List: freeradius-users
Subject: Re: EAP-TLS PKI management
From: Martin Pauly <pauly () hrz ! uni-marburg ! de>
Date: 2021-02-18 18:12:19
Message-ID: 04edfb74-c04b-d4a9-f34f-8910b6a7cf53 () hrz ! uni-marburg ! de
On 20.01.21 at 17:27, Munroe Sollog wrote:
> Has anyone deployed EAP-TLS in concert with BYOD? This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution. EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.
Neither sure about EAP-TLS nor about Android 11 -- but could you
use an app like eduroam CAT? It can be fed any profile, e.g. from
local file system or USB-OTG through the file/open dialog.
The profile XML format has been defined in an RFC draft:
https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00
Successors to this app for Android 11+ are in the works, e.g. geteduroam.
Here's our eap-config as an example:
<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
  <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1">
    <AuthenticationMethods>
      <AuthenticationMethod>
        <EAPMethod>
          <Type>25</Type>
        </EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA>
          <ServerID>radius.students.uni-marburg.de</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity>
          <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
          <InnerIdentityHint>true</InnerIdentityHint>
        </ClientSideCredential>
        <InnerAuthenticationMethod>
          <EAPMethod>
            <Type>26</Type>
          </EAPMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
      <AuthenticationMethod>
        <EAPMethod>
          <Type>21</Type>
        </EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg==</CA>
          <ServerID>radius.students.uni-marburg.de</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <OuterIdentity>eduroam@students.uni-marburg.de</OuterIdentity>
          <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
          <InnerIdentityHint>true</InnerIdentityHint>
        </ClientSideCredential>
        <InnerAuthenticationMethod>
          <NonEAPAuthMethod>
            <Type>1</Type>
          </NonEAPAuthMethod>
        </InnerAuthenticationMethod>
      </AuthenticationMethod>
    </AuthenticationMethods>
    <CredentialApplicability>
      <IEEE80211>
        <SSID>eduroam</SSID>
        <MinRSNProto>CCMP</MinRSNProto>
      </IEEE80211>
      <IEEE80211>
        <ConsortiumOID>001bc50460</ConsortiumOID>
      </IEEE80211>
    </CredentialApplicability>
    <ProviderInfo>
      <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName>
      <ProviderLocation>
        <Longitude>8.773955999999998</Longitude>
        <Latitude>50.8101824</Latitude>
      </ProviderLocation>
      <ProviderLocation>
        <Longitude>8.811504000000014</Longitude>
        <Latitude>50.8122453</Latitude>
      </ProviderLocation>
      <Helpdesk>
        <EmailAddress>wlan@hrz.uni-marburg.de</EmailAddress>
        <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress>
        <Phone>+49 6421 2828282</Phone>
      </Helpdesk>
    </ProviderInfo>
  </EAPIdentityProvider>
</EAPIdentityProviderList>
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE
D-35032 Marburg
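As an added example (not from the post above or from eduroam CAT), a Python audit of an eap-config profile in the layout of draft-winter-opsawg-eap-metadata: for every AuthenticationMethod it checks that the supplicant is handed a decodable X.509 CA, a ServerID and (for tunnelled methods) an anonymous OuterIdentity, which is exactly what lets the device validate the RADIUS server instead of relying on "Do Not Validate". The sample profile, the example.org names and the truncated CA body are constructed.

```python
import base64
import xml.etree.ElementTree as ET

EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method types

# Constructed eap-config in the draft's layout; the <CA> body is a truncated DER header, not a real cert.
SAMPLE = """<EAPIdentityProviderList>
 <EAPIdentityProvider ID="example.org" namespace="urn:RFC4282:realm">
  <AuthenticationMethods>
   <AuthenticationMethod><EAPMethod><Type>25</Type></EAPMethod>
    <ServerSideCredential><CA format="X.509" encoding="base64">MIIDwzCC</CA><ServerID>radius.example.org</ServerID></ServerSideCredential>
    <ClientSideCredential><OuterIdentity>anonymous@example.org</OuterIdentity></ClientSideCredential>
   </AuthenticationMethod>
   <AuthenticationMethod><EAPMethod><Type>21</Type></EAPMethod>
    <ServerSideCredential><ServerID>radius.example.org</ServerID></ServerSideCredential>
   </AuthenticationMethod>
  </AuthenticationMethods>
 </EAPIdentityProvider>
</EAPIdentityProviderList>"""

def decode_ca(ca_el):
    """DER bytes of a <CA> element, or None when it is not plausibly an X.509 certificate."""
    if ca_el is None or ca_el.get("encoding") != "base64":
        return None
    try:
        der = base64.b64decode("".join((ca_el.text or "").split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # A Certificate is a DER SEQUENCE (0x30); real CA certs use the long-form length marker 0x82.
    return der if len(der) > 4 and der[:2] == b"\x30\x82" else None

def audit_profile(xml_text):
    """One entry per AuthenticationMethod: does the supplicant get enough to validate the server?"""
    report = []
    for method in ET.fromstring(xml_text).iter("AuthenticationMethod"):
        eap_type = int(method.findtext("EAPMethod/Type"))
        ssc = method.find("ServerSideCredential")
        cas = [] if ssc is None else [c for c in ssc.findall("CA") if decode_ca(c) is not None]
        ids = [] if ssc is None else [s.text for s in ssc.findall("ServerID")]
        outer = method.findtext("ClientSideCredential/OuterIdentity")
        issues = []
        if not cas:
            issues.append("no usable CA: the supplicant cannot validate the RADIUS server certificate")
        if not ids:
            issues.append("no ServerID: any certificate issued by that CA would be accepted")
        if outer is None and eap_type in (21, 25):  # tunnelled methods send the outer identity unprotected
            issues.append("no OuterIdentity: the real username is sent unprotected")
        report.append({"method": EAP_TYPES.get(eap_type, f"EAP type {eap_type}"), "ca_count": len(cas),
                       "server_ids": ids, "outer_identity": outer, "issues": issues})
    return report
```

Running audit_profile over the SAMPLE reports the PEAP method as clean and flags the EAP-TTLS method for its missing CA and OuterIdentity.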
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html