EAP SSL Cert "Not Trusted"

Trevor Jennings Trevor at simple101.com
Thu Jun 15 19:42:27 CEST 2017


Thanks for the replies!

We've had EAP functioning well for the past 7-8 years and when the cert
comes up for renewal, I've been asked why we need to keep trusting the
certificate, so I am trying to find answers.


>   Do not use public CA certs for WiFi authentication.  It's insecure.
>
>
So you are suggesting we should be using self-signed certs instead of a
public CA?



>   And no, the Apple devices do NOT already trust the Thawte cert for WiFi
> authentication.  They trust the Thawte cert for web surfing, which is
> entirely different.
>

This is what I do not understand. The root certificate is the same for both
and is sent as part of the EAP process along with the server certificate. I
know this sounds like a stupid question but how are these both different?



>
>   You need to have a mobileconfig which tells each device what the SSID
> is, what EAP method to use, and what CA to use.
>
> > Are you referring to configuration profiles that are set up on the
> clients?
>
>   Yes.  You need to configure each device as I said above.
>

I understand this as when I receive the new certificate, I send it along to
the service desk, who set up profiles on staff/faculty machines that use WiFi. I
think they also may use MDM to send the profiles to mobiles, but only some
staff/faculty devices.


>
>   In order to get EAP working, follow the guide at:
>
> http://deployingradius.com/documents/configuration/eap.html
>
>   It WILL work.
>
>   And yes, it involves creating your own certificates, and also installing
> the certificates on the clients.
>
>
It sounds like we should provide a solution to allow clients to install the
certificates.

 Cheers,

 - Trevor
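
The kind of profile the quoted reply describes (SSID, EAP method and CA in one mobileconfig), as an added example that is not part of the original thread: a Python sketch that builds such a profile and audits one for missing trust pinning. The SSID, server name, organisation identifier, the choice of PEAP and the CA bytes are constructed placeholders, not values from this deployment.

```python
import plistlib
import uuid

ROOT, WIFI = "com.apple.security.root", "com.apple.wifi.managed"

def _payload(ptype, ident, name, **keys):
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name, **keys}

def build_wifi_profile(ssid, ca_der, server_names, eap_types=(25,), org="com.example.wifi"):
    """Build a profile that pins one CA and the RADIUS server name to one SSID."""
    ca = _payload(ROOT, org + ".ca", "RADIUS CA", PayloadContent=ca_der)
    eap = {"AcceptEAPTypes": list(eap_types),                    # 25 = PEAP
           "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust only this CA
           "TLSTrustedServerNames": list(server_names)}          # and only this name
    wifi = _payload(WIFI, org + ".ssid", "Wi-Fi " + ssid, SSID_STR=ssid,
                    EncryptionType="WPA2", AutoJoin=True, EAPClientConfiguration=eap)
    top = _payload("Configuration", org, "Wi-Fi " + ssid, PayloadContent=[ca, wifi])
    return plistlib.dumps(top)

def audit_wifi_profile(data):
    """Return a list of trust problems found in the Wi-Fi payloads of a profile."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") == ROOT}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != WIFI:
            continue
        ssid, eap = p.get("SSID_STR", "?"), p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not eap.get("AcceptEAPTypes"):
            problems.append(f"{ssid}: no EAP method")
        if not anchors:
            problems.append(f"{ssid}: no CA anchor")
        elif not set(anchors) <= cert_uuids:
            problems.append(f"{ssid}: anchor not in profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: no trusted server name")
    return problems

# Constructed sample input: placeholder bytes standing in for the CA's DER file.
SAMPLE_CA_DER = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    profile = build_wifi_profile("ExampleCampus", SAMPLE_CA_DER, ["radius.example.org"])
    print(profile.decode())
    print(audit_wifi_profile(profile) or "profile pins CA and server name")
```

The anchor and server-name keys are what separate this from the device's web trust store: the Wi-Fi payload names its own CA rather than inheriting the system roots.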

