EAP-TLS and IOS 13

EAP-TLS and IOS 13

thyde_rsi
I love *pple. And by love I mean exactly the opposite.....Regardless, my
many thanks to all that assisted with my tribulations and blatherings
regarding getting ipads and Win10 machines working with an EAP-TLS
environment. As of this morning I had everything migrated, wiped,
re-tested, full bare-metal automation tested and ready to deploy to the
minions. I had a very happy moment.

Until someone walked in with an ipad that they just upgraded to IOS 13.

tl/dr: IOS13 introduces more stringent compliance for certificates
(https://support.apple.com/en-us/HT210176) and that means certificates
that used to work for EAP, now do not install - well that's not true.
They install, they say they're verified, but the ipad does not recognize
them as useful, and ONLY presents a TTLS-like connection interface
(username and password, instead of certificate and identity). They
simply sit there all happy and useless. (BTW, manual cert install is now
an 8 page document in my library, including download, allow, accept,
enable Cert Trust Settings, install, validate and....then watch do
nothing.) Since the ipad does not present a tls transaction, FR3 doesn't
participate. I am not using EAP-TTLS, so that module does exactly what
it is supposed to do - find no verified username and reject.

I've used my google-fu to get the basic idea of modifying the openssl
commands to include the EKU, and sha2, but some of the other
requirements I'm not sure about implementing. The "no longer than 2
years" is also a PITA. Either way, has anyone worked out a magic bullet
for this yet? Amazingly, M$ is no longer on my hated list - the Win10
machines are now in the "it simply works" category! Longing to learn
from the masters, yet again!

Thanks,

Ted.


On 11/1/2019 6:56 PM, [hidden email] wrote:
> Message: 6
> Date: Fri, 1 Nov 2019 16:22:30 -0400
> From: "Ted Hyde (RSI)"<[hidden email]>
> To:[hidden email]
> Subject: Migrating FR3 instance

--
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS and IOS 13

Alan DeKok-2
On Nov 4, 2019, at 2:18 PM, Ted Hyde (RSI) <[hidden email]> wrote:
>
> I love *pple. And by love I mean exactly the opposite.....Regardless, my many thanks to all that assisted with my tribulations and blatherings regarding getting ipads and Win10 machines working with an EAP-TLS environment. As of this morning I had everything migrated, wiped, re-tested, full bare-metal automation tested and ready to deploy to the minions. I had a very happy moment.
>
> Until someone walked in with an ipad that they just upgraded to IOS 13.

  Oops.

> tl/dr: IOS13 introduces more stringent compliance for certificates (https://support.apple.com/en-us/HT210176) and that means certificates that used to work for EAP, now do not install - well that's not true. They install, they say they're verified, but the ipad does not recognize them as useful, and ONLY presents a TTLS-like connection interface (username and password, instead of certificate and identity). They simply sit there all happy and useless. (BTW, manual cert install is now an 8 page document in my library, including download, allow, accept, enable Cert Trust Settings, install, validate and....then watch do nothing.) Since the ipad does not present a tls transaction, FR3 doesn't participate. I am not using EAP-TTLS, so that module does exactly what it is supposed to do - find no verified username and reject.
>
> I've used my google-fu to get the basic idea of modifying the openssl commands to include the EKU, and sha2, but some of the other requirements I'm not sure about implementing. The "no longer than 2 years" is also a PITA. Either way, has anyone worked out a magic bullet for this yet? Amazingly, M$ is no longer on my hated list - the Win10 machines are now in the "it simply works" category! Longing to learn from the masters, yet again!

  The scripts in raddb/certs/ *should* work.  You don't need any OpenSSL magic.  They already have the EKU.  They're already set to use SHA256, which is fine.

  The only additional magic which is necessary is the subjectAltName stuff.  That's easy enough to do.  I've pushed fixes to v3.0.x:

https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x

  Please download that and try the certificate scripts in raddb/certs/

  Alan DeKok.
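Alan's point above is that raddb/certs already sets the EKU and SHA-256 and that subjectAltName was the missing piece. The script below is an added example, not the thread's own commands and not FreeRADIUS's raddb/certs scripts: it generates a server certificate carrying the full extension set Apple lists in HT210176 (SHA-2 signature, RSA key of at least 2048 bits, serverAuth EKU, a DNS name in subjectAltName, and a validity of at most 825 days, which the thread rounds to "2 years"), and it lints any existing server.pem against the same rules so a certificate that iOS 13 would silently ignore is caught before it is pushed to the iPads. The hostname radius.example.com and the file names are constructed placeholders, and the certificate is self-signed to keep the demo offline; in the raddb/certs workflow the same extensions belong in the section the CA uses when it signs server.csr.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS's raddb/certs).
# make_server_cert builds a RADIUS server cert with the extensions iOS 13
# requires; check_ios13_cert lints a PEM cert against the same rules.
# radius.example.com is a constructed placeholder hostname.

# make_server_cert DIR NAME CN DAYS  -> writes DIR/NAME.key and DIR/NAME.pem
# Self-signed for an offline demo; with a real CA, put [ server_ext ] in the
# config used for the signing step instead.
make_server_cert() {
  dir=$1; name=$2; cn=$3; days=$4
  cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = server_ext
prompt             = no

[ dn ]
CN = $cn

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$cn
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.pem" \
    >/dev/null 2>&1
}

# to_epoch "Nov  4 19:00:00 2019 GMT" -> seconds since the epoch
# (GNU date first, BSD/macOS date as the fallback).
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -j -u -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# check_ios13_cert CERT.pem -> returns 0 when every rule is met, 1 otherwise,
# printing one FAIL line per rule that is violated.
check_ios13_cert() {
  cert=$1; ok=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 1

  # Rule: SHA-2 family signature (SHA-1 signed certs are rejected).
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: (sha(256|384|512)With|ecdsa-with-SHA(256|384|512))' \
    || { echo "FAIL $cert: signature hash is not SHA-2"; ok=1; }

  # Rule: RSA keys must be at least 2048 bits.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' && [ "${bits:-0}" -lt 2048 ]; then
    echo "FAIL $cert: RSA key is ${bits:-0} bits (< 2048)"; ok=1
  fi

  # Rule: extendedKeyUsage must include serverAuth.
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL $cert: no serverAuth EKU"; ok=1; }

  # Rule: the hostname must be a DNS entry in subjectAltName, not only in CN.
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
    || { echo "FAIL $cert: no DNS name in subjectAltName"; ok=1; }

  # Rule: validity period of at most 825 days.
  nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  days=$(( ( $(to_epoch "$na") - $(to_epoch "$nb") ) / 86400 ))
  if [ "$days" -gt 825 ]; then
    echo "FAIL $cert: valid for $days days (> 825)"; ok=1
  fi
  return $ok
}

# Demo: a compliant 825-day cert next to a 10-year one like the "10y
# lifetimes" mentioned later in the thread. Run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_server_cert "$d" server radius.example.com 825
  check_ios13_cert "$d/server.pem" && echo "server.pem: acceptable to iOS 13"
  make_server_cert "$d" long radius.example.com 3650
  check_ios13_cert "$d/long.pem" || echo "long.pem: would be ignored by iOS 13"
  rm -rf "$d"
fi
```

Pointing `check_ios13_cert` at the server.pem produced by raddb/certs is the quick way to confirm, after pulling the v3.0.x fix, that the subjectAltName and the other extensions actually landed in the certificate the iPads will see. The checker only inspects the leaf certificate; the CA certificate installed on the device has its own, looser rules, so a failing leaf is the usual cause of the "certificate only" option never appearing.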


Re: EAP-TLS and IOS 13

Gregory Sloop
In reply to this post by thyde_rsi
[Replying direct, so as not to clutter the list/thread.]

Ted - I'm probably hours to a day or two from trying to set up the same on a fleet of iPads.

Given the back-and-forth, I'm not at all clear what the "solution" is.
I'd be eternally grateful if you'd post a summary of the issues, especially once you fix them, to the list. :)

It doesn't sound like we really understand all the issues with certs
[2 years lifetime limit, really? - My certs generally have 10y lifetimes! I don't want to push new certs to all the ipads in two years!] - but again, as it becomes clear, it would be a super big help to me. [I'm certainly fluent on istuff - but it's often weird and hard to figure out how to make it work on both Windows and iOS/MacOS - at least without generating certs/keys in formats specially for Apple stuff. [p12's for example]]

[I use GNUTLS for CA/cert/key generation - so I'll have to find a way to do it there, or use openssl - we'll see.]

Anyway - Thanks in advance!

-Greg