Freeradius, BYOD and certs
Greg Sloop <email@example.com>
gregs at sloop.net
Thu Dec 2 22:46:15 CET 2021
This doesn't address the "How do you make this work..." aspect - but if
you haven't, reading this might be helpful or scary, depending... (I guess
how scary it is depends on your security stance.)
On Thu, Dec 2, 2021 at 1:39 PM Adam Taylor via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
> You need to generate a CSR in FreeRadius and get a cert signed by a CA.
> You then need to only modify your eap module config file to point to the
> new cert files.
> The cert needs to be set with multiple aliases if you have multiple
> FreeRadius servers. We have two and the cert is good for radius1.XXX.com
> and radius2.xxx.com, with the main FQDN of the cert (the domain you enter in
> Android) as auth.xxx.com.
> So our users type in auth.xxx.com for domain and their user/pass and get
> auth'd and on the network. We use PEAP where FreeRadius queries our LDAP
> server for the users' NT/LM hashes and auths....our LDAP is NOT the one
> deciding yes/no for authentication....that's FreeRadius's job....not LDAP's.
> We ran into this back when Android started enforcing the cert requirement
> on the Dec 2020 update patch. I'm not in any way connected to the
> FreeRadius group here though so YMMV depending on version and other
> things. Just trying to be helpful and help point you in the right
> direction. We have had this config running since March without any issues
> to report. Good Luck!
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+ataylor=
> ulm.edu at lists.freeradius.org> On Behalf Of Chris Bradley
> Sent: Thursday, December 2, 2021 3:11 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius, BYOD and certs
> Hi everyone!
> We're trying to update our freeradius so that it will work with Android
> 11+ clients without using the "do not validate" option.
> What we want to do is allow BYOD devices to connect to our freeradius
> server (using LDAP authentication) and connect by putting the domain entry
> in for connecting with an Android.
> Freeradius is working fine with LDAP.
> Ultimately, I'm trying to put a certificate on the freeradius server so
> that BYOD clients (Android 11+ specifically) can authenticate using LDAP
> *without* them having to download a certificate from somewhere before
> attempting the connection to freeradius.
> From what I understand, I can't do that with a wildcard certificate or a
> self-signed one.
> So, if that's possible, I need some guidance on how to get it accomplished
> and what kind of cert I need to procure.
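The procedure Adam describes above (a CSR, a CA-signed certificate with one SAN per RADIUS host plus the shared name users type into Android's Domain field, then pointing the eap module at the files), as an added shell example that is not from the thread. The example.com names, the throwaway CA and the helper function names are constructed stand-ins; in production the CSR goes to your real CA and only the inspection steps apply to the certificate it returns.

```shell
#!/bin/sh
# Constructed example: build a CSR for the FreeRADIUS EAP server cert that
# carries one SAN per RADIUS host plus the name users type as "Domain", sign
# it with a throwaway CA so it can be inspected offline, and confirm the
# typed name is really in the SAN list (that is what Android 11+ matches on).
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
EAP_NAME="auth.example.com"   # stands in for auth.xxx.com from the thread
SANS="DNS:auth.example.com,DNS:radius1.example.com,DNS:radius2.example.com"

make_csr() {   # key + CSR; SANs requested via req_extensions (portable)
    cat >"$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $EAP_NAME
[v3_req]
subjectAltName = $SANS
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
}

sign_with_test_ca() {   # constructed CA; a real CA does this step for you
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" >/dev/null 2>&1
    # 'openssl x509 -req' does not copy CSR extensions by default, so the
    # SAN list is restated here; a CA that drops it breaks the Android match
    printf 'subjectAltName=%s\n' "$SANS" >"$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/san.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

san_names() {   # DNS SANs of cert $1, one per line
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
cert_covers_name() {   # yes if cert $1 lists name $2 exactly
    if san_names "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}
chain_ok() {   # yes if cert $1 chains to the CA the devices are told to trust
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_csr; sign_with_test_ca
echo "SANs:"; san_names "$WORK/server.pem"
echo "covers $EAP_NAME: $(cert_covers_name "$WORK/server.pem" "$EAP_NAME")"
echo "chain: $(chain_ok "$WORK/server.pem")"
```

The resulting server.key, server.pem and the CA file are what the eap module's tls section is pointed at; a device that is given a Domain not present in the SAN list fails validation, which is the behaviour the original question is about.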