EAP-TLS PKI management

Alan DeKok aland at deployingradius.com
Wed Jan 20 17:37:53 CET 2021


On Jan 20, 2021, at 11:27 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> 
> Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.

  It definitely becomes harder.

> With MDM or AD-joined devices, pushing the certificates out is easy. In an
> environment where "bring your own device" is encouraged, I'm curious how
> network admins are making client certificate installations easy enough for
> end users to do.

  Use WiFi Passpoint for Hotspot 2.0.  Most enterprise APs should support this, and it shouldn't be too hard to configure.

  Or, MDM or AD, unfortunately.  Most systems have now removed the ability for users to manually configure certificate settings.

  Alan DeKok.
