EAP-TLS - Initial setup
First time setup on EAP-TLS page
This guide tells you the one time set up for Foxpass in order to use MDM's like Apple configurator, JAMF etc. Make sure you have our Advanced RADIUS add-on enabled for your account.
Download Client CA
- Go to the Foxpass EAP-TLS page. Click on Create new CA button under 'Client Certificate Authorities'.
Click Create new Client CA
- Edit CA name, CA validity and Certificate Validity Period if desired.
- Click 'Create CA' button.
Create CA
Click Ok
Click on 'Download CA' button. The CA can be used later in setting configuration files for MDM.
Download Server CA
Click on Create new Server CA under 'Server Certificate Authorities'. You will see a dialog box saying that 'Server Certificate Authority has been successfully created.'
Server CA created
Now click on 'Create certificate' and then 'Set as Active'.
Server CA marked as active
Click on 'Download CA' button. The CA can be used later in setting configuration files for MDM.
Configure SCEP Endpoint
You can create a SCEP endpoint with Verification Type as User or Device or None depending on your requirement. For MDM's like Apple configurator, JAMF etc you will need to configure Authentication Type as 'Challenge Password' and for Azure authentication type as 'Azure'.
User certificate and Authentication Type : Challenge Password
- Go to the SCEP page on Foxpass.
- Click 'Create SCEP endpoint' button.
- Name - < Your choice>
- Verification Type: User
- Authentication Type: Challenge Password
- Client Certificate Authority: Select the client CA created earlier.
SCEP endpoint - User certificate and challenge password
Device certificate and Authentication Type : Challenge Password
SCEP endpoint - Device certificate and challenge password
Choose 'None' if you don't want to verify whether it is device or a user certificate.
Once created, note the unique endpoint and challenge password. You will need it while configuring MDM's.
Note SCEP URL and Challenge password from the SCEP page
User certificate and Authentication Type : Azure
- Name - Give a name to your endpoint.
- Verification type - User
- Authentication type = 'Azure'
- Azure Tenant ID - Paste the Tenant ID copied from Azure.
- Azure Client ID - Paste the Client ID copied from Azure
- Azure app client secret - Paste the secret copied from Azure
- Click 'Create' button.
Device certificate and Authentication Type : Azure
In your SCEP enrollment / MDM tool, you will need a SCEP URL and Challenge password. Go to the Foxpass Console's SCEP page to copy the unique SCEP endpoint and Challenge password for your account and use this information in your SCEP enrollment / MDM tool to generate the client CSR requests.
Any CSR requests without the valid Challenge password will be rejected. For all successful requests, a new client certificate will be generated and pushed to your Device and also made available in the Foxpass Console's EAP-TLS for record purposes.
Certificate listing and revocation
The Foxpass Console's EAP-TLS lists all your issued certificates along with their serial, information, status, issue, and expiry date. You can revoke a certificate by selecting a valid reason. Make sure you send 'TLS-Client-Cert-Serial' in all your RADIUS requests so that any revoked certificates with the accompanied Cert serial are invalidated.
Client certificates
Please see the section to your left for various MDM's documentations.
Updated about 15 hours ago