as
the private key to the client cert), it's not possible to deliver a good

> Alad B: Are you referring to the Apple Configurator 2? Unfortunately, it
> can only be downloaded with a mac. I guess that could be arranged but boy
> if either of you have a better idea, that would be great!
> I added the ca.pem cert to my Linux connection--I hope that means that
> rogue APs can't connect with me anymore!

If done right, that's correct. Note that 802.1x-config.org does support
EAP_TLS for Linux, and it pushes all the knobs so that the resulting
config /is/ correct.



> Thanks--if y'all have insights, that would be great.
> On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>> Apple provide a tool to make mobileconfig profiles
>> alan
>> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet at gmail.com>
>> wrote:
>>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing,
>> with
>>> just a basic EAP-TLS config, it says it's not compatible with iOS.
>> Correct
>>> me if I'm wrong?
>>> And thanks--to know that there's not many ways to make a mobileconfig is
>>> good to know!
>>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland at deployingradius.com>
>>> wrote:
>>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet <
>>> chevalier.violet at gmail.com>
>>>> wrote:
>>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess
>>>>> that's all right.
>>>>> For the iPhone, are there any instructions for how to make the proper
>>>> certs
>>>>> via make client, etc. in the /etc/freeradius/certs directory? I
>> thought
>>>> the
>>>>> .p12 certs were made for mobile devices like the iPhone. If you're
>>>> telling
>>>>> me to run some kind of mobileconfig command, I'm not sure what it is.
>>>>   The point is you have to create a "mobileconfig" file for OSX.  That
>>>> file contains information about the certificate, SSID, EAP method to
>> use,
>>>> etc.
>>>>   Right now, there aren't really many tools to create such files.  See
>>>> http://802.1x-config.org/ for one example.
>>>>   Alan DeKok.
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>> list/users.html
>>> --
>>> "Do not speak, unless it improves on silence."  -- Buddha
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170926/ddf14fa2/attachment.sig>

More information about the Freeradius-Users mailing list