EAP-TLS

First time setup on EAP-TLS page

Device enrollment / Client certificate generation

Make sure you have our Advanced RADIUS add-on enabled for your account. Put the RADIUS server certificate on the Device (as a trusted certificate in the root folder) you want to enroll and to be able to talk to our RADIUS servers. This generally gets pushed by your SCEP enrollment / MDM tool such as Apple configurator, Intune, JAMF etc.

Create Client CA

Click on Create CA button under 'Client Certificate Authorities'. You will see a dialog box saying that 'Client Certificate Authority has been successfully created.'

Client CA created

Client CA created

Create Server CA

Click on Create Server CA under 'Server Certificate Authorities'. You will see a dialog box saying that 'Server Certificate Authority has been successfully created.'

Server CA created

Server CA created

Now click on 'Create certificate' and then 'Set as Active'.

Server CA marked as active

Server CA marked as active

You can download the CA certificate from the EAP-TLS and use it in your SCEP enrollment / MDM tool to generate your CSR requests. Also put this CA certificate on the Device (as a trusted certificate in the root folder) you want to enroll. This also generally gets pushed by your MDM tool.

In your SCEP enrollment / MDM tool, you will need a SCEP URL and Challenge password. Go to the Foxpass Console's SCEP page to copy the unique SCEP endpoint and Challenge password for your account and use this information in your SCEP enrollment / MDM tool to generate the client CSR requests.

SCEP URL and Challenge password on the SCEP page

SCEP URL and Challenge password on the SCEP page

Any CSR requests without the valid Challenge password will be rejected. For all successful requests, a new client certificate will be generated and pushed to your Device and also made available in the Foxpass Console's EAP-TLS for record purposes.

Certificate listing and revocation

The Foxpass Console's EAP-TLS lists all your issued certificates along with their serial, information, status, issue, and expiry date. You can revoke a certificate by selecting a valid reason. Make sure you send 'TLS-Client-Cert-Serial' in all your RADIUS requests so that any revoked certificates with the accompanied Cert serial are invalidated.

Client certificates

Client certificates

Please see the section to your left for various MDM's documentations.