
Issue 655266

Starred by 8 users

Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature

Blocking:
issue 715982




Feature Request [FR] = Add network device policy support for EAP-TLS WiFi

Project Member Reported by alu...@chromium.org, Oct 12 2016

Issue description

Description:
Add the ability to configure an EAP-TLS WiFi device policy.

Use case:  

Customers who use Chrome Kiosks devices would like to be able to connect to EAP-TLS WiFi networks. 




Motivation: Customers can do this on other platforms, and are looking to do the same with Chrome devices.


Existing workarounds:
- Manually configure the EAP-TLS connection, and import certificates manually
- Customer has to use alternative WiFi security configurations that do not require certificates, such as PEAP

 

Comment 1 by alu...@chromium.org, Oct 12 2016

Cc: aghuie@chromium.org

Comment 2 by alu...@chromium.org, Oct 12 2016

Attached screenshot of the warning an Admin would see when they try to save/apply an EAP-TLS wifi configuration to devices in the admin console.

Warning says: "Current Wi-Fi selection cannot be applied to 'by device' option. You need to change the Wi-Fi selection or change this option by user"

[Attachment: EAp-TLS-DeviceWifi_warrning.png, 73.5 KB]
Labels: Enterprise-Triaged
Owner: dskaram@chromium.org
Assigned to dskaram for triage.
Status: Assigned (was: Untriaged)
Assigning to the owner.
Cc: dskaram@chromium.org
Labels: -Pri-3 M-59 OS-Chrome Pri-1
Owner: pmarko@chromium.org
Labels: -Restrict-View-Google
Cc: sduraisamy@chromium.org
Components: UI>Shell>Kiosk
Status: Started (was: Assigned)
This work will support device-wide EAP-TLS for both WiFi and Ethernet in Kiosk, Public Sessions, and Login Screen. 
Cc: tienchang@chromium.org alu...@chromium.org atwilson@chromium.org antrim@chromium.org harpreet@chromium.org
Issue 657569 has been merged into this issue.
Is this feature still targeting M-59?
Labels: -M-59 M-60

Comment 12 by bugdroid1@chromium.org (Project Member), Apr 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93bc5d7c02d275d27c030ab15a8c68efc8efdd99

commit 93bc5d7c02d275d27c030ab15a8c68efc8efdd99
Author: pmarko <pmarko@chromium.org>
Date: Thu Apr 27 10:58:28 2017

Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
TEST=unit_tests && chromeos_unittests
Manual test scenario:
--
Prerequisites:
Install a certificate (subject common name e.g.: “cert_user”)
into the user token and a different certificate (subject common
name e.g.: “cert_system”) into the system token.
Have an EAP-TLS wifi network connected to a radius server which
would accept both client certificates.
--
Test Case 1: device policy ONC / user token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
     }
Expected result: The device does not try to auto-connect to the
wifi network because the ClientCertPattern originating from device
policy does not match user certificates.
--
Test Case 2: device policy ONC / system token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
     }
Expected result: The device auto-connects to the wifi network
because the ClientCertPattern originating from device policy
matches certificates present on the system token. It authenticates
with cert_system.
--
Test Case 3: user policy ONC / user token certificate
Configure a user policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
     }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_user.
--
Test Case 4: user policy ONC / system token certificate
Configure a user OpenNetworkPolicy to connect to the EAP-TLS network
with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
     }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_system.

Review-Url: https://codereview.chromium.org/2828713002
Cr-Commit-Position: refs/heads/master@{#467634}

[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/ash/system/network/network_list.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chrome/browser/chromeos/enrollment_dialog_view.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/cert_loader.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/cert_loader.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/auto_connect_handler.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/client_cert_resolver.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/client_cert_resolver_unittest.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/client_cert_util.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/client_cert_util.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/managed_network_configuration_handler.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/managed_network_configuration_handler_impl.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/managed_network_configuration_handler_impl.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/mock_managed_network_configuration_handler.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/network_cert_migrator.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/network_cert_migrator_unittest.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/network_connection_handler.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/network_connection_handler_unittest.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/onc/onc_validator.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/onc/onc_validator.h
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/network/onc/onc_validator_unittest.cc
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/chromeos/test/data/network/invalid_settings_with_repairs.json
[modify] https://crrev.com/93bc5d7c02d275d27c030ab15a8c68efc8efdd99/components/sync_wifi/wifi_config_delegate_chromeos_unittest.cc
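Added example (not Chromium code) modelling the restriction described in the commit message above: a ClientCertPattern that originates from device policy is matched only against certificates on the system token, so a device-wide network can never present a user's certificate, and the four manual test cases come out as the commit expects. The names ResolveClientCert, OncSource, Token and ClientCert are assumptions of this example, not Chromium's API.

```cpp
// Added example, not Chromium code: a minimal model of device-policy
// client certificate pattern resolution. Real ONC patterns match on more
// than the subject CN; only the CN matcher is modelled here (assumption).
#include <string>
#include <vector>

enum class OncSource { kUserPolicy, kDevicePolicy };  // where the ONC came from
enum class Token { kUser, kSystem };                   // where the cert lives

struct ClientCert {
  std::string common_name;  // subject CN, e.g. "cert_user" / "cert_system"
  Token token;
};

struct ClientCertPattern {
  std::string subject_common_name;  // ClientCertPattern.Subject.CommonName
};

// Returns the CN of the certificate the network would authenticate with, or
// "" when nothing is allowed to match (the network then stays unconfigured
// and auto-connect is skipped, as in Test Case 1 of the commit message).
std::string ResolveClientCert(const ClientCertPattern& pattern,
                              OncSource onc_source,
                              const std::vector<ClientCert>& certs) {
  for (const ClientCert& cert : certs) {
    if (cert.common_name != pattern.subject_common_name)
      continue;
    // Device policy may only use system-token certificates; user policy may
    // use either token, so user certs are never presented involuntarily.
    if (onc_source == OncSource::kDevicePolicy && cert.token != Token::kSystem)
      continue;
    return cert.common_name;
  }
  return "";
}

// The two certificates from the commit's test prerequisites (constructed).
std::vector<ClientCert> TestCerts() {
  return {{"cert_user", Token::kUser}, {"cert_system", Token::kSystem}};
}

int main() {
  const std::vector<ClientCert> certs = TestCerts();
  // Test Case 1: device policy + user-token cert -> no match.
  // Test Case 2: device policy + system-token cert -> "cert_system".
  const bool ok =
      ResolveClientCert({"cert_user"}, OncSource::kDevicePolicy, certs).empty() &&
      ResolveClientCert({"cert_system"}, OncSource::kDevicePolicy, certs) ==
          "cert_system";
  return ok ? 0 : 1;
}
```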

Cc: gbirtchnell@chromium.org
Blocking: 715982

Comment 15 by bugdroid1@chromium.org (Project Member), May 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f149a05d31ad319ef6b620911b74e390dbee354

commit 2f149a05d31ad319ef6b620911b74e390dbee354
Author: pmarko <pmarko@chromium.org>
Date: Fri May 12 12:21:45 2017

Enable device-wide EAP-TLS networks

Enable device-wide EAP-TLS networks by loading the system TPM slot
on chrome start-up and using it as an additional source of client
certificates for CertLoader.
CertLoader supports working with only one database (e.g. only system
token) or both databases (system and user token).
If CertLoader works with both databases, it also supports the special case that the user's database allows access to the system token (e.g. for affiliated users) and prevents duplicate certificates in its output.

BUG=655266

Review-Url: https://codereview.chromium.org/2858113003
Cr-Commit-Position: refs/heads/master@{#471280}

[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chrome/browser/chromeos/chrome_browser_main_chromeos.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chrome/browser/chromeos/chrome_browser_main_chromeos.h
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chrome/browser/chromeos/login/session/user_session_manager.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chrome/browser/chromeos/options/cert_library.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/cert_loader.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/cert_loader.h
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/cert_loader_unittest.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/auto_connect_handler_unittest.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/client_cert_resolver.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/client_cert_resolver_unittest.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/network_cert_migrator.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/network_cert_migrator_unittest.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/network_connection_handler_impl.cc
[modify] https://crrev.com/2f149a05d31ad319ef6b620911b74e390dbee354/chromeos/network/network_connection_handler_impl_unittest.cc


Comment 16 by bugdroid1@chromium.org (Project Member), May 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5268d0272446b745d2d7299a73c133d63e08a6b5

commit 5268d0272446b745d2d7299a73c133d63e08a6b5
Author: pmarko <pmarko@chromium.org>
Date: Thu May 18 13:15:57 2017

Leave client certificate combobox empty if managed certificate not found

If the client certificate is managed by ONC user or device policy, and
the policy-specified certificate (e.g. in a certificate pattern) is not
found, the combobox displaying the selected certificate should be empty.
Before this change, the first certificate was displayed instead. This was
misleading, because the first certificate is not the policy-set
certificate, and it is not possible to connect to the network in this
state.
Note that the user can't change the certificate in this case (because
it's managed by policy).

BUG=655266
TEST=Manual test

Review-Url: https://codereview.chromium.org/2887993003
Cr-Commit-Position: refs/heads/master@{#472787}

[modify] https://crrev.com/5268d0272446b745d2d7299a73c133d63e08a6b5/chrome/browser/chromeos/options/wifi_config_view.cc
[modify] https://crrev.com/5268d0272446b745d2d7299a73c133d63e08a6b5/chrome/browser/chromeos/options/wifi_config_view.h


Comment 17 by bugdroid1@chromium.org (Project Member), May 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8

commit 4cc64c6cdb93dcded1e43a51792a2bf7f89714d8
Author: pmarko <pmarko@chromium.org>
Date: Thu May 18 13:28:22 2017

Don't reject server and CA certs during device ONC validation

Server and CA certs are not rejected during device ONC validation
anymore. They are still not imported into the NSS database because:
- no OncCertificateImporter instance exists for device policy
- OncCertificateImporter has an additional check to prevent importing
  server or ca certs from device policy.
Still, these certs should pass ONC validation so they can be used to
verify the radius server certificate when connecting to EAP-TLS networks on the sign-in screen.

Detail: http://go/chromeos-devicewide-eaptls-radiuscert

BUG=655266
TEST=Manual test, chromeos_unittests --gtest_filter=ONCValidatorTest*

Review-Url: https://codereview.chromium.org/2859123003
Cr-Commit-Position: refs/heads/master@{#472790}

[modify] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/network/onc/onc_certificate_importer_impl.cc
[modify] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/network/onc/onc_certificate_importer_impl.h
[modify] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/network/onc/onc_validator.cc
[modify] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/network/onc/onc_validator_unittest.cc
[modify] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/test/data/network/invalid_settings_with_repairs.json
[add] https://crrev.com/4cc64c6cdb93dcded1e43a51792a2bf7f89714d8/chromeos/test/data/network/managed_toplevel_with_server_and_ca_cert.onc

Status: Fixed (was: Started)

Comment 19 by bugdroid1@chromium.org (Project Member), May 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fc674bec51cf121f34d241830b037315f74a7f18

commit fc674bec51cf121f34d241830b037315f74a7f18
Author: Pavol Marko <pmarko@chromium.org>
Date: Tue May 23 16:42:28 2017

Skip loading system token on startup if TPM is not ready

If the TPM is not ready, don't try to load the system token. It would
fail anyway and prevent the TPM initialization process from running on
user sign-in (because TPMTokenLoader only performs the initialization
process once). Also, delay system token initialization until cryptohome
is ready.

BUG=725346, 655266
TEST=Manual test on Chrome OS:
(1) On a freshly reset device (not enrolled, not owned), the system
    token is simply not loaded on the sign-in screen
(2) On an enrolled device, the system token is loaded on the sign-in
    screen. Device-wide EAP-TLS networks can connect.
In both cases, there should be no errors related to TPM init in
  /var/log/chrome/chrome.

Change-Id: If810287747f05361ffa3a0a06fe9f2c8988ea676
Reviewed-on: https://chromium-review.googlesource.com/512662
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#473937}
[modify] https://crrev.com/fc674bec51cf121f34d241830b037315f74a7f18/chrome/browser/chromeos/chrome_browser_main_chromeos.cc
[modify] https://crrev.com/fc674bec51cf121f34d241830b037315f74a7f18/chrome/browser/chromeos/login/session/user_session_manager.cc
[modify] https://crrev.com/fc674bec51cf121f34d241830b037315f74a7f18/chromeos/cert_loader.h

Tested in M61.0.3132.0:9656.0.0 dev reks with device policy on YAPS:
1. Client certificate pattern matching client_cert_system:
   a. Auto-connect successfully.
   b. Manual connect successfully.
2. Client certificate pattern NOT matching client_cert_system:
   a. Auto-connect did not happen.
   b. Manual connect - prompted for valid certificate.
3. With auto-connect, changed network, and the EAP-TLS network automatically switched back shortly.
4. Tested 1-3 on public sessions with the same behaviors.

jingwee@, can you please also test the kiosk mode?
sduraisamy@ I tried to test in Kiosk mode in M60.0.3112.34:9592.22 beta peppy and M61.0.3132.0:9656.0.0 dev pit with YAPS. Somehow, the kiosk apps could not be downloaded and thus would not launch, and the device ended up in the normal sign-in screen. Nevertheless, the network automatically connected to was the EAP-TLS network. I manually changed the network connection to another and it automatically reconnected to the EAP-TLS network shortly.
Cc: krishna...@chromium.org
+ Krishna

jingwee@, are the kiosk apps downloading if we remove the EAP-TLS setting? Can you ping the app-id that you tried?
sduraisamy@ The following are the kiosk app configs I tried. These work fine in a non-YAPS configuration. No difference when I removed the entire ONC setting in YAPS: apps still could not be downloaded. My guess is that it is maybe due to permissions or something in the YAPS configuration. Krishna is looking into this.

[
  {
    "id": "jgekjjofdjaablciahecjmlodmjpdmci",
    "kiosk_app_id": "jgekjjofdjaablciahecjmlodmjpdmci",
    "kiosk_app_update_url": "https://client2.google.com/service/update2/crx",
    "type": 1
  },
  {
    "id": "bkledbfligfdnfkmccllbllealecompm",
    "kiosk_app_id": "bkledbfligfdnfkmccllbllealecompm",
    "kiosk_app_update_url": "https://client2.google.com/service/update2/crx",
    "type": 1
  },
  {
    "id": "cgpppfbmlkiajbldalahojmaibgicope",
    "kiosk_app_id": "cgpppfbmlkiajbldalahojmaibgicope",
    "kiosk_app_update_url": "https://client2.google.com/service/update2/crx",
    "type": 1
  },
  {
    "id": "ilnpadgckeacioehlommkaafedibdeob",
    "kiosk_app_id": "ilnpadgckeacioehlommkaafedibdeob",
    "kiosk_app_update_url": "https://client2.google.com/service/update2/crx",
    "type": 1
  },
  {
    "id": "lhomibkaedgohldjinnmpljlaibjplnc",
    "kiosk_app_id": "lhomibkaedgohldjinnmpljlaibjplnc",
    "kiosk_app_update_url": "https://client2.google.com/service/update2/crx",
    "type": 1
  }
]
With Krishna's help, I verified EAP-TLS network works fine for Kiosk mode. The issue I encountered earlier was due to my YAPS environment (no issue in Krishna's YAPS environment) and has nothing to do with EAP-TLS network.
Status: Verified (was: Fixed)
as per #25
Hi,

I am still seeing the initial error when trying to configure device wide TLS in our admin portal.

How do I get my hands on this fix?

Thanks,

T.