Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?

Alan DeKok aland at
Sat Jun 27 08:43:44 CEST 2009

Aaron Mahler wrote:
>   It is issued by GoDaddy and does trace back to a valid root cert that
> I've found exists by default on my OS X systems.

  This isn't a good idea for RADIUS systems.  It means that the 802.1X
clients will happily hand their credentials to *anyone* who has a root
signed certificate.

  For RADIUS and EAP, you should use self-signed certificates.

>   When handed to clients via Radius for 802.1x authentication, though,
> it's declared as untrusted during the sign-on process.

  That's a Mac thing...

>   I did a test run on a Ubuntu machine a bit ago, though, and it never
> griped whatsoever. I entered login credentials and it hooked right up.

  That uses wpa_supplicant, which works.  The Mac && Windows clients
use... something else.

>   Am I safe in assuming that this is, in fact, a client side problem in
> the realm of 802.1x implementation and there is nothing I can do on the
> Freeradius side?


>   We'll be serving a large enough user base here that the certificate
> trust warnings are going to be a HUGE support headache. I need it to be
> seamless for the end user.

  That will be hard.  The simplest way is to have a captive portal where
they can download the certificate.

  Alan DeKok.
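The client-side fix for the trust problem Alan describes is to stop the supplicant from consulting the OS-wide public CA store and instead pin the one CA that issued the RADIUS server certificate, plus check the server name. The following wpa_supplicant network block is an added example, not configuration from this thread or from the FreeRADIUS project; the SSID, file paths, identity and server name are placeholders I have assumed.

```conf
# Added example (not from the thread): wpa_supplicant network block that
# pins the RADIUS server's issuing CA and checks the server's name, so the
# client only completes EAP-TLS with the intended server, not with any host
# that holds a certificate chaining to some public root in the OS store.
network={
    ssid="example-wlan"                       # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"               # placeholder identity

    # Trust ONLY this CA: the self-signed CA used to issue the RADIUS
    # server certificate. Because it is not in the OS store, a certificate
    # from GoDaddy or any other public CA is rejected outright.
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"

    # Also require the server certificate's name to match, so another
    # certificate issued by the same private CA for a different host is
    # still rejected.
    domain_suffix_match="radius.example.org"

    # EAP-TLS client credentials (placeholder paths).
    client_cert="/etc/wpa_supplicant/user-cert.pem"
    private_key="/etc/wpa_supplicant/user-key.pem"
    private_key_passwd="changeme"             # placeholder passphrase
}
```

For PEAP or EAP-TTLS with username/password the same two settings, ca_cert and domain_suffix_match, carry the trust decision; only the eap= line and the client credential lines change. The ca_cert file is the one a captive portal or onboarding page would hand out, which is why distributing that single CA certificate, rather than relying on a public root, is what makes the sign-on seamless without weakening verification.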

More information about the Freeradius-Users mailing list