Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- Subject: Re: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
- From: "Miller, Timothy J." <email@hidden>
- Date: Mon, 14 Jan 2013 16:27:46 +0000
- Thread-topic: [Fed-Talk] EAP-TLS Authentication with CAC on iPad or iPhone
Apple's mobile device management (MDM) protocol is a key enrollment
ceremony; after user authentication to the MDM, device enrollment actually
results in a device key and device cert issued to it. While it's
theoretically possible at the MDM side to enable PKI-based user
authentication, at the device side you need a client that supports the
CAC. AFAIK, this requires iOS extensions, which would have to come from
Apple. It's unclear to me if a third-party MDM client would work in a
smart card context.

In addition, the specifics of Apple's MDM protocol actually use Simple
Certificate Enrollment Protocol (SCEP) for the actual certificate
request/retrieval. The DoD PKI does not support SCEP, so even if you
could conquer user authN in device enrollment, you still can't finish the
process.
-- T
On 1/11/13 2:44 PM, "Matt Stier" <email@hidden> wrote:
>Afternoon Folks,
>
>I will soon be working with a DoD customer that wants to "get iPads on
>the network." To me there are two primary hurdles: they are using
>FIPS 140-2 validated crypto for WPA2-Enterprise (thankfully Apple is back
>on the FIPS in-process list) and, second, the ability to use
>certificate-based authentication (EAP-TLS). Unfortunately, standing up a
>CA like many of the commercial folks do is a no-go for us, so we need to
>use the certs on our CAC.
>
>Does anyone out there know of any agencies that have accomplished the
>ability to associate a CAC with a network authentication profile? If so,
>I would be very appreciative if you or they could share some information
>to help save the taxpayers some money!
>
>Feel free to contact me privately if you like.
>
>-Matt
>
>Matt Stier, CISSP/CWNA/ACMA
>SPAWAR, Atlantic
>Phone: 843.321.WLAN (9526) | Fax 843.218.6605
>Email: email@hidden