In my last post I explained how to deploy the necessary infrastructure in order to connect macs to a 802.1x TLS protected network. In that post I´ll explain how to connect an Android or iPhone. The first thing you need is to add the device object in Active Directory and create certificate with the same characteristics as the one for the mac. Make sure you add "host/" at the beginning of the CN field preceding the name of the device as added in Active Directory.
Once you have the PKCS12 containers (.pfx file) with the device certificate, the key and the related certificates chains import it to the device and configure the WLAN interface as follows:
For Android, the first think you have to do is enable the credentials store. Go to "Settings", "Location and Security", and set password. Put the PKCS12 file in the root of the SD Card and come back to the security menu. Click on "Install from SD Card" and choose the appropriate file. You´ll be promoted to install the certificate, key and Root CAs. Once installed you can try to connect to the 802.1x TLS protected WLAN. Connect to the 802.1x TLS protected WLAN. As the network will request TLS authentication, the Android would request you to unblock your credentials storage. Enter the password and click Accept. In the configuration screen add the following parameters:
- EAP_ TLS
- No second phase authentication
- Choose the CA certificate (you should have only one)
- Choose the user certificate (you should have only one)
- In the identity entry add the same you added in the CN of the certificate. It should be something like: "host/machine-name"
I have successfully tested it with Android 2.1. The draw back is that you most probably will require a proxy to access the Internet and that can´t be configured in Android (unless you use a Cyanogen build)
iPhone 3, iPhone 4 and iPad:
Send the PKCS12 file by email and open it from the mail application. Follow the same instructions as the ones to connect an Android device to the WLAN. Remember to manually add the CN as the Identity with the "host/" at the beginning.
Maybe Skip SHA-3
3 weeks ago