help seeing more debugging EAP-TTLS handshake
Rohan Mahy
rohan.mahy at gmail.com
Fri Sep 25 17:22:23 CEST 2015
Hi Alan,
Attached are the server cert (CN=wifi.remind.com), the CA cert (CN=Remind
CA), and the mobileconfig file.
- The CA cert is SHA256 and the server cert is SHA-1
- server cert has basic constraints CA false. CA cert has basic
constraints CA true
- DH key is 1024
- The server cert DOES NOT have a SubjectAltName. Do I need to add one?
I'm used to using SubjectAltName in certs for HTTPS and IMAP where you are
matching the target domain, but I haven't been able to find a document that
says what to put in the CN/SubjectAltName for 802.1x. I was originally
going to put the SSID name as a string, but I saw a vague example of a
domain name in an Apple guide where they mentioned wildcards. Any
suggestions here?
Thanks,
-rohan
On Fri, Sep 25, 2015 at 7:01 AM, <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> > My problem with the Macs is figuring out what they do not like about the
> > server certificate.
>
> can you provide your server cert?
>
> Macs will care about things like
>
> is it SHA1 or SHA256 (and not MD5) - is the CA SHA1 or SHA256 too?
>
> does the server cert have CA = false or can the server cert be a CA too?
> (CA = True) - i.e. no constraints
>
> does the server cert have a Common Name and a SubjectAltName by the way?
>
>
> it could be TLS negotiation failing - if the cipher method is DH-based -
> what's the size
> of your DH key - needs to be 1024bit or more
>
>
> start with those
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
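The items asked about in the quoted reply (signature hash, CA flag, CN/SubjectAltName, DH size) can be read straight off the PEM files with the openssl CLI. The script below is an added example, not part of the original messages; the function names and the file paths passed on the command line are hypothetical.

```shell
#!/bin/sh
# Added example: report the certificate properties discussed in this thread.
# Usage (paths are placeholders): sh audit.sh server.pem [dh.pem]

cert_text() { openssl x509 -in "$1" -noout -text; }

# Signature algorithm of the certificate, e.g. sha1WithRSAEncryption.
sig_alg() { cert_text "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }

# basicConstraints CA flag: TRUE, FALSE, or "absent" if the extension is missing.
ca_flag() {
    v=$(cert_text "$1" | sed -n 's/^ *CA:\([A-Z]*\).*/\1/p' | head -n 1)
    echo "${v:-absent}"
}

# SubjectAltName entries (the line after the extension header), or "absent".
san_list() {
    v=$(cert_text "$1" | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }')
    echo "${v:-absent}"
}

# Common Name from the subject; handles both old and new openssl output styles.
subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Size in bits of a DH parameter file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Items to review, following the checklist in the quoted reply.
cert_findings() {
    case "$(sig_alg "$1")" in md5*) echo "signature uses MD5" ;; esac
    [ "$(ca_flag "$1")" = "FALSE" ] || echo "server cert is not marked CA:FALSE"
    [ "$(san_list "$1")" != "absent" ] || echo "no SubjectAltName present"
    return 0
}

if [ "$#" -ge 1 ]; then
    echo "CN=$(subject_cn "$1") sig=$(sig_alg "$1") CA=$(ca_flag "$1") SAN=$(san_list "$1")"
    cert_findings "$1"
    if [ -n "${2:-}" ]; then
        bits=$(dh_bits "$2")
        echo "DH bits: $bits"
        [ "$bits" -ge 1024 ] || echo "DH parameters are below 1024 bits"
    fi
fi
```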