EAP-TLS PKI management

Martin Pauly pauly at hrz.uni-marburg.de
Thu Feb 18 19:12:19 CET 2021


On 20.01.21 at 17:27, Munroe Sollog wrote:
> Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.

Neither sure about EAP-TLS nor about Android 11 -- but could you
use an app like eduroam CAT? It can be fed any profile, e.g. from
local file system or USB-OTG through the file/open dialog.
The profile XML format has been defined in an RFC draft:
https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00

Successors to this app for Android 11+ are in the works, e.g. geteduroam.

Here's our eap-config as an example:

<?xml version="1.0" encoding="utf-8"?>

<EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
   <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1">
     <AuthenticationMethods>
       <AuthenticationMethod>
         <EAPMethod>
           <Type>25</Type>
         </EAPMethod>
         <ServerSideCredential>
           <CA format="X.509" encoding="base64"><!-- base64 CA certificate not preserved in the archived message --></CA>
           <ServerID>radius.students.uni-marburg.de</ServerID>
         </ServerSideCredential>
         <ClientSideCredential>
           <OuterIdentity>eduroam at students.uni-marburg.de</OuterIdentity>
           <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
           <InnerIdentityHint>true</InnerIdentityHint>
         </ClientSideCredential>
         <InnerAuthenticationMethod>
           <EAPMethod>
             <Type>26</Type>
           </EAPMethod>
         </InnerAuthenticationMethod>
       </AuthenticationMethod>
       <AuthenticationMethod>
         <EAPMethod>
           <Type>21</Type>
         </EAPMethod>
         <ServerSideCredential>
           <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA>
           <ServerID>radius.students.uni-marburg.de</ServerID>
         </ServerSideCredential>
         <ClientSideCredential>
           <OuterIdentity>eduroam at students.uni-marburg.de</OuterIdentity>
           <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
           <InnerIdentityHint>true</InnerIdentityHint>
         </ClientSideCredential>
         <InnerAuthenticationMethod>
           <NonEAPAuthMethod>
             <Type>1</Type>
           </NonEAPAuthMethod>
         </InnerAuthenticationMethod>
       </AuthenticationMethod>
     </AuthenticationMethods>
     <CredentialApplicability>
       <IEEE80211>
         <SSID>eduroam</SSID>
         <MinRSNProto>CCMP</MinRSNProto>
       </IEEE80211>
       <IEEE80211>
         <ConsortiumOID>001bc50460</ConsortiumOID>
       </IEEE80211>
     </CredentialApplicability>
     <ProviderInfo>
         <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName>
       <ProviderLocation>
         <Longitude>8.773955999999998</Longitude>
         <Latitude>50.8101824</Latitude>
       </ProviderLocation>
       <ProviderLocation>
         <Longitude>8.811504000000014</Longitude>
         <Latitude>50.8122453</Latitude>
       </ProviderLocation>
       <Helpdesk>
         <EmailAddress>wlan at hrz.uni-marburg.de</EmailAddress>
         <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress>
         <Phone>+49 6421 2828282</Phone>
       </Helpdesk>
     </ProviderInfo>
   </EAPIdentityProvider>
</EAPIdentityProviderList>

-- 
    Dr. Martin Pauly     Phone:  +49-6421-28-23527
    HRZ Univ. Marburg    Fax:    +49-6421-28-26994
    Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
    D-35032 Marburg
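As an added example (not part of Martin's message or of the CAT/geteduroam projects), a small Python checker that reads a profile in the eap-config format shown above and reports, per <AuthenticationMethod>, whether the supplicant is actually pinned to a CA and a ServerID, which is the property the Android 11 change is forcing; the sample profile, its realm and host names are constructed, and its second method deliberately omits both elements.

```python
import xml.etree.ElementTree as ET

# EAP method type numbers (IANA registry) as they appear in <EAPMethod><Type>.
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NON_EAP_TYPES = {1: "PAP", 2: "MSCHAP", 3: "MSCHAPv2"}

# Constructed sample profile (not the Marburg file). The second method
# deliberately omits <CA> and <ServerID> so the checker has something to flag.
SAMPLE = """<EAPIdentityProviderList>
 <EAPIdentityProvider ID="example.org" namespace="urn:RFC4282:realm" lang="en" version="1">
  <AuthenticationMethods>
   <AuthenticationMethod>
    <EAPMethod><Type>13</Type></EAPMethod>
    <ServerSideCredential><CA format="X.509" encoding="base64">MIIB...constructed-placeholder...</CA>
     <ServerID>radius.example.org</ServerID></ServerSideCredential>
   </AuthenticationMethod>
   <AuthenticationMethod>
    <EAPMethod><Type>21</Type></EAPMethod>
    <ServerSideCredential/>
    <InnerAuthenticationMethod><NonEAPAuthMethod><Type>1</Type></NonEAPAuthMethod></InnerAuthenticationMethod>
   </AuthenticationMethod>
  </AuthenticationMethods>
 </EAPIdentityProvider>
</EAPIdentityProviderList>"""


def audit_profile(xml_text):
    """Return one dict per <AuthenticationMethod>: outer/inner method names,
    how the server side is pinned (CA count, ServerIDs) and any findings."""
    results = []
    for method in ET.fromstring(xml_text).iter("AuthenticationMethod"):
        outer = int(method.findtext("EAPMethod/Type"))
        inner_eap = method.findtext("InnerAuthenticationMethod/EAPMethod/Type")
        inner_non = method.findtext("InnerAuthenticationMethod/NonEAPAuthMethod/Type")
        cas = method.findall("ServerSideCredential/CA")
        server_ids = [e.text for e in method.findall("ServerSideCredential/ServerID")]
        inner = None
        if inner_eap is not None:
            inner = EAP_TYPES.get(int(inner_eap), f"EAP type {inner_eap}")
        elif inner_non is not None:
            inner = NON_EAP_TYPES.get(int(inner_non), f"non-EAP type {inner_non}")
        findings = []
        if not cas:
            findings.append("no <CA>: supplicant cannot validate the RADIUS server certificate")
        if not server_ids:
            findings.append("no <ServerID>: any certificate issued by the CA would be accepted")
        results.append({"outer": EAP_TYPES.get(outer, f"EAP type {outer}"), "inner": inner,
                        "ca_count": len(cas), "server_ids": server_ids, "findings": findings})
    return results
```

Run `audit_profile()` over a real eap-config before handing it to CAT; an empty findings list for every method means the profile never lets the device fall back to an unvalidated server.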

