Freeradius, BYOD and certs
aland at deployingradius.com
Fri Dec 3 00:55:50 CET 2021
On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc at bcsc.k12.in.us> wrote:
> What we want to do is allow BYOD devices to connect to our freeradius
> server (using LDAP authentication) and connect by putting the domain entry
> in for connecting with an android.
That *might* work. However... many systems have known root CAs enabled for web surfing, but disabled for EAP. Which means the only way to get WiFi working is to ??? somehow enable / add a root CA.
I've been arguing this point with the various standards bodies for a while. Apparently the people who interact with customers are few and far between there. So things hated by real people just aren't a priority to fix in the standards. :(
> Ultimately, I'm trying to put a certificate on the freeradius server so
> that BYOD clients (android 11+ specifically) can authenticate using LDAP
> *without* them having to download a certificate from somewhere before
> attempting the connection to freeradius.
I've been trying to do the same thing for a while. It's hard.
The simple answer is things like Eduroam CAT: https://cat.eduroam.org/
It gets you a simple tool to configure end-user machines. But it means you should be part of Eduroam. Which you might want to do anyways...
> From what I understand, I can't do that with a wildcard certificate or a
> self-signed one.
> So, if that's possible, I need some guidance on how to get it accomplished
> and what kind of cert I need to procure.
"Here be dragons" :(
OS / Phone vendors randomly change requirements, UI, processes, work flows, etc. for WiFi configuration. It's a huge problem.
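As an added illustration of the checks the thread is circling around (a server certificate that an Android 11+ client will accept without the user first installing anything), here is a small openssl-based script. It is not code from the thread, from Alan, or from the FreeRADIUS project. It assumes openssl 1.1.1 or newer on PATH, that Android's "Domain" field is matched as a suffix of the certificate's DNS SAN entries on label boundaries, and it conservatively does not count wildcard SANs as matches. The certificate it inspects in the demo is generated locally and is a constructed, self-signed example, which is exactly the kind of certificate the thread says will not work out of the box.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeRADIUS project.
# Checks a RADIUS (EAP) server certificate for the properties an Android 11+
# client needs before it will trust the server: a DNS SAN that suffix-matches
# the value typed into the "Domain" field, the serverAuth EKU, not self-signed,
# and a chain that verifies against a CA the phone already trusts.
# Assumptions: openssl >= 1.1.1 on PATH; Android's "Domain" field is a suffix
# match on label boundaries; wildcard SANs are conservatively not treated as
# matches. All certificates below are generated locally (constructed input).

# san_suffix_match SAN DOMAIN: 0 if SAN equals DOMAIN or ends in ".DOMAIN"
san_suffix_match() {
    [ "$1" = "$2" ] && return 0
    case "$1" in
        \**) return 1 ;;          # wildcard SAN: not treated as a match (assumption)
        *".$2") return 0 ;;
    esac
    return 1
}

# cert_dns_sans FILE: print each DNS SAN on its own line
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# cert_has_server_auth FILE: 0 if the EKU lists TLS Web Server Authentication
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# cert_is_self_signed FILE: 0 if subject and issuer are identical
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# check_eap_cert CERT DOMAIN CAFILE: print findings, return 0 only if all pass
check_eap_cert() {
    cert=$1; domain=$2; ca=$3; problems=0; matched=0
    for san in $(cert_dns_sans "$cert"); do
        if san_suffix_match "$san" "$domain"; then matched=1; fi
    done
    if [ "$matched" -eq 0 ]; then
        echo "FAIL: no DNS SAN suffix-matches domain '$domain'"
        problems=$((problems + 1))
    fi
    cert_has_server_auth "$cert" \
        || { echo "FAIL: missing serverAuth EKU"; problems=$((problems + 1)); }
    if cert_is_self_signed "$cert"; then
        echo "FAIL: certificate is self-signed (client must install it first)"
        problems=$((problems + 1))
    fi
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: chain does not verify against $ca"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# make_demo_cert DIR: write a constructed self-signed cert + key into DIR
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/radius.key" -out "$1/radius.pem" \
        -subj "/CN=radius.example.org" \
        -addext "subjectAltName=DNS:radius.example.org" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Demo: the self-signed cert passes the domain and EKU checks but fails the
# self-signed test, which is the "download a certificate first" problem.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
if check_eap_cert "$demo_dir/radius.pem" example.org "$demo_dir/radius.pem"; then
    echo "OK: certificate is suitable for Android 11+ EAP clients"
else
    echo "NOT OK: see findings above"
fi
rm -rf "$demo_dir"
```

Run it against the real server certificate with `check_eap_cert /path/to/server.pem <domain users will type> /path/to/ca-bundle.pem`; the CA bundle should be one the phones already trust, since a chain that only verifies against a private CA puts you back in the "install something first" situation the thread describes.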