EAP-TLS working but asking for cert

Stefan Winter stefan.winter at restena.lu
Wed Sep 27 13:54:35 CEST 2017


Hi,

attached is an example of an embedded EAP-TLS client credential. I
obviously cut out most of the actual file but it gives you an idea of
the structure.

Stefan

On 26.09.17 17:23, Chevalier Violet wrote:
> Okay, thanks Stefan!
>
> I found this explanation for how to create the file (yay!). Any tips on how
> to embed the files? It's giving instructions on how to sign, but not
> entirely sure how to embed the other file.
>
> http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
>
> And my iPhone is still not recognizing either a signed or unsigned version
> of that file. If you have further insights, that would be great! But I get
> that essentially this is just poor implementation by Apple folks.
>
> On Tue, Sep 26, 2017 at 5:39 AM, Stefan Winter <stefan.winter at restena.lu>
> wrote:
>
>> Hi,
>>
>>> Alan D: yes I know iOS supports EAP-TLS, I'm just saying that
>>> https://802.1x-config.org seems to not support it, or at least
>> according to
>>> this screen (attached, but not sure that will come through) that I got to
>>> when I tried to export a mobileconfig for iOS. So unless I'm mistaken, I
>>> can't make a .mobileconfig file using that suggested site, at least not
>> for
>>> EAP-TLS for iOS. But please do correct me if I'm wrong!
>> Yes that's correct. For proper operation, the mobileconfig profile needs
>> to embed the client (p12) cert along with all other Wi-Fi settings (such
>> as the CA cert).
>>
>> Since 802.1x-config.org does not want your private information (such as
>> the private key to the client cert), it's not possible to deliver a good
>> profile.
>>
>>> Alan B: Are you referring to the Apple Configurator 2? Unfortunately, it
>>> can only be downloaded with a mac. I guess that could be arranged but boy
>>> if either of you have a better idea, that would be great!
>>>
>>> I added the ca.pem cert to my Linux connection--I hope that means that
>>> rogue APs can't connect with me anymore!
>> If done right, that's correct. Note that 802.1x-config.org does support
>> EAP-TLS for Linux, and it pushes all the knobs so that the resulting
>> config /is/ correct.
>>
>> Greetings,
>>
>> Stefan
>>
>>> Thanks--if y'all have insights, that would be great.
>>>
>>> On Mon, Sep 25, 2017 at 5:58 PM, Alan Buxey <alan.buxey at gmail.com>
>> wrote:
>>>> Apple provide a tool to make mobileconfig profiles
>>>>
>>>> alan
>>>>
>>>> On 25 Sep 2017 10:21 pm, "Chevalier Violet" <chevalier.violet at gmail.com
>>>> wrote:
>>>>
>>>>> Thanks all--I have tried the 802.1x-config site. From what I'm seeing,
>>>> with
>>>>> just a basic EAP-TLS config, it says it's not compatible with iOS.
>>>> Correct
>>>>> me if I'm wrong?
>>>>>
>>>>> And thanks--to know that there's not many ways to make a mobileconfig
>> is
>>>>> good to know!
>>>>>
>>>>> On Mon, Sep 25, 2017 at 4:40 PM, Alan DeKok <aland at deployingradius.com
>>>>> wrote:
>>>>>
>>>>>> On Sep 25, 2017, at 4:31 PM, Chevalier Violet <
>>>>> chevalier.violet at gmail.com>
>>>>>> wrote:
>>>>>>> I mean, I can manually ask Linux to use the CA that I set, so I guess
>>>>>>> that's all right.
>>>>>>>
>>>>>>> For the iPhone, are there any instructions for how to make the proper
>>>>>> certs
>>>>>>> via make client, etc. in the /etc/freeradius/certs directory? I
>>>> thought
>>>>>> the
>>>>>>> .p12 certs were made for mobile devices like the iPhone. If you're
>>>>>> telling
>>>>>>> me to run some kind of mobileconfig command, I'm not sure what it is.
>>>>>>   The point is you have to create a "mobileconfig" file for OSX.  That
>>>>>> file contains information about the certificate, SSID, EAP method to
>>>> use,
>>>>>> etc.
>>>>>>
>>>>>>   Right now, there aren't really many tools to create such files.  See
>>>>>> http://802.1x-config.org/ for one example.
>>>>>>
>>>>>>   Alan DeKok.
>>>>>>
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>>> list/users.html
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> "Do not speak, unless it improves on silence."  -- Buddha
>>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>> de la Recherche
>> 2, avenue de l'Université
>> L-4365 Esch-sur-Alzette
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>> recipient's key is known to me
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>>
>
>
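
Stefan's attachment with the embedded credential is not in the archive, so the following is an added illustration of the structure he describes. It is example code written for this thread, not code from the list, from FreeRADIUS or from Apple. It assembles an EAP-TLS .mobileconfig in which the CA certificate (com.apple.security.root) and the client .p12 (com.apple.security.pkcs12) are embedded as separate payloads and the Wi-Fi payload (com.apple.wifi.managed) refers to them by PayloadUUID, which is why the profile has to be built where the private key is and why 802.1x-config.org cannot produce it. A small checker then verifies the references resolve, that only EAP-TLS is offered and that TLSTrustedServerNames is set, the piece that makes the CA trust actually reject a rogue AP. The SSID, the organisation identifier, the server name and the certificate/.p12 bytes are constructed placeholders; in practice you would feed it ca.pem and the client .p12 that `make client` writes in /etc/freeradius/certs. Only the Python standard library is used.

```python
"""Assemble and sanity-check an EAP-TLS Wi-Fi .mobileconfig profile.

Added example, not code from the thread, FreeRADIUS or Apple. Payload
keys follow Apple's Configuration Profile Reference. SSID, identifiers,
server name and the sample certificate/.p12 bytes are assumptions."""
import base64
import plistlib
import re
import uuid

EAP_TLS = 13  # IANA EAP method type number for EAP-TLS

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first certificate and base64-decode it;
    the root payload carries raw DER, not the PEM text."""
    m = _PEM_CERT.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def _payload(ptype, suffix, name, org, **extra):
    """Common Apple payload header plus the type-specific keys."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.{suffix}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **extra}


def build_profile(ssid, ca_pem, p12_bytes, p12_password, server_names,
                  org="org.example"):
    """Three payloads tied together by UUID: CA anchor, client identity,
    and the Wi-Fi network that uses both."""
    ca = _payload("com.apple.security.root", "ca", "RADIUS server CA", org,
                  PayloadContent=pem_to_der(ca_pem))      # <data> in the plist
    ident = _payload("com.apple.security.pkcs12", "client",
                     "EAP-TLS client identity", org,
                     PayloadContent=p12_bytes,            # .p12 = key + cert
                     Password=p12_password)               # its export password
    wifi = _payload("com.apple.wifi.managed", "wifi", f"Wi-Fi {ssid}", org,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2",
                    PayloadCertificateUUID=ident["PayloadUUID"],  # identity
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],              # EAP-TLS only
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                        "TLSTrustedServerNames": list(server_names),
                    })
    return _payload("Configuration", "eaptls", f"{ssid} (EAP-TLS)", org,
                    PayloadContent=[ca, ident, wifi])


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML plist iOS expects inside a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes) -> list:
    """Return a list of problems; an empty list means the profile is sane.
    Verifies that identity and anchor references resolve to payloads of
    the right type, that only EAP-TLS is offered, and that the server
    name is pinned (otherwise any cert under the anchor CA is accepted)."""
    prof = plistlib.loads(data)
    by_uuid = {p["PayloadUUID"]: p for p in prof["PayloadContent"]}
    wifi = [p for p in by_uuid.values()
            if p["PayloadType"] == "com.apple.wifi.managed"]
    if not wifi:
        return ["no com.apple.wifi.managed payload"]
    problems = []
    for w in wifi:
        eap = w.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            problems.append("AcceptEAPTypes is not exactly [13] (EAP-TLS)")
        ident = by_uuid.get(w.get("PayloadCertificateUUID"), {})
        if ident.get("PayloadType") != "com.apple.security.pkcs12":
            problems.append("PayloadCertificateUUID does not resolve to a "
                            "pkcs12 payload")
        anchors = eap.get("PayloadCertificateAnchorUUID") or []
        if not anchors or any(by_uuid.get(a, {}).get("PayloadType")
                              != "com.apple.security.root" for a in anchors):
            problems.append("PayloadCertificateAnchorUUID missing or not a "
                            "root payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty: no server name "
                            "pinning")
    return problems


# Constructed stand-ins so the script runs offline; replace them with the
# real ca.pem and the client .p12 (e.g. from `make client`).
SAMPLE_DER = bytes(range(64))
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_DER).decode()
                 + "-----END CERTIFICATE-----\n")
SAMPLE_P12 = b"\x30\x82\x00\x10constructed-p12-placeholder"


def sample_profile() -> bytes:
    return to_mobileconfig(build_profile(
        "example-wlan", SAMPLE_CA_PEM, SAMPLE_P12, "export-password",
        ["radius.example.org"]))


if __name__ == "__main__":
    data = sample_profile()
    print("problems:", check_profile(data) or "none")
    with open("eaptls.mobileconfig", "wb") as f:
        f.write(data)
```

The resulting file contains the client's private key (inside the .p12) and its export password in clear, so it should be handed to the device over an authenticated channel and deleted afterwards. Signing, which the rootmanager page discusses, is a separate step over the finished file; the usual invocation is `openssl smime -sign -signer cert.pem -inkey key.pem -certfile chain.pem -nodetach -outform der -in eaptls.mobileconfig -out eaptls-signed.mobileconfig` (file names assumed), which produces a DER-encoded PKCS#7 wrapper iOS will display as verified if the signer chains to a CA it trusts.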
