Hi Alan, Attached are the server cert (CN=wifi.remind.com), the CA cert (CN=Remind CA), and the mobileconfig file. - The CA cert is SHA256 and the server cert is SHA-1 - server cert has basic constraints CA false. CA cert has basic constraints CA true - DH key is 1024 - The server cert DOES NOT have a SubjectAltName. Do I need to do add one? I'm used to using SubjectAltName in certs for HTTPS and IMAP where you are matching the target domain, but I haven't been able to find a document that says what to put in the CN/SubjectAltName for 802.1x. I was originally going to put the SSID name as a string, but I saw a vague example of a domain name in an Apple guide where they mentioned wildcards. Any suggestions here? Thanks, -rohan On Fri, Sep 25, 2015 at 7:01 AM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
My problem with the Macs is figuring out what they do not like about the server certificate.
can you provide your server cert?
Macs will care about things like
is it SHA1 or SHA256 (and not MD5) - is the CA SHA1 or SHA256 too?
does the server cert have CA = false or can the server cert be a CA too? (CA = True) - ie no contraints
does the server cert have a Common Name and a SubjectAltName by the way?
it could be TLS negoitation failing - if the cipher method is DH-based - whats the size of your DH key - needs to be 1024bit or more
start with those
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html