This is kind of unnecessary, but: I would not write to this list with any problems, if I didn’t assume there were some people Who were an authority on this list. I work with a number of colleagues who are also well meaning and knowledgeable on some of these topics. They forwarded to me the URL: https://developer.apple.com/videos/play/wwdc2016/706/ I was only able to get the video to run on my mac under safari, Firefox and Crome had problems, so I would recommend safari to view it. It was put out last year as a security update [2016]: about 10 minutes in it goes over Apples new philosophy about certificates. With my Colleagues expertise [this is a bit above my head] I am lead to believe self signed certs [that aren’t logged] will not work. If there is a work around for this problem or this should not affect free radius: Sure, tell me I am [once again] incorrect. I am a part time student who is part of the helpdesk, and the default sys admin for a small linux lab I have built from spare parts and used computers for the computer science group at East Stroudsburg University. I have struggled to get free radius up and running for the lab, and frankly don’t have time to argue with experts, I am trying to get this lab running. I struggled with eap-tls on apple products and gave up, that doesn’t mean it doesn’t work: I think that falls more along the lines of it wasn’t simple and took more time than I had. If that makes me less than competent, that’s fair. I changed the EAP profile for os x to support peap, which works. I am not using tls currently, that may change. Thanks for the opportunity to know I am not the expert you are. In future I may need some of your expertise, so I don’t need to make enemies. Humble pie has a special flavor all it’s own. Love you all. [you can smile now]. tob On 3/30/17, 08:33, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 29, 2017, at 7:24 PM, John Tobin <jtobin@po-box.esu.edu> wrote:.
I have a self signed cert because [ I believe ] that is the test cert you get when you install radius. /etc/raddb/cert has a make, you run the make for test certs.
Yes... we're well aware of that.
I have doc that suggests os x and ios will no longer allow self signed certs,
I use a self-signed CA which issues a server cert every day with OSX and iOS. I don't know what magic doc you're reading (and you don't say what it is).
and it was suggested that I should have a self signed cert for free Radiusd eap-tls.
Who suggested it? The test certificates (and the process used to create them) work on every OS. That's why they exist... so people should use them.
The os x machines have no mods for a ³homebrewed² openssl?
I'm not sure what you mean by that.
FreeRADIUS will work with the OpenSSL that's distributed with OSX. It will complain about the old version, but it will work.
I am testing against sierra and elcapitan, and I was also told
By who? And why do you believe some random document, or some random person instead of the experts on this list?
I would have to get special versions of openssl for os x at those levels because of problems in opensslŠ You have to implement homebrew openssl installŠ..
I would suggest using a home-brew version of OpenSSL. It's more up to date. But it's not *required*.
I think I good part of the problem here is that you're reading random documentation. I don't know where you're getting that information from, but most of it is wrong.
FreeRADIUS works. The scripts included with it work. The certificates it builds work. The documentation in FreeRADIUS is correct.
Why would you go reading random *wrong* documentation, and ignore the *working* and *correct* documentation in front of you?
i.e. if you're having problems with some third-party documentation, go ask *them* why their documentation doesn't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html