Problems with eap certificate and MacOS
Hi, i have a problem EAP. I have a root ca for our company with an intermediate ca. Now i have generate an certificate for the radius server with EAP OIDs (1.3.6.1.5.5.7.3.13, 1.3.6.1.5.5.7.3.14) Then i have installed our root ca as trusted for all type (eap, smime, webserver ....). When i now connect by wlan or cable to the freeradius, i got an server certificate error. But when i open the dialog for confirmation, i see our root ca als trusted, i see the intermediate as trustend and i see the radius certificate as trust! every connect i must accept the certificate for new. anybody an idea? when i use an normal webserver certificate from a public ca the problem not exists, after i confirm the certificate on first try. greets marco
On 15 Feb 2017, at 10:13, Marco Scholl <mail@marco-scholl.de> wrote:
Then i have installed our root ca as trusted for all type (eap, smime, webserver ....). When i now connect by wlan or cable to the freeradius, i got an server certificate error. But when i open the dialog for confirmation, i see our root ca als trusted, i see the intermediate as trustend and i see the radius certificate as trust!
This isn't really a FreeRADIUS question. You'll need to look in the OS logs to figure out why it's unhappy. Unless you've screwed up the certificate chain, or aren't sending the right certificates, there's probably nothing you can do on the FreeRADIUS side. The mini-CA generated by FreeRADIUS does work out of the box, so if you're using that you've either broken the config, or the client is not working right. Use 'openssl x509 -in cert.pem -noout -text' to compare the CA signed and your own certificate (and your root vs their root). Make sure you're using a sha256 hash, that the constraints are all correct, and the key usages are sensible. Make sure you've not set a path length shorter than your chain - things like that. Try removing all the certificates, rebooting and reconnecting. I've seen OS X get confused and try using credentials cached somewhere, but that have been removed from the keychain. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Hi, i have resolve the problem by remove all certificate and some restart and a fresh installation. thanks for support. greets
Am 15.02.2017 um 11:55 schrieb Adam Bishop <Adam.Bishop@jisc.ac.uk>:
On 15 Feb 2017, at 10:13, Marco Scholl <mail@marco-scholl.de> wrote:
Then i have installed our root ca as trusted for all type (eap, smime, webserver ....). When i now connect by wlan or cable to the freeradius, i got an server certificate error. But when i open the dialog for confirmation, i see our root ca als trusted, i see the intermediate as trustend and i see the radius certificate as trust!
This isn't really a FreeRADIUS question. You'll need to look in the OS logs to figure out why it's unhappy. Unless you've screwed up the certificate chain, or aren't sending the right certificates, there's probably nothing you can do on the FreeRADIUS side.
The mini-CA generated by FreeRADIUS does work out of the box, so if you're using that you've either broken the config, or the client is not working right.
Use 'openssl x509 -in cert.pem -noout -text' to compare the CA signed and your own certificate (and your root vs their root). Make sure you're using a sha256 hash, that the constraints are all correct, and the key usages are sensible. Make sure you've not set a path length shorter than your chain - things like that.
Try removing all the certificates, rebooting and reconnecting. I've seen OS X get confused and try using credentials cached somewhere, but that have been removed from the keychain.
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I suggest to read and digest: https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+consideratio... Thanks, Nick
On 15/02/2017 10:13, Marco Scholl wrote:
Then i have installed our root ca as trusted for all type (eap, smime, webserver ....). When i now connect by wlan or cable to the freeradius, i got an server certificate error. But when i open the dialog for confirmation, i see our root ca als trusted, i see the intermediate as trustend and i see the radius certificate as trust! ... when i use an normal webserver certificate from a public ca the problem not exists, after i confirm the certificate on first try. A couple of approaches:
(1) Try authenticating with eapol_test. This will give you a good debug log and it may be clearer what's wrong (e.g. you're not returning the intermediate CA as part of the response). Compare the response with the public CA webserver certificate and with your own certificate. It might be that the chain can be validated in one case, but not the other. (2) Compare the structure of the certificates themselves: openssl x509 -in filename.pem -noout -text And of course check the usual things: you are using the right private key which corresponds to the public key in the cert; the cert has not expired; the intermediate CA is valid and signed by the right root etc. The other thing you can do for MacOS is to create a profile. Get the "Apple Configurator Utility 2" from the App store; use it to create a .mobileconfig file which includes the root certificate and the wifi settings. This allows you also to bind the expected certificate identity ("Trusted Server Certificate Names"), i.e. the commonName that you put in your RADIUS sever cert. If the end-user then installs this profile, they'll be able to connect without any prompts. Regards, Brian.
participants (4)
-
Adam Bishop -
Brian Candler -
Marco Scholl -
Nick Lowe