On Oct 25, 2023, at 1:52 PM, josh.howl...@gmail.com wrote:
> I discovered recently that you can't provision a client cert for EAP-TLS onto
> a Chromebook using the Google MDM. Instead, you configure the MDM with
> information that enables the Chromebook to obtain one using SCEP from an
> Enterprise CA. But the user needs to log into the Chromebook to obtain the
> certificate over SCEP and, of course, the user can't log in without network
> access. The "solution" is to stand up an onboarding SSID that can reach Google and
> the SCEP endpoint.

If you can do an onboarding SSID, there are many simpler things which can be done, too. e.g. downloading configuration files from a captive portal.

> (The organisation decided to provision the devices with EAP-PEAP/MSCHAPv2 and
> a shared AD account instead, using RADIUS and Google logs to correlate users
> to Chromebooks)

Oh my. I can't publicly say what I would like, so I will leave it at that.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu