EAP-TLS
First-time setup on the EAP-TLS page
Device enrollment / Client certificate generation
Make sure you have our Advanced RADIUS add-on enabled for your account. Put the RADIUS server certificate on the device you want to enroll (as a trusted certificate in the root folder) so that the device can talk to our RADIUS servers. This certificate generally gets pushed by your SCEP enrollment / MDM tool, such as Apple Configurator, Intune, JAMF, etc.
Create Client CA
Click the 'Create CA' button under 'Client Certificate Authorities'. You will see a dialog box saying 'Client Certificate Authority has been successfully created.'
Create Server CA
Click 'Create Server CA' under 'Server Certificate Authorities'. You will see a dialog box saying 'Server Certificate Authority has been successfully created.'
Now click 'Create certificate' and then 'Set as Active'.
You can download the CA certificate from the EAP-TLS page and use it in your SCEP enrollment / MDM tool to generate your CSRs. Also put this CA certificate on the device you want to enroll (as a trusted certificate in the root folder). This also generally gets pushed by your MDM tool.
In your SCEP enrollment / MDM tool, you will need a SCEP URL and a Challenge password. Go to the Foxpass Console's SCEP page to copy the unique SCEP endpoint and Challenge password for your account, and use them in your SCEP enrollment / MDM tool to generate the client CSRs.
Any CSR without the valid Challenge password will be rejected. For every successful request, a new client certificate is generated and pushed to your device, and it is also listed on the Foxpass Console's EAP-TLS page for record purposes.
Certificate listing and revocation
The Foxpass Console's EAP-TLS page lists all your issued certificates along with their serial, information, status, issue date, and expiry date. You can revoke a certificate by selecting a valid reason. Make sure you send 'TLS-Client-Cert-Serial' in all your RADIUS requests so that any revoked certificate with the accompanying serial is invalidated.
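A local check to run after enrollment, as an added example that is not part of Foxpass's documentation or tooling: it confirms that a client certificate chains to the client CA and prints the serial and expiry date to compare with the certificate listing. The function names, file names and the serial 0x1A2B3C are assumptions, and every certificate is constructed demo data generated with openssl.

```bash
#!/bin/sh
# Added example. All certificates here are constructed demo data that stand in
# for the client CA downloaded from the console and a certificate issued via SCEP.

# make_demo_pki DIR: build a throwaway CA, one device cert it signs (serial
# 0x1A2B3C), and an unrelated self-signed cert that must not validate.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-device" \
    -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial 0x1A2B3C -days 7 -out "$1/dev.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=unrelated" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# check_client_cert CA_PEM CERT_PEM
# Succeeds only if CERT_PEM chains to CA_PEM and is inside its validity period;
# prints the serial (to match against the certificate listing) and expiry date.
check_client_cert() {
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL: $2 does not validate against $1" >&2
    return 1
  fi
  cc_serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  cc_expiry=$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)
  echo "serial=$cc_serial notAfter=$cc_expiry"
}

# Demo run on the constructed files
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_client_cert "$demo_dir/ca.pem" "$demo_dir/dev.pem"
check_client_cert "$demo_dir/ca.pem" "$demo_dir/other.pem" || echo "unrelated certificate rejected"
rm -rf "$demo_dir"
```

On a real device, pass the downloaded client CA file and the issued certificate to check_client_cert in place of the demo files.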
Please see the section to your left for documentation on various MDMs.