Configuring PEAP

Thu Sep 24 02:24:44 CEST 2015

Hello, all. I'm setting up freeradius-2.1.12-6.el6.x86_64 on CentOS 6, and
I'm close to having an acceptable solution, but I've got a couple obnoxious
issues I'm not cracking despite diligent searching.

A broad outline: My FreeRADIUS is being used by some AeroHive wireless access
points to authenticate against AD, and I've got that happening over Centrify
using their winbindd stand-in. That all works fine.

There are two problems.

First, MacOS clients are asked to accept the certificate. It's described as
valid, and I'm presenting an intermediate and my cert, and they're hooking
that up to a trusted DigiCert certificate and everything is happy... Except,
why is it asking the user to accept a cert, and especially one based on a
root that's shipped out with every Mac? A twist is that it's a wildcard cert.
Does that matter? I can't see anywhere in example configs, cert Makefile, or
online searches that folks set any sort of coherent common name that must
match. I'm not seeing where FreeRADIUS would even keep this config.

The second issue is that Windows clients must turn off cert validation. I
suspect that this is because the cert wasn't built with the xpextensions
OIDs. We can get a cert that *is* built with them, but coming back to the Mac
issue, I wonder what else I'd want to do to make an acceptable certificate.

To potentially tie the two issues together, it's conceivable that Macs also
want that xpextensions OID stuff, but that seems like a stretch.

The Mac clients don't present anything on screen to match against the common
name / subject name in the wildcard cert. We can get a cert that's not a
wildcard and bake in the Windows-happy OIDs, but I'd really deeply like to
craft a cert that's accepted without prompting by our Macs and that's also
acceptable to Windows hosts. I suspect that whatever issue is making the Macs
prompt us would also be a problem for the Windows clients, above and beyond
the Windows clients wanting the xpextensions stuff.

This all works if the Macs hand-approve the cert and the Windows users add a
network that doesn't validate the cert, but it's a big environment and we
want the stuff to work out of the box. (I've heard that best practises are to
hand-sign certs with a local CA and make everything trust the local CA, but
we really want to use a public CA for this.)

Thanks in advance for help.

-- 
 Mason Loring Bliss         mason at blisses.org        http://blisses.org/  
"I am a brother of jackals, and a companion of ostriches."  (Job 30 : 29)