EAP-TTLS is simply an EAP method. What credential and subject type you use is up to your configuration and policy.
RE: EMMs (speaking generically), yes, many need to have additional config options exposed for Passpoint parameters, but you don't need client certificates for Passpoint. If no customers ask for a capability, it likely will not be implemented in any product.

It won't be an overnight flip of the switch to eliminate your existing 802.1X SSID so those EMM managed devices can continue as they normally would. Visitors with credentials from another IdP can seamlessly connect in the meantime. It's a marathon, not a sprint.

Unfortunately there's been so much negativity around Passpoint over the years that not many people have engaged with vendors on it.

Just my opinion. Outside of the eduroam advisory council and historical interest in the technology, I really have no other vested interest in the topic.

Tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Sent: Monday, July 20, 2020, 23:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On 21/7/20 11:04 am, Tim Cappalli wrote:
> Both major Wi-Fi vendors have Passpoint offerings that are either
> available or in preview.

I'm talking about the client side. Intune doesn't even have a CA either (no, the short-lived one for conditional access doesn't count). Where's the Microsoft supported agent that does device-specific TTLS-PAP like you suggest?

Also https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap/ is the top Google result for [TTLS-PAP], admittedly it's about user credentials not device credentials but it's still a risk.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community