EAP-TLS PKI management
Martin Pauly
pauly at hrz.uni-marburg.de
Thu Feb 18 19:12:19 CET 2021
On 20.01.21 at 17:27, Munroe Sollog wrote:
> Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.
Neither sure about EAP-TLS nor about Android 11 -- but could you
use an app like eduroam CAT? It can be fed any profile, e.g. from
local file system or USB-OTG through the file/open dialog.
The profile XML format has been defined in an RFC draft:
https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00
Successors to this app for Android 11+ are in the works, e.g. geteduroam.
Here's our eap-config as an example:
<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
  <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1">
    <AuthenticationMethods>
      <!-- Method 1: PEAP (EAP type 25) with EAP-MSCHAPv2 (EAP type 26) inside the tunnel -->
      <AuthenticationMethod>
        <EAPMethod>
          <Type>25</Type>
        </EAPMethod>
        <!-- The supplicant only accepts a server certificate that chains to this CA
             and whose name matches ServerID; this replaces "Do Not Validate" -->
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">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</CA>
          <ServerID>radius.students.uni-marburg.de</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity>
          <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
          <InnerIdentityHint>true</InnerIdentityHint>
        </ClientSideCredential>
        <InnerAuthenticationMethod>
          <EAPMethod>
            <Type>26</Type>
          </EAPMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
      <!-- Method 2: EAP-TTLS (EAP type 21) with PAP (NonEAP type 1) inside the tunnel -->
      <AuthenticationMethod>
        <EAPMethod>
          <Type>21</Type>
        </EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">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</CA>
          <ServerID>radius.students.uni-marburg.de</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity>
          <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
          <InnerIdentityHint>true</InnerIdentityHint>
        </ClientSideCredential>
        <InnerAuthenticationMethod>
          <NonEAPAuthMethod>
            <Type>1</Type>
          </NonEAPAuthMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
    </AuthenticationMethods>
    <!-- Networks this credential applies to: the eduroam SSID (WPA2/CCMP or better)
         and the eduroam Passpoint roaming consortium -->
    <CredentialApplicability>
      <IEEE80211>
        <SSID>eduroam</SSID>
        <MinRSNProto>CCMP</MinRSNProto>
      </IEEE80211>
      <IEEE80211>
        <ConsortiumOID>001bc50460</ConsortiumOID>
      </IEEE80211>
    </CredentialApplicability>
    <ProviderInfo>
      <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName>
      <ProviderLocation>
        <Longitude>8.773955999999998</Longitude>
        <Latitude>50.8101824</Latitude>
      </ProviderLocation>
      <ProviderLocation>
        <Longitude>8.811504000000014</Longitude>
        <Latitude>50.8122453</Latitude>
      </ProviderLocation>
      <Helpdesk>
        <EmailAddress>wlan@hrz.uni-marburg.de</EmailAddress>
        <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress>
        <Phone>+49 6421 2828282</Phone>
      </Helpdesk>
    </ProviderInfo>
  </EAPIdentityProvider>
</EAPIdentityProviderList>
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
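The point of shipping a profile like the one above is that the server CA and ServerID are pinned in the supplicant, so the user never has to pick "Do Not Validate". The following is an added example, not code from the poster, from eduroam CAT or from geteduroam: it parses an eap-config file, lists every AuthenticationMethod with its outer and inner method, and flags the ones a supplicant could not verify (no CA, a CA blob that is not DER, no ServerID), plus an EAP-TLS method that carries no client certificate. The embedded profile is constructed for the example; its CA and PKCS#12 blobs are placeholders, not real credentials, and the `ClientCertificate`/`Passphrase` element names for EAP-TLS follow the eap-metadata draft as I read it (an assumption; check against the XSD your CAT version emits). EAP type numbers are from the IANA registry; the NonEAP numbers are the draft's.

```python
"""Sanity-check an eap-config profile (draft-winter-opsawg-eap-metadata).

Added example; not code from eduroam CAT, geteduroam or the original poster.
Sample profile and credential blobs below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

# IANA EAP method type numbers used as outer and inner EAP methods.
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# NonEAPAuthMethod numbers as defined by the eap-metadata draft.
NONEAP_TYPE_NAMES = {1: "PAP", 2: "MSCHAP", 3: "MSCHAPv2"}

FINDINGS = {
    "no-ca": "no <CA>: the supplicant would have to accept any server certificate",
    "bad-ca": "<CA> does not decode to a DER certificate",
    "no-serverid": "no <ServerID>: any certificate issued by that CA is accepted",
    "no-client-cert": "EAP-TLS without <ClientCertificate>: user must obtain one out of band",
}


def _looks_like_der_cert(b64text):
    """Structural check only: base64 that decodes to a DER SEQUENCE with a
    long-form length, which is how every X.509 certificate begins."""
    try:
        der = base64.b64decode("".join(b64text.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 4 and der[0] == 0x30 and bool(der[1] & 0x80)


def parse_profile(xml_data):
    """Return one dict per <AuthenticationMethod> found in the profile."""
    root = ET.fromstring(xml_data)
    methods = []
    for m in root.iter("AuthenticationMethod"):
        outer = int(m.findtext("EAPMethod/Type"))
        ssc = m.find("ServerSideCredential")
        csc = m.find("ClientSideCredential")
        inner = None
        inner_el = m.find("InnerAuthenticationMethod")
        if inner_el is not None:
            t = inner_el.findtext("EAPMethod/Type")
            if t is not None:
                inner = EAP_TYPE_NAMES.get(int(t), "EAP-%s" % t)
            t = inner_el.findtext("NonEAPAuthMethod/Type")
            if t is not None:
                inner = NONEAP_TYPE_NAMES.get(int(t), "NonEAP-%s" % t)
        methods.append({
            "outer": EAP_TYPE_NAMES.get(outer, "EAP-%d" % outer),
            "inner": inner,
            "cas": [c.text or "" for c in ssc.findall("CA")] if ssc is not None else [],
            "server_ids": [s.text for s in ssc.findall("ServerID")] if ssc is not None else [],
            "client_cert": csc is not None and csc.find("ClientCertificate") is not None,
        })
    return methods


def check_profile(xml_data):
    """Return (method number, label, finding code) for every weak method."""
    findings = []
    for idx, m in enumerate(parse_profile(xml_data), start=1):
        label = m["outer"] + ("/" + m["inner"] if m["inner"] else "")
        if not m["cas"]:
            findings.append((idx, label, "no-ca"))
        elif not all(_looks_like_der_cert(ca) for ca in m["cas"]):
            findings.append((idx, label, "bad-ca"))
        if not m["server_ids"]:
            findings.append((idx, label, "no-serverid"))
        if m["outer"] == "EAP-TLS" and not m["client_cert"]:
            findings.append((idx, label, "no-client-cert"))
    return findings


# Constructed sample profile; the blobs are DER-shaped placeholders, not real keys.
_FAKE_CA = base64.b64encode(b"\x30\x82\x01\x04" + b"\x00" * 260).decode()
_FAKE_P12 = base64.b64encode(b"placeholder-pkcs12").decode()
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList>
 <EAPIdentityProvider ID="example.org" namespace="urn:RFC4282:realm" lang="en" version="1">
  <AuthenticationMethods>
   <AuthenticationMethod><!-- 1: EAP-TLS, client certificate carried in the profile -->
    <EAPMethod><Type>13</Type></EAPMethod>
    <ServerSideCredential><CA format="X.509" encoding="base64">{_FAKE_CA}</CA>
     <ServerID>radius.example.org</ServerID></ServerSideCredential>
    <ClientSideCredential><OuterIdentity>anonymous@example.org</OuterIdentity>
     <ClientCertificate format="PKCS12" encoding="base64">{_FAKE_P12}</ClientCertificate>
     <Passphrase>changeit</Passphrase></ClientSideCredential>
   </AuthenticationMethod>
   <AuthenticationMethod><!-- 2: PEAP/EAP-MSCHAPv2 pinned to CA and ServerID -->
    <EAPMethod><Type>25</Type></EAPMethod>
    <ServerSideCredential><CA format="X.509" encoding="base64">{_FAKE_CA}</CA>
     <ServerID>radius.example.org</ServerID></ServerSideCredential>
    <InnerAuthenticationMethod><EAPMethod><Type>26</Type></EAPMethod></InnerAuthenticationMethod>
   </AuthenticationMethod>
   <AuthenticationMethod><!-- 3: EAP-TTLS/PAP with no server-side credential at all -->
    <EAPMethod><Type>21</Type></EAPMethod>
    <InnerAuthenticationMethod><NonEAPAuthMethod><Type>1</Type></NonEAPAuthMethod></InnerAuthenticationMethod>
   </AuthenticationMethod>
  </AuthenticationMethods>
 </EAPIdentityProvider>
</EAPIdentityProviderList>
""".encode("utf-8")

if __name__ == "__main__":
    for idx, label, code in check_profile(SAMPLE_PROFILE):
        print(f"method {idx} ({label}): {FINDINGS[code]}")
```

Run it against a real eap-config by replacing SAMPLE_PROFILE with the file's bytes; method 3 in the sample is the profile shape that needed "Do Not Validate", and the plaintext PAP password inside an unverified TTLS tunnel is exactly what an evil-twin AP harvests. The DER check is deliberately shallow; for a real deployment also load the CA with your TLS library and confirm it is the one your RADIUS server's certificate chains to.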