Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?

Arran Cudbard-Bell a.cudbard-bell at
Sat Jun 27 10:44:39 CEST 2009

Alan DeKok wrote:
> Aaron Mahler wrote:
>>   It is issued by GoDaddy and does trace back to a valid root cert that
>> I've found exists by default on my OS X systems.
>   This isn't a good idea for RADIUS systems.  It means that the 802.1X
> clients will happily hand their credentials to *anyone* who has a root
> signed certificate.
>   For RADIUS and EAP, you should use self-signed certificates.
>>   When handed to clients via Radius for 802.1x authentication, though,
>> it's declared as untrusted during the sign-on process.
>   That's a Mac thing...
Mac OSX doesn't trust any Root CAs by default, even if they're
preinstalled on the machine.
> [snip]
>>   We'll be serving a large enough user base here that the certificate
>> trust warnings are going to be a HUGE support headache. I need it to be
>> seamless for the end user.
It's not really that hard... But if you really think you're going to
have a problem, check out one of the dissolvable autoconfiguration
clients like cloudpath.
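
The trust question raised in the quoted text above, as an added example that is not part of the original thread: a supplicant anchored only at a shared public root accepts any certificate that root issued, while one anchored at a private CA accepts only what the site itself issued. Both CAs and every name below are constructed lab values (assumptions), generated locally with the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All CAs and names are constructed.
set -u
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# mk_ca NAME: self-signed root named NAME (stands in for a CA).
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$D/$1.key" -out "$D/$1.pem" 2>/dev/null
}

# issue CA NAME: leaf certificate for NAME, signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$D/$2.key" -out "$D/$2.csr" 2>/dev/null
  openssl x509 -req -in "$D/$2.csr" -days 1 \
    -CA "$D/$1.pem" -CAkey "$D/$1.key" -CAcreateserial \
    -out "$D/$2.pem" 2>/dev/null
}

# trusts ANCHOR LEAF: succeeds when LEAF chains to ANCHOR. This is the
# only check made by a client that trusts a root and pins nothing else.
trusts() {
  openssl verify -CAfile "$D/$1.pem" "$D/$2.pem" >/dev/null 2>&1
}

mk_ca public-root                 # stands in for a commercial root
mk_ca private-ca                  # the site's own CA
issue public-root radius-public   # site's RADIUS cert bought from the public CA
issue public-root other-holder    # unrelated customer of the same public CA
issue private-ca radius-private   # site's RADIUS cert from its own CA

# Report what each trust anchor accepts.
for pair in "public-root radius-public" "public-root other-holder" \
            "private-ca radius-private" "private-ca other-holder"; do
  set -- $pair
  if trusts "$1" "$2"; then r=accepted; else r=rejected; fi
  printf 'anchor=%-12s presented=%-15s %s\n' "$1" "$2" "$r"
done
```

The second line of output is the case the quoted reply warns about: the unrelated holder's certificate is accepted under the public root and rejected under the private CA.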

