If people are having issues with iOS and OSX getting online, you should check out Apples new guidelines: https://support.apple.com/en-ca/HT210176 Even if your certificates meet those criteria, they *might* still be rejected. If so, you should do some tests with the "example.com" certificates that the server builds in raddb/certs. Use a test machine (not the production RADIUS server!) and figure out if the certificates are accepted by iOS. If so, then you may have to get new production certificates which more closely match the test ones. iOS and OSX are "black boxes", and do NOT give useful information as to why they rejected the certificate. If they did, it would be a simple matter to fix the offending field. Instead, Apple punishes everyone for their own laziness. :( Alan DeKok.
It was my understanding the TLS certificate "825 day" and now "~390 day" requirement was for safari only, not for the .1x supplicant On Wed, Feb 26, 2020 at 11:58 AM Alan DeKok <aland@deployingradius.com> wrote:
If people are having issues with iOS and OSX getting online, you should check out Apples new guidelines:
https://support.apple.com/en-ca/HT210176
Even if your certificates meet those criteria, they *might* still be rejected. If so, you should do some tests with the "example.com" certificates that the server builds in raddb/certs. Use a test machine (not the production RADIUS server!) and figure out if the certificates are accepted by iOS.
If so, then you may have to get new production certificates which more closely match the test ones.
iOS and OSX are "black boxes", and do NOT give useful information as to why they rejected the certificate. If they did, it would be a simple matter to fix the offending field.
Instead, Apple punishes everyone for their own laziness. :(
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu
I just successfully tested a 10-year self-signed cert for with iOS and OS X. On Wed, Feb 26, 2020 at 1:34 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 26, 2020, at 1:25 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
It was my understanding the TLS certificate "825 day" and now "~390 day" requirement was for safari only, not for the .1x supplicant
It's for *all* TLS certificate checks.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu
On Feb 26, 2020, at 1:42 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I just successfully tested a 10-year self-signed cert for with iOS and OS X.
If it works... The issue is that the only recommendation we have is to follow that documentation. And people *have* run into issues when their certificates do not match those requirements. Alan DeKok.
participants (2)
-
Alan DeKok -
Munroe Sollog