You cannot use a wildcard certificate with Windows clients, EAPhost does not support it. Nick On Thu, Sep 24, 2015 at 1:24 AM, Mason Loring Bliss <mason@blisses.org> wrote:
Hello, all. I'm setting up freeradius-2.1.12-6.el6.x86_64 on CentOS 6, and I'm close to having an acceptable solution, but I've got a couple obnoxious issues I'm not cracking despite diligent searching.
A broad outline: My FreeRADIUS is being used by some AeroHive wireless access points to authenticate against AD, and I've got that happening over Centrify using their winbindd stand-in. That all works fine.
There are two problems.
First, MacOS clients are asked to accept the certificate. It's described as valid, and I'm presenting an intermediate and my cert, and they're hooking that up to a trusted DigiCert certificate and everything is happy... Except, why is it asking the user to accept a cert, and especially one based on a root that's shipped out with every Mac? A twist is that it's a wildcard cert. Does that matter? I can't see anywhere in example configs, cert Makefile, or online searches that folks set any sort of coherent common name that must match. I'm not seeing where FreeRADIUS would even keep this config.
The second issue is that Windows clients must turn off cert validation. I suspect that this is because the cert wasn't built with the xpextensions OIDs. We can get a cert that *is* built with them, but coming back to the Mac issue, I wonder what else I'd want to do to make an acceptable certificate.
To potentially tie the two issues together, it's conceivable that Macs also want that xpextensions OID stuff, but that seems like a stretch.
The Mac clients don't present anything on screen to match against the common name / subject name in the wildcard cert. We can get a cert that's not a wildcard and bake in the Windows-happy OIDs, but I'd really deeply like to craft a cert that's accepted without prompting by our Macs and that's also acceptable to Windows hosts. I suspect that whatever issue is making the Macs prompt us would also be a problem for the Windows clients, above and beyond the Windows clients wanting the xpextensions stuff.
This all works if the Macs hand-approve the cert and the Windows users add a network that doesn't validate the cert, but it's a big environment and we want the stuff to work out of the box. (I've heard that best practises are to hand-sign certs with a local CA and make everything trust the local CA, but we really want to use a public CA for this.)
Thanks in advance for help.
-- Mason Loring Bliss mason@blisses.org http://blisses.org/ "I am a brother of jackals, and a companion of ostriches." (Job 30 : 29) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html