Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Sat Jun 27 10:44:39 CEST 2009


Alan DeKok wrote:
> Aaron Mahler wrote:
>   
>>   It is issued by GoDaddy and does trace back to a valid root cert that
>> I've found exists by default on my OS X systems.
>>     
>
>   This isn't a good idea for RADIUS systems.  It means that the 802.1X
> clients will happily hand their credentials to *anyone* who has a root
> signed certificate.
>
>   For RADIUS and EAP, you should use self-signed certificates.
>
>   
>>   When handed to clients via Radius for 802.1x authentication, though,
>> it's declared as untrusted during the sign-on process.
>>     
>
>   That's a Mac thing...
>   
Mac OS X doesn't trust any Root CAs by default, even if they're
preinstalled on the machine.
> [snip]
>>   We'll be serving a large enough user base here that the certificate
>> trust warnings are going to be a HUGE support headache. I need it to be
>> seamless for the end user.
>>     
>
>   
It's not really that hard... But if you really think you're going to
have a problem, check out one of the dissolvable autoconfiguration
clients like Cloudpath.

Arran
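The trust-anchor point Alan makes above, shown as an added supplicant configuration that is not part of the thread: the first network block accepts any RADIUS server whose certificate chains to a public root, the second pins the organisation's own CA and checks the server name. wpa_supplicant syntax is assumed purely for illustration (the thread's clients are Mac OS X), and all paths, SSIDs and names are placeholders.

```conf
# Added example, not from the thread. wpa_supplicant.conf network blocks,
# assumed as the supplicant for illustration; paths and names are placeholders.

# WEAK: trusting the OS public root store. Any RADIUS server that presents a
# certificate from *any* public CA passes the server check, so a rogue access
# point with a legitimately purchased certificate completes the handshake and,
# with password-based inner methods, is handed the user's credentials.
network={
    ssid="example-corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # no server name check: every public root is an acceptable issuer
}

# HARDENED: pin the private (self-signed) CA that issued the RADIUS server's
# certificate and require the server name to match, so only the organisation's
# own RADIUS server can complete the EAP exchange.
network={
    ssid="example-corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.org"
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
    ca_cert="/etc/wpa_supplicant/example-corp-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```

The same two settings (a single trusted CA plus a server-name match) are what a managed profile pushed to Mac OS X clients should carry, which is also what removes the trust prompt Aaron describes.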
