Freeradius, BYOD and certs

Alan DeKok aland at
Fri Dec 3 00:55:50 CET 2021

On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc at> wrote:
> What we want to do is allow BYOD devices to connect to our freeradius
> server (using LDAP authentication) and connect by putting the domain entry
> in for connecting with an android.

  That *might* work.  However...  many systems have known root CAs enabled for web surfing, but disabled for EAP.  Which means the only way to get WiFi working is to ??? somehow enable / add a root CA.

  I've been arguing this point with the various standards bodies for a while.  Apparently the people who interact with customers are few and far between there.  So things hated by real people just aren't a priority to fix in the standards. :(

> Ultimately, I'm trying to put a certificate on the freeradius server so
> that BYOD clients (android 11+ specifically) can authenticate using LDAP
> *without* them having to download a certificate from somewhere before
> attempting the connection to freeradius.

  I've been trying to do the same thing for a while.  It's hard.

  The simple answer is things like Eduroam CAT:

  It gets you a simple tool to configure end-user machines.  But it means you should be part of Eduroam.  Which you might want to do anyways...

> From what I understand, I can't do that with a wildcard certificate or a
> self-signed one.
> So, if that's possible, I need some guidance on how to get it accomplished
> and what kind of cert I need to procure.

  "Here be dragons"  :(

  OS / Phone vendors randomly change requirements, UI, processes, work flows, etc. for WiFi configuration.  It's a huge problem.

  Alan DeKok.
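As an added example that is not part of Alan's reply or of the FreeRADIUS project, the script below uses openssl(1) to build a throwaway test CA plus two constructed server certificates, then checks each one for the properties the question above turns on: that the certificate is issued by a CA the phones can be told to trust rather than being self-signed, that its SAN carries an exact (non-wildcard) DNS name equal to what the user types into Android's domain field, and that its EKU includes serverAuth. All names (Example BYOD Root CA, radius.example.edu) are made up, and the assumption that Android compares the domain entry against the certificate's SAN dNSName is mine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): check an
# EAP server certificate offline for the properties Android BYOD clients
# need. Assumes openssl(1) is on PATH. All names below are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a CA-issued server cert with an exact SAN and a
# serverAuth EKU, and a self-signed wildcard cert with no EKU (the kind
# the question says will not work).
make_test_certs() {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3' \
        '[dn]' 'CN = Example BYOD Root CA' \
        '[v3]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        '[dn]' 'CN = radius.example.edu' \
        '[v3]' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:radius.example.edu' > "$WORK/srv.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/srv.cnf" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/srv.cnf" -extensions v3 \
        -out "$WORK/srv.pem" 2>/dev/null

    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3' \
        '[dn]' 'CN = *.example.edu' \
        '[v3]' 'subjectAltName = DNS:*.example.edu' > "$WORK/bad.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/bad.cnf" \
        -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null
}

# check_eap_server_cert CERT DOMAIN CA_FILE
# Prints one line per finding; returns 0 only if every check passes.
check_eap_server_cert() {
    cert=$1; domain=$2; ca=$3; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # 1. Must chain to the CA the phones will be told to trust. A self-signed
    #    server cert fails here because no trusted root issued it.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   chains to $(basename "$ca")"
    else
        echo "FAIL: does not chain to $(basename "$ca") (self-signed or wrong CA)"; rc=1
    fi

    # 2. EKU must include serverAuth (openssl -text renders it as below).
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "ok:   EKU includes serverAuth"
    else
        echo "FAIL: EKU lacks serverAuth"; rc=1
    fi

    # 3. SAN must carry an exact dNSName equal to the domain the user types
    #    into Android's "Domain" field (assumption: matched against the SAN).
    #    Wildcard entries are flagged, as the question says they won't do.
    re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if printf '%s\n' "$text" | grep -Eq "DNS:${re}(,|$)"; then
        echo "ok:   SAN has DNS:$domain"
    else
        echo "FAIL: SAN has no exact DNS:$domain"; rc=1
    fi
    if printf '%s\n' "$text" | grep -q 'DNS:\*'; then
        echo "FAIL: SAN contains a wildcard name"; rc=1
    fi
    return $rc
}

make_test_certs
echo "== srv.pem (CA-issued, exact SAN, serverAuth) =="
check_eap_server_cert "$WORK/srv.pem" radius.example.edu "$WORK/ca.pem"
echo "== bad.pem (self-signed wildcard, no EKU) =="
check_eap_server_cert "$WORK/bad.pem" radius.example.edu "$WORK/ca.pem" \
    || echo "bad.pem rejected, as expected"
```

To use it against a real deployment, point `check_eap_server_cert` at the PEM you intend to put in FreeRADIUS's `certificate_file` and at the CA the phones will trust; the chain check is the one that a public-CA wildcard or a self-signed certificate fails in the way the question describes.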
