EAP + SSL + Certificate chains

Mathieu Simon mathieu.sim at gmail.com
Thu Sep 12 20:28:06 CEST 2013


2013/9/12 Brian Julin <BJulin at clarku.edu>

> > Trevor Jennings wrote:
> > [...]
> > On OSX, the certificates are marked as valid, including the root, intermediate
> > and server, but still prompts the user to accept. Is there a way around this?
>
> About the only way I can think of is to install a profile (.mobileconfig) which
> pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look
into mobileconfig signing. TERENA has a good example of how to do this for eduroam:
https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

> Reason being, if you just accept any old certificate authority any compromised
> certificate will work, and on newer OSX/iOS the only way to check the certificate
> subject for the name of your RADIUS server.

And as you mention OS X: yes, the same .mobileconfig for iOS will work for
OS X 10.7 onwards, which was quite a nice thing to know in my environment.


> [...]

> (Incidentally this is why many environments do not like having Android devices
> on their wireless LANs since they don't have any such native options accessible
> from the UI or even a decent way to distribute profiles.


At least from that side there is hope for improvement: from Android 4.3
onwards there are API calls for enterprise wireless configuration.

Maybe "someone" steps up by making an application that can manage profiles
or something like this.

> Heck they don't even fake it by making the first certificate they see sticky.

Worse... ;-)

It's up to the user to install the CA certificate on their own; even if it is
a public CA already in Android, they can't select it otherwise (!). At least
then authentication stops if you put up a server certificate not signed by
that specified CA.

The only open source provisioning tool for Android (which I believe didn't
get much traction) is SU1X for Android, made by Swansea University for eduroam.

-- Mathieu
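As an added example (not part of this thread, and not TERENA's or any project's own tooling), the following script builds the kind of unsigned .mobileconfig the thread is talking about: a certificate payload carrying the RADIUS CA, and a Wi-Fi payload whose EAP configuration anchors trust to that payload (PayloadCertificateAnchorUUID) and pins the accepted server certificate name (TLSTrustedServerNames), so the device neither prompts the user nor accepts just any certificate from a trusted CA. It also lints a profile for the two settings that matter here before you hand it to the signing step. The payload keys are the ones documented in Apple's Configuration Profile Reference; the SSID, server name, organisation prefix and the CA blob are constructed placeholders. Signing (the TERENA document above) is a separate step applied to the output file.

```python
"""Build and lint an EAP Wi-Fi .mobileconfig that pins the RADIUS CA and server name."""
import plistlib
import uuid

# Constructed placeholder standing in for the DER-encoded CA certificate.
# In real use: ca_der = open("ca.der", "rb").read()  (PEM -> DER: openssl x509 -outform der)
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# Assumed organisation prefix for PayloadIdentifier values (any reverse-DNS string works).
ORG_ID = "edu.example.wifi"

EAP_PEAP, EAP_TTLS, EAP_TLS = 25, 21, 13   # EAP method numbers used in AcceptEAPTypes


def build_eap_profile(ssid, ca_der, trusted_server_names, eap_types=(EAP_PEAP,), org_id=ORG_ID):
    """Return an unsigned .mobileconfig (XML plist bytes) with two payloads:
    the CA certificate, and a Wi-Fi payload whose EAP configuration anchors
    trust to that CA (PayloadCertificateAnchorUUID) and restricts the accepted
    server certificate names (TLSTrustedServerNames)."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()

    cert_payload = {
        "PayloadType": "com.apple.security.root",   # DER-encoded root CA
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA certificate",
        "PayloadContent": ca_der,                    # serialised as <data>
    }
    eap = {
        "AcceptEAPTypes": list(eap_types),
        "PayloadCertificateAnchorUUID": [ca_uuid],   # trust only this CA for the EAP server cert
        "TLSTrustedServerNames": list(trusted_server_names),  # and only these subject names
    }
    if EAP_TTLS in eap_types:
        eap["TTLSInnerAuthentication"] = "MSCHAPv2"
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.profile",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": f"{ssid} enterprise Wi-Fi",
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}


def check_profile(profile_bytes):
    """Lint a profile before signing/deploying. The 'problems' list is empty
    only when every Wi-Fi payload anchors trust to a certificate payload carried
    in the same profile and pins at least one server name."""
    plist = plistlib.loads(profile_bytes)
    payloads = plist.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    problems = []
    for w in wifi:
        ssid = w.get("SSID_STR", "?")
        eap = w.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(f"{ssid}: no PayloadCertificateAnchorUUID, user will be prompted to trust the server certificate")
        for a in anchors:
            if a not in cert_uuids:
                problems.append(f"{ssid}: anchor {a} does not match any certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: no TLSTrustedServerNames, server certificate name is not pinned")
    return {"wifi_payloads": len(wifi), "cert_payloads": len(cert_uuids), "problems": problems}


if __name__ == "__main__":
    profile = build_eap_profile("eduroam", SAMPLE_CA_DER, ["radius.example.edu"])
    print(check_profile(profile))
    with open("eduroam-unsigned.mobileconfig", "wb") as f:
        f.write(profile)
```

The output file is what you then sign (the TERENA page walks through that); run check_profile on any profile you are about to sign, since a profile that installs the CA but omits TLSTrustedServerNames still lets any server certificate issued by that CA authenticate the network.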