FreeRADIUS - Local CA and Cert for EAP-TLS, but Trusted CA and Cert for EAP-PEAP
-
I have FreeRADIUS working pretty well on my network. I use pfSense as my CA, and I let pfSense generate certificates for each of my users. I then take that CA and cert, and create profiles for the Apple devices on our network for use with EAP-TLS and all is good.
However, I have a Peloton Bike which uses an Android tablet running Android 9. I can not install certificates on this device, and therefor I have to configure it to use EAP-TTLS or EAP-PEAP.
In configuring the device to connect to WiFi, it has these options for the CA Certificate:
- Use system certificates
- Do not validate
In my case, I need to choose
Do not validateto get it to connect. If I chooseUse system certificates, it fails to connect since my personal CA isn't in Androids trust store.This is... fine... but in an ideal world I could chose to
Use system certificates, input my domain name, and have it connect securely that way. Although I run the Acme package and have valid Let's Encrypt certificates, I wouldn't want to switch to using those, since anyone with a valid Let's Encrypt cert could then authenticate using EAP-TLS.I also worry (not an issue today, but could be in the future) that no device running Android 11 or above will be able to auth with my network, since Google removed the ability to select
Do not validatewhen it comes to the CA.My understanding is that FreeRADIUS 3 supports different CA's depending on the different EAP's, but I don't see that as an option in the GUI.
Is this a feature enhancement I could add to FreeRADIUS Redmine page? Or am I going about this the wrong way and there's something I could do better on my network?