FreeRADIUS - Local CA and Cert for EAP-TLS, but Trusted CA and Cert for EAP-PEAP
I have FreeRADIUS working pretty well on my network. I use pfSense as my CA, and I let pfSense generate certificates for each of my users. I then take that CA and cert, and create profiles for the Apple devices on our network for use with EAP-TLS and all is good.
However, I have a Peloton Bike which uses an Android tablet running Android 9. I cannot install certificates on this device, and therefore I have to configure it to use EAP-TTLS or EAP-PEAP.
In configuring the device to connect to WiFi, it has these options for the CA Certificate:
- Use system certificates
- Do not validate
In my case, I need to choose "Do not validate" to get it to connect. If I choose "Use system certificates", it fails to connect since my personal CA isn't in Android's trust store. This is... fine... but in an ideal world I could choose "Use system certificates", input my domain name, and have it connect securely that way. Although I run the Acme package and have valid Let's Encrypt certificates, I wouldn't want to switch to using those, since anyone with a valid Let's Encrypt cert could then authenticate using EAP-TLS.

I also worry (not an issue today, but could be in the future) that no device running Android 11 or above will be able to auth with my network, since Google removed the ability to select "Do not validate" when it comes to the CA.

My understanding is that FreeRADIUS 3 supports different CAs depending on the different EAPs, but I don't see that as an option in the GUI.
Is this a feature enhancement I could add to FreeRADIUS Redmine page? Or am I going about this the wrong way and there's something I could do better on my network?
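As an added example (not from the post, and not something the pfSense FreeRADIUS GUI generates), this is the FreeRADIUS 3 `mods-available/eap` layout that gives EAP-TLS and PEAP separate `tls-config` sections, so the private pfSense CA stays the only issuer trusted for client certificates while PEAP presents a publicly trusted Let's Encrypt chain. All file paths and names are assumptions; `${certdir}` and `${cadir}` are the variables the stock `radiusd.conf` defines.

```conf
# mods-available/eap (FreeRADIUS 3.x): one tls-config per EAP type.
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    # Private PKI, used only by EAP-TLS. ca_file decides which client
    # certificates are accepted, so keeping the pfSense CA alone here means
    # a Let's Encrypt certificate can never satisfy EAP-TLS.
    tls-config tls-private {
        private_key_file = ${certdir}/pfsense-radius.key   # assumed path
        certificate_file = ${certdir}/pfsense-radius.pem   # assumed path
        ca_file          = ${cadir}/pfsense-ca.pem         # assumed path
        dh_file          = ${certdir}/dh
        tls_min_version  = "1.2"
        # Client certificates are mandatory for EAP-TLS by design.
    }

    # Public PKI, used only by PEAP. The server certificate must carry the
    # RADIUS server's DNS name in its SAN, which is the "domain" value the
    # Android client enters next to "Use system certificates".
    tls-config tls-public {
        private_key_file = ${certdir}/le/privkey.pem        # assumed path
        certificate_file = ${certdir}/le/fullchain.pem      # leaf + intermediates
        ca_file          = ${certdir}/le/chain.pem          # assumed path
        dh_file          = ${certdir}/dh
        tls_min_version  = "1.2"
        # PEAP does not authenticate the peer by certificate; the user is
        # proven by the inner MS-CHAPv2 exchange, so trusting the public chain
        # here gives holders of public certs no way in.
        require_client_cert = no
    }

    tls {
        tls = tls-private
    }

    peap {
        tls = tls-public
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

Let's Encrypt certificates are short-lived, so the renewal hook must reload FreeRADIUS after each renewal or PEAP clients will start failing validation when the old leaf expires.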