EAP TLS certificates - Questions

Elias Pereira empbilly at gmail.com
Thu Dec 16 17:56:56 CET 2021


The problem is this new Android 11 rule that requires us to put
the domain in the EAP-TLS configuration. It's a pain in the ass!

Anyway, I will try the extra settings that are requested.

On Fri, Dec 10, 2021 at 11:06 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 10, 2021, at 9:00 AM, Anssi Saari <as at sci.fi> wrote:
> >
> > Hm. I'm not sure you understood Elias's question? As I understood
> > it, it was "what needs to go in the domain field of wifi settings in
> > Android devices that won't let you leave it empty?" I believe I answered
> > that but his followup question I don't understand. And I'm not sure my
> > answer is correct, it's just "it works for me". Maybe because of some
> > fluke or bug in Android.
>
>   The SubjectAltName field has to be a domain name.  The client device
> should be configured with the same domain name.
>
>   This practice is similar to web surfing, but for EAP.  "I want to
> connect to foo.com, and the web site / EAP server presents a certificate
> for foo.com"
>
> > Come to think of it, do you have some idea why Android devices even have
> > a domain field in their wifi settings? NetworkManager in Linux too. Does
> > it have some standard meaning in EAP in general? And is the meaning
> > what Android now requires, namely that domain and server cert's CN
> > match, something that makes sense to you? Or are these too much of
> > client side questions?
>
>   The new WBA standards are now requiring this behavior.
>
>   I've been arguing with the standards body people for ~3 years on how to
> get this done (a) easily, and (b) securely.  The main problem is that many
> of the standards people are far removed from customer interaction.  So they
> don't understand that configuring WiFi is painful and horrible for most
> people.
>
>   Alan DeKok.


-- 
Elias Pereira
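
The rule quoted above (the server certificate's SubjectAltName carries a domain name and the client is configured with the same domain) can be sketched as a check. This is an added example, not part of the original thread and not FreeRADIUS or Android code; the label-wise suffix matching, the function names and the example.org names are assumptions.

```python
# Added example: compare a client's configured EAP "domain" with the
# dNSName entries of a server certificate's SubjectAltName.
# Assumption: matching is a case-insensitive suffix match on whole DNS labels.


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def suffix_matches(configured_domain, dns_name):
    """True if dns_name equals configured_domain or is a subdomain of it."""
    want = _labels(configured_domain)
    have = _labels(dns_name)
    if "" in want or "" in have:      # empty or malformed name never matches
        return False
    if len(have) < len(want):
        return False
    return have[-len(want):] == want  # compare label by label, not by substring


def check_server_cert(configured_domain, san_dns_names):
    """Return (ok, reason) for a client configured with configured_domain."""
    if not configured_domain.strip():
        return False, "client domain is empty"
    if not san_dns_names:
        return False, "certificate has no SubjectAltName dNSName entries"
    for name in san_dns_names:
        if suffix_matches(configured_domain, name):
            return True, "matched " + name
    return False, "no dNSName matches " + configured_domain


# Constructed sample certificates (SAN dNSName lists only), not real data.
SAMPLES = {
    "good": ["radius.example.org"],
    "lookalike": ["radius.notexample.org"],
    "no_san": [],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        print(label, check_server_cert("example.org", sans))
```

The lookalike case shows why the comparison is done per label: a plain string suffix test would accept radius.notexample.org for a client configured with example.org.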

