EAP TLS certificates - Questions
empbilly at gmail.com
Thu Dec 16 17:56:56 CET 2021
The problem is this new android 11 rule that requires us to put
the domain in the EAP-TLS configuration. It's a pain in the ass!
Anyway, I will try the extra settings that are requested.
On Fri, Dec 10, 2021 at 11:06 AM Alan DeKok <aland at deployingradius.com>
> On Dec 10, 2021, at 9:00 AM, Anssi Saari <as at sci.fi> wrote:
> > Hm. I'm not sure you understood they Elias's question? As I understood
> > it, it was "what needs to go in the domain field of wifi settings in
> > Android devices that won't let you leave it empty?" I believe I answered
> > that but his followup question I don't understand. And I'm not sure my
> > answer is correct, it's just "it works for me". Maybe because of some
> > fluke or bug in Android.
> The SubjectAltName field has to be a domain name. The client device
> should be configured with the same domain name.
> This practice is similar to web surfing, but for EAP. "I want to
> connect to foo.com, and the web site / EAP server presents a certificate
> for foo.com"
> > Come to think of it, do you have some idea why Android devices even have
> > a domain field in their wifi settings? NetworkManager in Linux too. Does
> > it have some standard meaning in EAP in general? And is the meaning
> > what Android now requires, namely that domain and server cert's CN
> > match, something that makes sense to you? Or are these too much of
> > client side questions?
> The new WBA standards are now requiring this behavior.
> I've been arguing with the standards body people for ~3 years on how to
> get this done (a) easily, and (b) securely. The main problem is that many
> of the standards people are far removed from customer interaction. So they
> don't understand that configuring WiFi is painful and horrible for most
> Alan DeKok.
> List info/subscribe/unsubscribe? See
More information about the Freeradius-Users