EAP-TLS PKI management


EAP-TLS PKI management

Munroe Sollog
Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
that removes the ability for the user to "Do Not Validate" the CA
certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
seems like the best option, however the onboarding of user-brought devices
seems tricky.

With MDM or AD-joined devices, pushing the certificates out is easy. In an
environment where "bring your own device" is encouraged, I'm curious how
network admins are making client certificate installations easy enough for
end users to do.

Android 11 change article for reference:
https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/
--
Munroe Sollog (He/Him/His)
Senior Network Engineer
[hidden email]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS PKI management

Alan DeKok-2
On Jan 20, 2021, at 11:27 AM, Munroe Sollog <[hidden email]> wrote:
>
> Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.

  It definitely becomes harder.

> With MDM or AD-joined devices, pushing the certificates out is easy. In an
> environment where "bring your own device" is encouraged, I'm curious how
> network admins are making client certificate installations easy enough for
> end users to do.

  Use WiFi Passpoint for Hotspot 2.0.  Most enterprise APs should support this, and it shouldn't be too hard to configure.

  Or, MDM or AD, unfortunately.  Most systems have now removed the ability for users to manually configure certificate settings.

  Alan DeKok.



Re: EAP-TLS PKI management

Munroe Sollog
Are you suggesting using Passpoint to push the cert out but keeping PEAP, or
are you suggesting using Passpoint as the vehicle to onboard client certs for
EAP-TLS?

I guess it could be either?


Re: EAP-TLS PKI management

Alan DeKok-2


> On Jan 20, 2021, at 11:41 AM, Munroe Sollog <[hidden email]> wrote:
>
> Are you suggesting using Passpoint to push the cert out but keeping PEAP, or
> are you suggesting using Passpoint as the vehicle to onboard client certs for
> EAP-TLS?
>
> I guess it could be either?

  Passpoint is about client configuration.  It's not just for EAP-TLS.

  We have people using Passpoint for EAP-SIM, for example.  It's fine.

  Alan DeKok.

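The AP side of what Alan describes, as an added example that is not from the thread or from any list member: a hostapd fragment that advertises Interworking/Passpoint (Hotspot 2.0) information over ANQP. A client profile that carries the same realm or consortium OI and a matching credential type (here a certificate, for EAP-TLS) selects the network on its own, which is what makes Passpoint a client-configuration mechanism rather than an EAP method. The interface, SSID, RADIUS address and secret, realm and consortium OI are made up; the option names and the nai_realm encoding are hostapd's own.

```ini
# hostapd.conf fragment (added example; interface, SSID, addresses, secret,
# realm and consortium OI are made up)
interface=wlan0
ssid=example-secure
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# FreeRADIUS as the 802.1X authentication server (assumed address and secret)
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret

# IEEE 802.11u Interworking and Passpoint (Hotspot 2.0) advertisement
interworking=1
# 0 = private network (an enterprise WLAN), not a public hotspot
access_network_type=0
internet=1
domain_name=example.org
hs20=1
# Roaming consortium OI: a profile carrying a matching ConsortiumOID selects
# this network without the user picking an SSID (made-up value)
roaming_consortium=021122
# NAI realm plus EAP methods: EAP-TLS (type 13) with auth param 5 (credential
# type) = 6 (certificate).  A password-only profile for the realm would not
# match this entry, so advertise the methods you actually accept.
nai_realm=0,example.org,13[5:6]
```

The nai_realm line is the piece worth checking after a change: hostapd accepts several methods per realm (for instance a TTLS/MSCHAPv2 entry alongside EAP-TLS during a migration), and a client will only auto-join when one of the advertised method/credential pairs matches what its profile holds.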

Re: EAP-TLS PKI management

Munroe Sollog
Thanks for the pointers.  I'll investigate.


Re: EAP-TLS PKI management

Alan Buxey
In reply to this post by Munroe Sollog
Hi

In a previous employment we used Cloudpath ES (a commercial solution that
allows users to enroll and manage their own certs for EAP-TLS). It's now
owned by Ruckus. FreeRADIUS ran the show and we were able to move most
PEAP to EAP-TLS (particularly the BYOD crowd).

alan

Re: EAP-TLS PKI management

Martin Pauly
In reply to this post by Munroe Sollog
On 20.01.21 at 17:27, Munroe Sollog wrote:
> Has anyone deployed EAP-TLS in concert with BYOD?  This Android 11 change
> that removes the ability for the user to "Do Not Validate" the CA
> certificate has forced us to re-evaluate our .1x PEAP solution.  EAP-TLS
> seems like the best option, however the onboarding of user-brought devices
> seems tricky.

Neither sure about EAP-TLS nor about Android 11 -- but could you
use an app like eduroam CAT? It can be fed any profile, e.g. from
local file system or USB-OTG through the file/open dialog.
The profile XML format has been defined in an RFC draft:
https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-00

Successors to this app for Android 11+ are in the works, e.g. geteduroam.

Here's our eap-config as an example:

<?xml version="1.0" encoding="utf-8"?>

<EAPIdentityProviderList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="eap-metadata.xsd">
   <EAPIdentityProvider ID="students.uni-marburg.de" namespace="urn:RFC4282:realm" lang="en" version="1">
     <AuthenticationMethods>
       <AuthenticationMethod>
         <!-- EAP type 25 = PEAP (outer TLS tunnel); inner method below.
              EAP-TLS itself would be type 13. -->
         <EAPMethod>
           <Type>25</Type>
         </EAPMethod>
         <ServerSideCredential>
           <CA format="X.509" encoding="base64">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</CA>
           <ServerID>radius.students.uni-marburg.de</ServerID>
         </ServerSideCredential>
         <ClientSideCredential>
           <OuterIdentity>[hidden email]</OuterIdentity>
           <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
           <InnerIdentityHint>true</InnerIdentityHint>
         </ClientSideCredential>
         <InnerAuthenticationMethod>
           <!-- EAP type 26 = EAP-MSCHAPv2 inside the PEAP tunnel -->
           <EAPMethod>
             <Type>26</Type>
           </EAPMethod>
         </InnerAuthenticationMethod>
       </AuthenticationMethod>
       <AuthenticationMethod>
         <!-- EAP type 21 = EAP-TTLS; non-EAP inner method below -->
         <EAPMethod>
           <Type>21</Type>
         </EAPMethod>
         <ServerSideCredential>
           <CA format="X.509" encoding="base64">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</CA>
           <ServerID>radius.students.uni-marburg.de</ServerID>
         </ServerSideCredential>
         <ClientSideCredential>
           <OuterIdentity>[hidden email]</OuterIdentity>
           <InnerIdentitySuffix>students.uni-marburg.de</InnerIdentitySuffix>
           <InnerIdentityHint>true</InnerIdentityHint>
         </ClientSideCredential>
         <InnerAuthenticationMethod>
           <!-- NonEAPAuthMethod type 1 = PAP inside the TTLS tunnel -->
           <NonEAPAuthMethod>
             <Type>1</Type>
           </NonEAPAuthMethod>
         </InnerAuthenticationMethod>
       </AuthenticationMethod>
     </AuthenticationMethods>
     <CredentialApplicability>
       <IEEE80211>
         <SSID>eduroam</SSID>
         <MinRSNProto>CCMP</MinRSNProto>
       </IEEE80211>
       <IEEE80211>
         <!-- Passpoint / Hotspot 2.0 roaming consortium OI -->
         <ConsortiumOID>001bc50460</ConsortiumOID>
       </IEEE80211>
     </CredentialApplicability>
     <ProviderInfo>
       <DisplayName>Philipps-Universität Marburg - Students Philipps-Universitaet Marburg</DisplayName>
       <ProviderLocation>
         <Longitude>8.773955999999998</Longitude>
         <Latitude>50.8101824</Latitude>
       </ProviderLocation>
       <ProviderLocation>
         <Longitude>8.811504000000014</Longitude>
         <Latitude>50.8122453</Latitude>
       </ProviderLocation>
       <Helpdesk>
         <EmailAddress>[hidden email]</EmailAddress>
         <WebAddress>http://www.uni-marburg.de/hrz/internet</WebAddress>
         <Phone>+49 6421 2828282</Phone>
       </Helpdesk>
     </ProviderInfo>
   </EAPIdentityProvider>
</EAPIdentityProviderList>

--
    Dr. Martin Pauly     Phone:  +49-6421-28-23527
    HRZ Univ. Marburg    Fax:    +49-6421-28-26994
    Hans-Meerwein-Str.   E-Mail: [hidden email]
    D-35032 Marburg



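A worked version of both halves of this thread, as an added example that is not from the thread, from eduroam CAT or from FreeRADIUS: the certificate issuance and packaging Munroe asks about (private CA, RADIUS server cert, per-user client cert, PKCS#12 bundle a BYOD user can import), followed by an eap-config profile in the same format as Martin's, but for EAP-TLS (type 13) with the client certificate embedded. The realm, host, user and passphrase are made up; the ClientCertificate element is taken from the eap-metadata draft, and whether a particular installer app accepts it and prompts for the PKCS#12 passphrase is an assumption to check against that app.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: a minimal EAP-TLS
# PKI with openssl: private CA, RADIUS server cert, per-user client cert,
# PKCS#12 bundle for BYOD import, and an eap-config profile for EAP-TLS.
set -eu

WORK="${WORK:-$(mktemp -d)}"
REALM="example.org"               # assumed realm
RADIUS_HOST="radius.example.org"  # assumed name in the server cert / <ServerID>

# A CA used only for EAP.  With "Do Not Validate" gone, the CA the profile
# pins is what stops a rogue AP with a valid-looking cert from harvesting logins.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder overridden by -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example EAP CA" -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT EKU SAN.  The EKU pins the role (serverAuth for the
# RADIUS server, clientAuth for users), so a user cert can never pass as the server.
issue_cert() {
  name=$1; subject=$2; eku=$3; san=$4
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/$name.ext"
  printf 'extendedKeyUsage=%s\nsubjectAltName=%s\n' "$eku" "$san" >> "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" -config "$WORK/ca.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 397 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Key + cert + CA as PKCS#12: the one file a BYOD user imports.  The
# passphrase is per user and delivered separately from the file.
bundle_p12() {
  user=$1; pass=$2
  openssl pkcs12 -export -name "$user@$REALM" -inkey "$WORK/$user.key" \
    -in "$WORK/$user.crt" -certfile "$WORK/ca.crt" -passout "pass:$pass" \
    -out "$WORK/$user.p12"
}

# eap-config for EAP-TLS (EAP type 13).  <CA> and <ServerID> are what the
# supplicant checks the server against; the client cert rides along as base64
# PKCS#12 (ClientCertificate element as in the eap-metadata draft).  The
# passphrase is not embedded, so the file alone is not a usable credential.
write_eapconfig() {
  user=$1
  ca_b64=$(openssl x509 -in "$WORK/ca.crt" -outform DER | openssl base64 -A)
  p12_b64=$(openssl base64 -A < "$WORK/$user.p12")
  cat > "$WORK/$user.eap-config" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<EAPIdentityProviderList>
  <EAPIdentityProvider ID="$REALM" namespace="urn:RFC4282:realm" lang="en" version="1">
    <AuthenticationMethods>
      <AuthenticationMethod>
        <EAPMethod><Type>13</Type></EAPMethod>
        <ServerSideCredential>
          <CA format="X.509" encoding="base64">$ca_b64</CA>
          <ServerID>$RADIUS_HOST</ServerID>
        </ServerSideCredential>
        <ClientSideCredential>
          <OuterIdentity>anonymous@$REALM</OuterIdentity>
          <ClientCertificate format="PKCS12" encoding="base64">$p12_b64</ClientCertificate>
        </ClientSideCredential>
      </AuthenticationMethod>
    </AuthenticationMethods>
    <CredentialApplicability><IEEE80211><SSID>example-secure</SSID><MinRSNProto>CCMP</MinRSNProto></IEEE80211></CredentialApplicability>
  </EAPIdentityProvider>
</EAPIdentityProviderList>
EOF
}

# Pre-release check: the user cert chains to our CA as a client cert and is
# NOT acceptable as a server cert.
verify_user() {
  user=$1
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$user.crt" >/dev/null 2>&1 &&
  ! openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$WORK/$user.crt" >/dev/null 2>&1
}

make_ca
issue_cert radius "/CN=$RADIUS_HOST" serverAuth "DNS:$RADIUS_HOST"
issue_cert alice "/CN=alice@$REALM" clientAuth "email:alice@$REALM"
bundle_p12 alice "correct-horse"   # constructed demo passphrase
write_eapconfig alice
verify_user alice && echo "ready: $WORK/alice.p12 $WORK/alice.eap-config"
```

Two things to keep in mind when adapting this: the .eap-config contains the user's private key (inside the PKCS#12), so it must be delivered over an authenticated channel and treated like the credential it is, and on OpenSSL 3 the default PKCS#12 encryption (AES/PBKDF2) is not readable by some older importers, so for those you may need `openssl pkcs12 -export -legacy`. The server certificate is issued here with a DNS SAN matching `<ServerID>`, which is the name the supplicant now has to verify since the "Do Not Validate" option is gone.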