EAP-TLS PKI management

Burn Zero burnzerog at gmail.com
Thu Jun 17 12:50:27 CEST 2021


Hi,

Were you able to implement the solution? I am also in the same boat. I
would love to hear about your work, so that I can get an idea out of it.

Thank you.

On Thu, 18 Feb 2021 at 23:44, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:

> Am 20.01.21 um 17:27 schrieb Munroe Sollog:
> > Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> > that removes the ability for the user to "Do Not Validate" the CA
> > certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> > seems like the best option, however the onboarding of user-brought devices
> > seems tricky.
>
> Neither sure about EAP-TLS nor about Android 11 -- but could you
> use an app like eduroam CAT? It can be fed any profile, e.g. from
> local file system or USB-OTG through the file/open dialog.
> The profile XML format has been defined in an RFC draft:
> https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00
>
> Successors to this app for Android 11+ are in the works, e.g. geteduroam.
>
> Here's our eap-config as an example:
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
>    <EAPIdentityProvider ID="students.uni-marburg.de"
> namespace="urn:RFC4282:realm" lang="en" version="1">
>      <AuthenticationMethods>
>        <AuthenticationMethod>
>          <EAPMethod>
>            <Type>25</Type>
>          </EAPMethod>
>          <ServerSideCredential>
>            <CA format="X.509"
> encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA>
>            <ServerID>radius.students.uni-marburg.de</ServerID>
>          </ServerSideCredential>
>          <ClientSideCredential>
>            <OuterIdentity>eduroam at students.uni-marburg.de</OuterIdentity>
>            <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
>            <InnerIdentityHint>true</InnerIdentityHint>
>          </ClientSideCredential>
>          <InnerAuthenticationMethod>
>            <EAPMethod>
>              <Type>26</Type>
>            </EAPMethod>
>          </InnerAuthenticationMethod>
>        </AuthenticationMethod>
>        <AuthenticationMethod>
>          <EAPMethod>
>            <Type>21</Type>
>          </EAPMethod>
>          <ServerSideCredential>
>            <CA format="X.509"
> encoding="base64">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</CA>
>            <ServerID>radius.students.uni-marburg.de</ServerID>
>          </ServerSideCredential>
>          <ClientSideCredential>
>            <OuterIdentity>eduroam at students.uni-marburg.de</OuterIdentity>
>            <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
>            <InnerIdentityHint>true</InnerIdentityHint>
>          </ClientSideCredential>
>          <InnerAuthenticationMethod>
>            <NonEAPAuthMethod>
>              <Type>1</Type>
>            </NonEAPAuthMethod>
>          </InnerAuthenticationMethod>
>        </AuthenticationMethod>
>      </AuthenticationMethods>
>      <CredentialApplicability>
>        <IEEE80211>
>          <SSID>eduroam</SSID>
>          <MinRSNProto>CCMP</MinRSNProto>
>        </IEEE80211>
>        <IEEE80211>
>          <ConsortiumOID>001bc50460</ConsortiumOID>
>        </IEEE80211>
>      </CredentialApplicability>
>      <ProviderInfo>
>        <DisplayName>Philipps-Universität Marburg - Students
> Philipps-Universitaet Marburg</DisplayName>
>        <ProviderLocation>
>          <Longitude>8.773955999999998</Longitude>
>          <Latitude>50.8101824</Latitude>
>        </ProviderLocation>
>        <ProviderLocation>
>          <Longitude>8.811504000000014</Longitude>
>          <Latitude>50.8122453</Latitude>
>        </ProviderLocation>
>        <Helpdesk>
>          <EmailAddress>wlan at hrz.uni-marburg.de</EmailAddress>
>          <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress>
>          <Phone>+49 6421 2828282</Phone>
>        </Helpdesk>
>      </ProviderInfo>
>    </EAPIdentityProvider>
> </EAPIdentityProviderList>
>
> --
>     Dr. Martin Pauly     Phone:  +49-6421-28-23527
>     HRZ Univ. Marburg    Fax:    +49-6421-28-26994
>     Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
>     D-35032 Marburg
>
>
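An added check, not part of this thread or of the eduroam CAT code, that walks a profile in the eap-metadata XML format quoted above and flags any AuthenticationMethod that lacks the CA certificate or ServerID a supplicant needs to validate the RADIUS server (the property Android 11 now insists on). The sample profile, realm and server names are constructed; the CA value is a DER prefix stand-in, not a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

# EAP type numbers from the IANA EAP registry (the <Type> values in the profile).
EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Constructed sample profile: a PEAP method with CA and ServerID, and an
# EAP-TTLS method whose CA element is missing. "MIIB" is only a DER prefix.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList>
 <EAPIdentityProvider ID="example.edu" namespace="urn:RFC4282:realm" lang="en" version="1">
  <AuthenticationMethods>
   <AuthenticationMethod>
    <EAPMethod><Type>25</Type></EAPMethod>
    <ServerSideCredential>
     <CA format="X.509" encoding="base64">MIIB</CA>
     <ServerID>radius.example.edu</ServerID>
    </ServerSideCredential>
   </AuthenticationMethod>
   <AuthenticationMethod>
    <EAPMethod><Type>21</Type></EAPMethod>
    <ServerSideCredential>
     <ServerID>radius.example.edu</ServerID>
    </ServerSideCredential>
   </AuthenticationMethod>
  </AuthenticationMethods>
 </EAPIdentityProvider>
</EAPIdentityProviderList>"""

def check_profile(xml_bytes):
    """Return [(method_name, problem), ...]; an empty list means every method
    lets the supplicant pin a CA and a server name, so the user never has to
    fall back to "Do Not Validate"."""
    problems = []
    for method in ET.fromstring(xml_bytes).iter("AuthenticationMethod"):
        eap_type = int(method.findtext("EAPMethod/Type", "0"))
        name = EAP_NAMES.get(eap_type, f"EAP type {eap_type}")
        cred = method.find("ServerSideCredential")
        if cred is None:
            problems.append((name, "no ServerSideCredential"))
            continue
        ca_b64 = (cred.findtext("CA") or "").strip()
        if not ca_b64:
            problems.append((name, "no CA certificate"))
        elif base64.b64decode(ca_b64, validate=True)[:1] != b"\x30":
            # Every DER-encoded X.509 certificate starts with a SEQUENCE tag.
            problems.append((name, "CA is not a DER X.509 certificate"))
        if not (cred.findtext("ServerID") or "").strip():
            problems.append((name, "no ServerID to match the server certificate"))
    return problems
```

Run it over a real eap-config before publishing it; an empty list from check_profile is the minimum a BYOD onboarding profile should satisfy.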

