EAP-TLS PKI management

Munroe Sollog mus3 at lehigh.edu
Wed Jan 20 17:41:59 CET 2021

Are suggesting use passpoint to push the cert out, but keep using PEAP, or
are you suggesting use passpoint as the vehicle to onboard client certs for

I guess it could be either?

On Wed, Jan 20, 2021 at 11:38 AM Alan DeKok <aland at deployingradius.com>

> On Jan 20, 2021, at 11:27 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> >
> > Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> > that removes the ability for the user to "Do Not Validate" the CA
> > certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> > seems like the best option, however the onboarding of user-brought
> devices
> > seems tricky.
>   It definitely becomes harder.
> > With MDM or AD-joined devices pushing the certificates out are easy. In
> an
> > environment where "bring your own device" is encouraged, I'm curious how
> > network admins are making client certificate installations easy enough
> for
> > end users to do.
>   Use WiFi Passpoint for Hotspot 2.0.  Most enterprise APs should support
> this, and it shouldn't be too hard to configure.
>   Or, MDM or AD, unfortunately.  Most systems have now removed the ability
> for users to manually configure certificate settings.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Munroe Sollog (He/Him/His)
Senior Network Engineer
munroe at lehigh.edu

More information about the Freeradius-Users mailing list