using SSL certs with EAP-TLS

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Tue Jul 5 23:34:00 CEST 2016


Hi Wouter

On 05.07.2016 at 20:31, Wouter wrote:
> Hi All,
> 
> On 3-7-2016 16:13, Wouter wrote:
>> I have been reading posts like these:
>> http://lists.freeradius.org/pipermail/freeradius-users/2013-August/067987.html
>> and trying to make it work with only the root CA in ca_file, together
>> (both.pem in the listing above) with the intermediate cert, with the
>> cert for tommie.example.com in it... nothing helps.
>> Again, all is working, but I'd like to get rid of the warning! Any help?
> 
> Anyone with a working configuration for FreeRADIUS with StartSSL
> certificates?
Yep, still me.

I renewed our RADIUS server certificate unfortunately almost right
before they changed their issuing CAs last year. Depending on your
validation with them you might have another intermediate CA or even root
CA so be careful at that point.

What has also changed in the meantime is how StartSSL now gives you the
signed server certificate. As of 1-2 months ago they gave a zip archive
with the signed server certificate and the intermediate certificates
combined for i.e. IIS, Apache and nginx formats. I've checked on another
more recent certificate and it seems the nginx variant comes in the order
of 1. server certificate, 2. intermediate certificate.

In this case all you'd need is adding the right signing certificate at
the end of the combined file for nginx and you'd be quite good to go.

I have even left ca_file on 3.0.11+ as is by default and have the order
of 1. server cert, 2. intermediate cert, 3. root CA and that seems to
work for me.

Concerning the warning: Am I guessing correctly you are on Windows?
Even if all of this worked, especially on BYOD Windows 8.1/10 boxes I
have realized that even if users follow Windows' regular wizards it
still presents them with a hash of the certificate, which isn't really
helpful. (It just says "here is a hash, do you accept?"; no CA, no common
name is shown)

In order to not make that thing pop up I had to give them WiFi XML
profiles that (still) strictly check the issuing CA and the common name
- that is what made that popup go away for me.*

-- Mathieu

* Disclaimer: I do use the service 802.1x-config.org operated by fellow
list contributor Stefan Winter who again is related to eduroam CAT
development. CAT simplified both my (admin) life and generates also
simple installers for Windows taking care for the user importing the XML
config the right way (If not part of eduroam you can actually get the
CAT code and install your own instance that is)
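The file order Mathieu describes (1. server cert, 2. intermediate cert, 3. root CA) is easy to get wrong when pasting PEM blocks together, and a wrong order is exactly what produces the warnings the thread is about. The script below is an added example, not code from this thread or from the FreeRADIUS project: it builds a throwaway test PKI with openssl (the names Example Root CA, Example Intermediate CA and radius.example.com are constructed for the demo), concatenates the certificates in that order, verifies that the server certificate chains to the root, and checks that each certificate in the bundle is followed by its issuer. It assumes openssl (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example (not from the list thread). Builds a constructed test PKI,
# assembles the combined PEM in the post's order (server, intermediate, root)
# and checks both the chain and the ordering before handing it to FreeRADIUS.
# Assumes: openssl on PATH. Names and CNs below are made up for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_test_pki DIR: constructed root CA -> intermediate CA -> server cert.
# x509 -req with -extfile is used for every cert so the result does not
# depend on whatever openssl.cnf is installed on the box.
make_test_pki() {
    d="$1"
    # Self-signed root CA.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    # Intermediate CA signed by the root (must carry CA:TRUE or verify rejects it).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    # RADIUS server certificate signed by the intermediate.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=radius.example.com" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/server.ext" -out "$d/server.pem" >/dev/null 2>&1
}

# build_bundle OUT CERT...: concatenate PEM files in exactly the order given.
build_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# verify_chain DIR: 0 if server.pem chains to root.pem through int.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem" >/dev/null 2>&1
}

# check_bundle_order BUNDLE: 0 if every certificate's issuer is the subject of
# the next certificate in the file, i.e. the bundle runs leaf -> intermediate -> root.
check_bundle_order() {
    tmp="$(mktemp -d)"
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/c" n ".pem") }' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem" | sed 's/^issuer=//')
        next=$(openssl x509 -noout -subject -in "$tmp/c$((i + 1)).pem" | sed 's/^subject=//')
        if [ "$issuer" != "$next" ]; then
            rm -rf "$tmp"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return 0
}

# Stand-alone run: build the PKI, assemble the bundle in the post's order, check it.
make_test_pki "$WORK"
build_bundle "$WORK/combined.pem" "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem"
if verify_chain "$WORK"; then echo "chain verifies"; else echo "chain does NOT verify"; fi
if check_bundle_order "$WORK/combined.pem"; then
    echo "bundle order ok: server -> intermediate -> root"
else
    echo "bundle order wrong"
fi
```

With a real certificate, `combined.pem` is what goes into `certificate_file` in the `tls` section of the eap module (with the server key in `private_key_file`), and `check_bundle_order` fails immediately if the root or intermediate was pasted first. The ordering check only compares names, so it catches a shuffled bundle but not a wrong key; `openssl verify` is the check that the signatures actually chain.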



More information about the Freeradius-Users mailing list