Freeradius, BYOD and certs

Munroe Sollog mus3 at
Fri Dec 3 01:06:04 CET 2021

Not particularly helpful today, but in the WPA3 standard there is an
/optional/ standard called DPP or EasyConnect. It was born from the old
WIPS protocol. DPP is meant as a general onboarding standard primarily
focused for IoT devices, but nothing explicitly prevents it from being used
more generally.

Basically, it creates an out-of-band connection (think Bluetooth) to a
configuration node which will push a wireless config (including certs).  At
this point I’m not sure anyone actually supports it, but at least it’s an
adopted standard (even though it’s an optional one).

Maybe one day these frustrations will be behind us

On Thu, Dec 2, 2021 at 6:56 PM Alan DeKok <aland at> wrote:

> On Dec 2, 2021, at 4:10 PM, Chris Bradley <bradleyc at> wrote:
> > What we want to do is allow BYOD devices to connect to our freeradius
> > server (using LDAP authentication) and connect by putting the domain
> entry
> > in for connecting with an android.
>   That *might* work.  However...  many systems have known root CAs enabled
> for web surfing, but disabled for EAP.  Which means the only way to get
> WiFi working is to ??? somehow enable / add a root CA.
>   I've been arguing this point with the various standards bodies for a
> while.  Apparently the people who interact with customers are few and far
> between there.  So things hated by real people just aren't a priority to
> fix in the standards. :(
> > Ultimately, I'm trying to put a certificate on the freeradius server so
> > that BYOD clients (android 11+ specifically) can authenticate using LDAP
> > *without* them having to download a certificate from somewhere before
> > attempting the connection to freeradius.
>   I've bene trying to do the same thing for a while.  it's hard.
>   The simple answer is things like Eduroam CAT:
>   It get you a simple tool to configure end-user machines.  But it means
> you should be part of Eduroam.  Which you might want to do anyways...
> > From what I understand, I can't do that with a wildcard certificate or a
> > self-signed one.
> >
> > So, if that's possible, I need some guidance on how to get it
> accomplished
> > and what kind of cert I need to procure.
>   "Here be dragons"  :(
>   OS / Phone vendors randomly change requirements, UI, processes, work
> flows, etc. for WiFi configuration.  It's a huge problem.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
Munroe Sollog (He/Him/His)
Network Architect
munroe at

More information about the Freeradius-Users mailing list