I'm currently in the process of testing EAP-TLS before deploying it in production. My test setup consists of:
- Supplicants: Android 6, Debian Buster with WICD-GTK.
- Authenticator: Mikrotik RouterOS 6.43 (it actually just passes the EAP frames through to FreeRADIUS)
- Authentication server: FreeRADIUS 3.0.12
It is known that the CN field in an X.509 user certificate can be used as a user identity. I supposed that with EAP-TLS we must not use a username/password pair anymore. But in the case of Android or WICD I have to manually specify a username (Identity) in the client's Wi-Fi settings (Android, WICD) to be successfully authenticated. Furthermore, in the WICD-GTK GUI the Identity field can't be empty. Android does allow that field to be empty, but authentication is not working in such a case. In fact, in the Identity field I have to input the very same value as the CN. I heard that Apple iOS uses the CN value if the Identity field is empty, but I've no Apple device for confirmation.
Is it normal behavior to require manual specification of a user's identity for EAP-TLS Wi-Fi settings, regardless of the CN value, or is it a poor EAP-TLS implementation in those clients?
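For reference, the server-side piece that links the EAP identity the client types in to the certificate CN is a FreeRADIUS 3.0 setting, not the client. This is an added illustration and not the poster's configuration: the two fragments below show the tls-config option `check_cert_cn` (which, when enabled, rejects the session unless the CN in the client certificate equals the User-Name derived from the EAP-Response/Identity) and a post-auth policy that reports the certificate CN back as the session's User-Name so accounting and the authenticator see the certificate identity rather than whatever was typed in. File paths, the `tls-common` section name and the CA filename are assumptions taken from the stock 3.0 layout.

```conf
# mods-available/eap (FreeRADIUS 3.0.x), relevant parts only
eap {
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem      # assumed paths
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem            # CA that issued the user certs

        # Enabled: the CN of the presented client certificate must equal
        # the User-Name (i.e. the EAP Identity the supplicant sent), otherwise
        # the TLS handshake is refused. Leave commented out to let the
        # Identity be anything (even "anonymous") and trust the cert alone.
        check_cert_cn = %{User-Name}
    }

    tls {
        tls = tls-common
    }
}

# sites-available/default, post-auth section (unlang)
post-auth {
    # TLS-Client-Cert-Common-Name is populated by the eap/tls module from the
    # verified client certificate. Returning it as User-Name makes the
    # certificate identity, not the typed Identity, the name of record.
    if (&TLS-Client-Cert-Common-Name) {
        update reply {
            &User-Name := "%{TLS-Client-Cert-Common-Name}"
        }
    }
}
```

With `check_cert_cn` commented out, the only thing the server needs from the EAP Identity is that it is present, because RADIUS requires a User-Name to start the EAP conversation at all; the certificate CN is then the authenticated identity, and the post-auth rule above is what makes that explicit to the NAS.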