Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?
Aaron Mahler
amahler at sbc.edu
Sat Jun 27 06:54:34 CEST 2009
Hello!
After getting my EAP-PEAP <-> LDAP configuration working this
evening, I turned attention to replacing the self-signed certs with
our commercial wildcard SSL certificate. This is being used
successfully on multiple servers on campus (web, email, etc).
It is issued by GoDaddy and does trace back to a valid root cert
that I've found exists by default on my OS X systems.
The same cert used on our web servers has zero problems and refers
to a GoDaddy root. Visit http://www.sbc.edu to see it firsthand.
When handed to clients via Radius for 802.1x authentication,
though, it's declared as untrusted during the sign-on process.
I've seen a few threads on here this evening exploring this very
issue (most helpfully from Dan Meyers who describes virtually my same
issue).
In his case, XP SP2 systems have an issue with it. I can't yet
confirm that, but I'm certainly running into the issue with my OS X
systems and iPhone.
I did a test run on an Ubuntu machine a bit ago, though, and it
never griped whatsoever. I entered login credentials and it hooked
right up.
As mentioned above, the cert is a wildcard and identical to the one
on our webservers. For comparison, I did a wireshark sniff against our
webserver and one of the radius exchange. The cert exchange is
identical right down to the byte count. I compared them side by side.
In both cases, the full chain from cert through intermediates
referring back to the root are being handed over to the client by both
Apache and Freeradius.
Am I safe in assuming that this is, in fact, a client side problem
in the realm of 802.1x implementation and there is nothing I can do on
the Freeradius side?
Lastly - if there is no way I'm going to get smooth use of a cert
involving an intermediate - does GeoTrust still issue root-signed
certs as mentioned recently in other posts? Anyone else offer them?
Note: I tried to get a free 30-day QuickSSL cert for testing from
GeoTrust tonight. Both attempts failed on their end (could not
complete my order at this time - no explanation as to why).
We'll be serving a large enough user base here that the certificate
trust warnings are going to be a HUGE support headache. I need it to
be seamless for the end user.
Thanks!
- Aaron
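An added check for the chain question in the post above (example script, not from the original post or from the FreeRADIUS project): it builds a throwaway root -> intermediate -> server chain with the openssl CLI, assembles the PEM bundle in the order an OpenSSL-based server such as FreeRADIUS reads from certificate_file (server cert first, then the intermediates), and confirms that each certificate is issued by the one that follows it and that the server cert validates against the root through the intermediate. The names (Example Root CA, *.example.edu) and all file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS project.
# Builds a throwaway root -> intermediate -> server chain with the openssl
# CLI (constructed names, nothing real), then checks a PEM bundle the way
# an admin would before pointing FreeRADIUS's certificate_file at it:
#   1. every cert in the bundle is issued by the cert that follows it
#      (server cert first, then intermediates), and
#   2. the server cert validates against the root via the intermediate.
# Needs: openssl, awk, grep, sed, mktemp.

# Create root, intermediate and server certs + keys in directory $1.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"

  # Self-signed root CA (constructed name)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

  # Wildcard server cert signed by the intermediate (hypothetical domain)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.edu" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# Split PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
}

# Return 0 when each certificate in bundle $1 is issued by the next one
# (server cert first, then intermediates); otherwise report the mismatch
# on stderr and return 1. A single-cert bundle trivially passes.
check_chain_order() {
  bundle=$1
  tmp=$(mktemp -d)
  split_bundle "$bundle" "$tmp"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  rc=0
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    # RFC2253 formatting so the two names compare byte-for-byte
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert-$i.pem" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert-$j.pem" | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i is issued by [$issuer] but cert $j is [$subject]: bundle out of order" >&2
      rc=1
      break
    fi
    i=$j
  done
  rm -rf "$tmp"
  return $rc
}

# Return 0 when server cert $1 chains through untrusted intermediate(s) $2
# to trusted root $3, i.e. what a client holding only the root should accept.
verify_against_root() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_test_chain "$WORK"
cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/right.pem"   # server cert first, then intermediate
cat "$WORK/int.pem" "$WORK/server.pem" > "$WORK/wrong.pem"   # intermediate first: a common mistake

if check_chain_order "$WORK/right.pem"; then echo "right.pem: chain order OK"; fi
if ! check_chain_order "$WORK/wrong.pem"; then echo "wrong.pem: chain order rejected"; fi
if verify_against_root "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem"; then
  echo "server cert verifies against the root via the intermediate"
fi
```

Run it against the real bundle by replacing right.pem with the file named in certificate_file and root.pem with the CA's published root. Passing both checks confirms the server-side half of the question: the chain is complete and well-ordered on the wire. Whether a given client then trusts the root is a matter of that client's trust store and its 802.1X supplicant, which this script cannot see.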