EAP TLS certificates - Questions

Alan DeKok aland at deployingradius.com
Fri Dec 10 15:06:28 CET 2021

On Dec 10, 2021, at 9:00 AM, Anssi Saari <as at sci.fi> wrote:
> Hm. I'm not sure you understood Elias's question? As I understood
> it, it was "what needs to go in the domain field of wifi settings in
> Android devices that won't let you leave it empty?" I believe I answered
> that but his followup question I don't understand. And I'm not sure my
> answer is correct, it's just "it works for me". Maybe because of some
> fluke or bug in Android.

  The SubjectAltName field has to be a domain name.  The client device should be configured with the same domain name.

  This practice is similar to web surfing, but for EAP.  "I want to connect to foo.com, and the web site / EAP server presents a certificate for foo.com"

> Come to think of it, do you have some idea why Android devices even have
> a domain field in their wifi settings? NetworkManager in Linux too. Does
> it have some standard meaning in EAP in general? And is the meaning
> what Android now requires, namely that domain and server cert's CN
> match, something that makes sense to you? Or are these too much of
> client side questions?

  The new WBA standards are now requiring this behavior.

  I've been arguing with the standards body people for ~3 years on how to get this done (a) easily, and (b) securely.  The main problem is that many of the standards people are far removed from customer interaction.  So they don't understand that configuring WiFi is painful and horrible for most people.

  Alan DeKok.
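As an added illustration (not code from the thread or from FreeRADIUS), this is the decision a supplicant makes when the domain the user configured is compared against the names in the EAP server's certificate: the SubjectAltName dNSName entries are authoritative, the Subject CN is only a legacy fallback, and an empty configured domain is refused rather than treated as "accept anything". The names in the certificate are assumed to be already extracted; `ServerCertNames` and `cert_matches_domain` are hypothetical names chosen for this example.

```python
# Added example: supplicant-side domain check for an EAP-TLS/PEAP/TTLS server
# certificate. Inputs are the names already pulled out of the certificate;
# parsing the certificate itself is outside the scope of this snippet.

from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCertNames:
    """Names taken from the server certificate (constructed sample values)."""
    san_dns: List[str] = field(default_factory=list)  # SubjectAltName dNSName entries
    cn: str = ""                                      # Subject CN, legacy fallback only


def _name_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        labels = name.split(".")
        # The wildcard must stand for one whole label, and it must not be used
        # to match a bare registrable domain such as "foo.com" against "*.com".
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches_domain(names: ServerCertNames, configured_domain: str) -> bool:
    """True if the certificate is acceptable for the domain the user configured.

    SAN dNSName entries are checked first; the CN is consulted only when the
    certificate carries no dNSName at all. An empty domain is rejected: a
    client that cannot say which server it expects cannot verify anything.
    """
    if not configured_domain.strip():
        return False
    if names.san_dns:
        return any(_name_matches(p, configured_domain) for p in names.san_dns)
    return bool(names.cn) and _name_matches(names.cn, configured_domain)


if __name__ == "__main__":
    # Constructed sample: server cert issued for radius.foo.com, user typed "radius.foo.com".
    sample = ServerCertNames(san_dns=["radius.foo.com"], cn="radius.foo.com")
    print(cert_matches_domain(sample, "radius.foo.com"))  # True
    print(cert_matches_domain(sample, "foo.com"))         # False
```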

