> As a goal, we need to migrate to more use of EAP-TLS in home environments. I discovered recently that you can't provision a client cert for EAP-TLS onto a Chromebook using the Google MDM. Instead, you configure the MDM with information that enables the Chromebook to obtain one using SCEP from an Enterprise CA. But the user needs to log into the Chromebook to obtain the certificate over SCEP and, of course, the user can't log in without network access. The "solution" is to stand up an onboarding SSID that can reach Google and the SCEP endpoint.
(The organisation decided to provision the devices with EAP-PEAP/MSCHAPv2 and a shared AD account instead, using RADIUS and Google logs to correlate users to Chromebooks.)

I'm not bashing EAP-TLS but highlighting that an apparently trivial configuration can involve a disproportionate amount of infrastructure and complexity...

Josh

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu