Freeradius, BYOD and certs
ataylor at ulm.edu
Thu Dec 2 22:38:02 CET 2021
You need to generate a CSR in FreeRadius and get a cert signed by a CA.
You then only need to modify your eap module config file to point to the new cert files.
The cert needs to be set with multiple aliases if you have multiple FreeRadius servers. We have two, and the cert is good for radius1.xxx.com and radius2.xxx.com, with the main FQDN of the cert (the domain you enter in Android) being auth.xxx.com.
So our users type in auth.xxx.com for the domain plus their user/pass, and they get auth'd and onto the network. We use PEAP, where FreeRadius queries our LDAP server for the user's NT/LM hashes and auths... our LDAP is NOT the one deciding yes/no for authentication... that's FreeRadius's job, not LDAP's.
We ran into this back when Android started enforcing the cert requirement in the Dec 2020 update patch. I'm not in any way connected to the FreeRadius group here, though, so YMMV depending on version and other things. Just trying to be helpful and point you in the right direction. We have had this config running since March without any issues to report. Good luck!
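The steps above (CSR with every server name in the subjectAltName, then pointing the eap module at the signed files), written out as an added example that is not part of the original message or of FreeRADIUS itself. The hostnames auth.xxx.com, radius1.xxx.com and radius2.xxx.com follow the reply; the output directory, the /etc/raddb/certs paths and the 2048-bit RSA key are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build an openssl request config whose
# subjectAltName carries every RADIUS server name, generate the key and CSR to
# send to the CA, and emit the eap{} tls-config lines for the signed files.
set -eu

WORKDIR="${WORKDIR:-./radius-cert}"      # assumed output directory
CN="auth.xxx.com"                         # the name users type into Android's Domain field
SANS="auth.xxx.com radius1.xxx.com radius2.xxx.com"   # every name the cert must cover

# Write an openssl config listing all server names as DNS SANs. Clients match
# the Domain field against the SAN extension, so the CN alone is not enough;
# serverAuth is requested here, but the CA decides which extensions it signs.
make_san_config() {
    cfg="$1"
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$CN"
        printf '[ext]\nsubjectAltName = @alt\nextendedKeyUsage = serverAuth\n\n[alt]\n'
        i=1
        for name in $SANS; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate a fresh private key and the CSR that goes to the CA.
make_csr() {
    mkdir -p "$WORKDIR"
    make_san_config "$WORKDIR/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -config "$WORKDIR/req.cnf"
    chmod 600 "$WORKDIR/server.key"       # the key never leaves this host
}

# List the SANs the CSR actually requests, one per line, before sending it off.
csr_sans() {
    openssl req -in "$WORKDIR/server.csr" -noout -text \
        | grep -o 'DNS:[^,]*' | tr -d ' '
}

# The tls-config section for mods-available/eap once the CA returns the signed
# cert. certificate_file should hold the server cert with the CA's intermediate
# appended so clients can build the chain; paths are assumptions.
eap_tls_config() {
    cat <<'EOF'
tls-config tls-common {
    private_key_file = /etc/raddb/certs/server.key
    certificate_file = /etc/raddb/certs/server.pem
    ca_file = /etc/raddb/certs/ca-chain.pem
    tls_min_version = "1.2"
}
EOF
}

# Usage: sh radius-csr.sh run
if [ "${1:-}" = "run" ]; then
    make_csr
    echo "Requested SANs:"; csr_sans
    echo; eap_tls_config
fi
```

After dropping the signed certificate and chain into place, `radiusd -XC` checks that the eap module can load the key and certificate before you restart the service, and the same CSR works for both servers only if each one gets the same key and certificate files.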
From: Freeradius-Users <freeradius-users-bounces+ataylor=ulm.edu at lists.freeradius.org> On Behalf Of Chris Bradley
Sent: Thursday, December 2, 2021 3:11 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius, BYOD and certs
We're trying to update our freeradius so that it will work with Android 11+ clients without using the "do not validate" option.
What we want to do is allow BYOD devices to connect to our freeradius server (using LDAP authentication), connecting by putting the domain entry in when connecting with an Android.
Freeradius is working fine with LDAP.
Ultimately, I'm trying to put a certificate on the freeradius server so that BYOD clients (Android 11+ specifically) can authenticate using LDAP
*without* having to download a certificate from somewhere before attempting the connection to freeradius.
From what I understand, I can't do that with a wildcard certificate or a self-signed one.
So, if that's possible, I need some guidance on how to get it accomplished and what kind of cert I need to procure.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html