Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?
Arran Cudbard-Bell
a.cudbard-bell at sussex.ac.uk
Sat Jun 27 10:44:39 CEST 2009
Alan DeKok wrote:
> Aaron Mahler wrote:
>
>> It is issued by GoDaddy and does trace back to a valid root cert that
>> I've found exists by default on my OS X systems.
>>
>
> This isn't a good idea for RADIUS systems. It means that the 802.1X
> clients will happily hand their credentials to *anyone* who has a root
> signed certificate.
>
> For RADIUS and EAP, you should use self-signed certificates.
>
>
>> When handed to clients via Radius for 802.1x authentication, though,
>> it's declared as untrusted during the sign-on process.
>>
>
> That's a Mac thing...
>
Mac OSX doesn't trust any Root CAs by default, even if they're
preinstalled on the machine.
> [snip]
>> We'll be serving a large enough user base here that the certificate
>> trust warnings are going to be a HUGE support headache. I need it to be
>> seamless for the end user.
>>
>
>
It's not really that hard... But if you really think you're going to
have a problem, check out one of the dissolvable autoconfiguration
clients like cloudpath.
Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 257 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090627/67aa45d4/attachment.pgp>
More information about the Freeradius-Users
mailing list