Freeradius, BYOD and certs

Greg Sloop gregs at sloop.net
Thu Dec 2 22:46:15 CET 2021


This doesn't address the "How do you make this work..." aspect, but if
you haven't read this, it might be helpful or scary, depending... (I guess
how scary it is depends on your security stance.)

https://networkradius.com/articles/2021/08/04/wifi-spoofing.html



On Thu, Dec 2, 2021 at 1:39 PM Adam Taylor via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> You need to generate a CSR in FreeRadius and get a cert signed by a CA.
>
> You then need to only modify your eap module config file to point to the
> new cert files.
>
> The cert needs to be set up with multiple aliases if you have multiple
> FreeRadius servers.  We have two, and the cert is good for radius1.xxx.com
> and radius2.xxx.com, with the main FQDN of the cert (the domain you enter in
> Android) being auth.xxx.com.
>
> So our users type in auth.xxx.com for the domain and their user/pass and get
> auth'd and on the network.  We use PEAP, where FreeRadius queries our LDAP
> server for the users' NT/LM hashes and auths.... our LDAP is NOT the one
> deciding yes/no for authentication.... that's FreeRadius's job.... not LDAP's.
>
> We ran into this back when Android started enforcing the cert requirement
> in the Dec 2020 update patch.  I'm not in any way connected to the
> FreeRadius group here though so YMMV depending on version and other
> things.  Just trying to be helpful and help point you in the right
> direction.  We have had this config running since March without any issues
> to report.  Good Luck!
>
> Adam
>
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+ataylor=ulm.edu at lists.freeradius.org> On Behalf Of Chris Bradley
> Sent: Thursday, December 2, 2021 3:11 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius, BYOD and certs
>
>
>
> Hi everyone!
>
> We're trying to update our freeradius so that it will work with Android
> 11+ clients without using the "do not validate" option.
>
> What we want to do is allow BYOD devices to connect to our freeradius
> server (using LDAP authentication) by putting the domain entry in when
> connecting with an Android.
>
> Freeradius is working fine with LDAP.
>
> Ultimately, I'm trying to put a certificate on the freeradius server so
> that BYOD clients (android 11+ specifically) can authenticate using LDAP
> *without* them having to download a certificate from somewhere before
> attempting the connection to freeradius.
>
> From what I understand, I can't do that with a wildcard certificate or a
> self-signed one.
>
> So, if that's possible, I need some guidance on how to get it accomplished
> and what kind of cert I need to procure.
>
> Thanks!
>
> --
>
> This message originated from Bartholomew Consolidated School Corporation,
> Columbus, Indiana.
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


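The procedure Adam describes above (generate a CSR, have a CA sign it, give the cert one alias per RADIUS server plus the name users type into Android's domain field, then point the eap module at the files), as an added shell example that is not part of the thread and is not FreeRADIUS project code. The example.com hostnames, the ./radius-certs output directory and the rsa:3072 key size are assumptions; the CA signing step itself is left out because it depends on the issuer. The three setting names in the emitted snippet (private_key_file, certificate_file, ca_file) are the tls-config settings in FreeRADIUS 3.x mods-available/eap; the paths they point at are this example's assumptions. It needs openssl 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): build the
# EAP server key and CSR with one SAN per RADIUS server name plus the name
# users enter as the domain on Android, check the CSR before it goes to the
# CA, and emit the eap module lines that point at the resulting files.
# Assumed values: example.com hostnames, ./radius-certs, rsa:3072.
set -eu

CERT_DIR="${CERT_DIR:-./radius-certs}"
PRIMARY_NAME="${PRIMARY_NAME:-auth.example.com}"   # what users type as the domain
SERVER_NAMES="${SERVER_NAMES:-radius1.example.com radius2.example.com}"

# Build "DNS:a,DNS:b,..." from the primary name and the per-server names.
san_string() {
  san="DNS:$PRIMARY_NAME"
  for name in $SERVER_NAMES; do
    san="$san,DNS:$name"
  done
  printf '%s' "$san"
}

# Generate the private key and a CSR carrying the SAN list and a serverAuth EKU.
make_csr() {
  mkdir -p "$CERT_DIR"
  umask 077   # the private key must not be group/world readable
  openssl req -new -newkey rsa:3072 -nodes \
    -keyout "$CERT_DIR/server.key" \
    -out "$CERT_DIR/server.csr" \
    -subj "/CN=$PRIMARY_NAME" \
    -addext "subjectAltName=$(san_string)" \
    -addext "extendedKeyUsage=serverAuth"
}

# Return 0 if the CSR requests a dNSName SAN equal to $1. Check every name
# before sending the CSR off: a missing alias cannot be fixed after signing.
csr_has_san() {
  openssl req -in "$CERT_DIR/server.csr" -noout -text | grep -Eq "DNS:$1(,|$)"
}

# Subject CN of the CSR (handles both "CN = x" and "/CN=x" output styles).
csr_cn() {
  openssl req -in "$CERT_DIR/server.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Lines for mods-available/eap, inside tls-config tls-common { ... }.
# server.crt is the CA-signed cert (with any intermediates appended),
# ca-chain.pem the issuing chain; both are assumed paths.
eap_tls_lines() {
  cat <<EOF
private_key_file = $CERT_DIR/server.key
certificate_file = $CERT_DIR/server.crt
ca_file = $CERT_DIR/ca-chain.pem
EOF
}

make_csr
for n in $PRIMARY_NAME $SERVER_NAMES; do
  csr_has_san "$n" || { echo "missing SAN: $n" >&2; exit 1; }
done
echo "CSR ready: $CERT_DIR/server.csr (CN=$(csr_cn))"
eap_tls_lines > "$CERT_DIR/eap-tls-snippet.conf"
```

After the CA returns the signed certificate, place it (followed by any intermediate certificates) at the certificate_file path, the issuer chain at the ca_file path, and restart FreeRADIUS; repeat the SAN check against the signed cert with `openssl x509 -in server.crt -noout -text` so that every server name and the user-facing domain are actually present in what the CA issued.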