EAP Wifi auth with Android and iOS



  • Maybe someone here can help me out with this. My school has three separate WLANs, one being semi-public (e.g. for BYOD pupils' devices), one targeted at our infrastructure (like, computers in labs, my Surfaces owned by the school and other devices which fulfill roles at school while not being super-important) and the last one for administrative stuff (which is super-locked down as a result).

    Now, the first WLAN has the "problem" (at least for my purposes) that all devices are isolated and "can't see" each other, i.e. even if you know the IP address, you cannot ping anything.

    The second one doesn't have that restriction but is locked down through EAP. I've got official blessing (and had to swear that I will not bring down the network) to bring some of my devices into that network, though, in order to extend some capabilities.

    For example, I can use my own phone as a streaming cam to project a livestream onto a browser window on another PC - I could then do a screenshot through another software and distribute that screenshot easily to my pupils' clients (trust me, it's easier and faster than taking an ordinary picture and then distributing the file itself).

    Only works if my phone and the PC in question are able to directly connect to each other.

    I've got: A .cer cert file, a username and a password. Using Windows, that's easy: Import the cert (simple doubleclick), connect to the Wifi, enter user and password and you're done.

    For Android, I first had to find how to actually import the file (managed that one, though). But when I tried to connect to the WLAN in question, I got a bunch of options I didn't have in Windows. Like, stuff for a "2nd stage", a domain and honestly a bunch of stuff I don't know about.

    Then there's iOS. Not sure how to even import the cert file there - it seems to expect a completely different file format.

    Anyone got experience with that? I mean, I could ask our IT guys - but since they're strictly Windows guys and are also at school only once a week (and usually have more pressing matters at hand), I thought I'd give this here a try.
    My web searches weren't too successful, I'm not sure if I'm searching for the wrong stuff or if my ideas are so outlandish that no one else did this before...


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    Like, stuff for a "2nd stage", a domain and honestly a bunch of stuff I don't know about.

    2nd stage (by default) is "none", I believe.
    The domain will be the login domain used on your Windows PC, it'll be the thing before the \ in your username. (For example, if your login is NTDOMAIN\rhywden, the domain is NTDOMAIN).



  • @sloosecannon said in EAP Wifi auth with Android and iOS:

    @rhywden said in EAP Wifi auth with Android and iOS:

    Like, stuff for a "2nd stage", a domain and honestly a bunch of stuff I don't know about.

    2nd stage (by default) is "none", I believe.
    The domain will be the login domain used on your Windows PC, it'll be the thing before the \ in your username. (For example, if your login is NTDOMAIN\rhywden, the domain is NTDOMAIN).

    Yeah, the weird thing is that the PC I'm using isn't joined to any domain. That's what makes it so confusing.


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    @sloosecannon said in EAP Wifi auth with Android and iOS:

    @rhywden said in EAP Wifi auth with Android and iOS:

    Like, stuff for a "2nd stage", a domain and honestly a bunch of stuff I don't know about.

    2nd stage (by default) is "none", I believe.
    The domain will be the login domain used on your Windows PC, it'll be the thing before the \ in your username. (For example, if your login is NTDOMAIN\rhywden, the domain is NTDOMAIN).

    Yeah, the weird thing is that the PC I'm using isn't joined to any domain.

    Oh. Huh.

    Well....

    Try leaving it blank? 🤷‍♂️



  • @sloosecannon I did that :)


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    @sloosecannon I did that :)

    Yeah, IIRC it can guess the domain too, so that's an "optional" thing



  • @sloosecannon Okay, at least I found out how to install the .cer file on iOS. It's easy. Simply send it as an Email and open it via Mail or download it from somewhere using Safari. Putting it into local storage by some other means is not supported.

    :wtf:


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    @sloosecannon Okay, at least I found out how to install the .cer file on iOS. It's easy. Simply send it as an Email and open it via Mail or download it from somewhere using Safari. Putting it into local storage by some other means is not supported.

    :wtf:

    You've got to do it the Apple way. If you're getting the file any way other than via email or Safari, you're :doing_it_wrong:



  • @sloosecannon I'll have a look again tomorrow on what iOS will yield. And try to browbeat Android into submission.

    It doesn't help, though, that the length of username and password combined is 30 characters...


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    It doesn't help, though, that the length of username and password combined is 30 characters...

    Oh that must be fun to type on a mobile keyboard



  • @sloosecannon I think I have a Bluetooth one lying around somewhere...



  • And, in a surprise twist, installing the cert file on iOS was the hardest step. After that it did the same thing Windows does: Ask for a username and a password, nothing else.

    So, for this particular scenario, Windows is easiest to use, then iOS, with Android still not working whatever I do. Geeze.


  • :belt_onion:

    @rhywden said in EAP Wifi auth with Android and iOS:

    For Android, I first had to find how to actually import the file (managed that one, though). But when I tried to connect to the WLAN in question, I got a bunch of options I didn't have in Windows. Like, stuff for a "2nd stage", a domain and honestly a bunch of stuff I don't know about.

    The only things you should have to change are possibly EAP method (if you're using a client certificate, I think this should be TLS? That's what it is on my network), CA certificate (This may be optional as it is in other operating systems like Windows, but I set it to the CA that issued the network's server certificate so my phone won't be fooled by a spoofed network), your user certificate (that's what you imported, if you don't see it make SURE you imported the certificate for Wi-Fi and not for "VPN/apps"), and Identity (<username>@<domain>). The domain part can be confusing; you say the PC you're using isn't joined to any domain, but by definition with WPA2-Enterprise you're using some sort of domain identity to authenticate to the network, you're just not authenticating to your local device. You may be able to pull this (it's called UPN name) from the Subject Alternative Name extension on the certificate you're using. Note that it is case-sensitive.


  • Notification Spam Recipient

    I once connected to a network that required MSCHAPV2 authentication for Phase 2, but I can't take a screenshot because I'm nowhere near that network and Android doesn't seem to let you edit saved Wi-Fi networks you're not nearby (except to delete them, of course).

    Hmm, I might toy around with this later...
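    As an added example (not something posted in this thread), here is how the fields that sloosecannon lists and the "Phase 2 = MSCHAPV2" case above map onto a wpa_supplicant network block for the password-plus-CA-certificate setup the original poster describes. The SSID, file path, identity and password are placeholders; the first block is the insecure shape a phone ends up with when the CA certificate is left unset ("Do not validate"), the second is the hardened one.

```conf
# Added example, not from the thread. Weak form: no CA certificate and no
# server name check, so any access point broadcasting the same SSID can
# collect the PEAP/MSCHAPv2 credential handshake. This is what Android's
# "CA certificate: Do not validate" produces.
network={
    ssid="SCHOOL-INFRA"            # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP                       # Android: "EAP method"
    phase2="auth=MSCHAPV2"         # Android: "Phase 2 authentication" / "2nd stage"
    identity="rhywden"             # placeholder username
    password="placeholder-password"
}

# Hardened form: pin the CA that issued the RADIUS server certificate (the
# .cer file from IT; wpa_supplicant accepts PEM or DER) and require the
# server certificate's name to end in the school's domain. Both settings
# together are what stops a spoofed network from impersonating the server.
network={
    ssid="SCHOOL-INFRA"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/school-ca.cer"   # Android: "CA certificate"
    domain_suffix_match="school.example"          # Android: "Domain"; placeholder
    anonymous_identity="anonymous@school.example" # outer identity, keeps the
                                                  # real username out of the
                                                  # unencrypted outer tunnel
    identity="rhywden@school.example"             # Android: "Identity" (UPN form)
    password="placeholder-password"
}
```

The "Domain" field that caused confusion in the thread is the server-certificate domain check (domain_suffix_match here), not the Windows logon domain of the client PC, which is why a non-domain-joined PC can still connect. If the school's RADIUS certificate was issued under a different DNS name than the one guessed above, the value must match that name or the connection will be refused, which is the intended failure mode.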

