nick.lowe at gmail.com
Thu Sep 24 11:44:18 CEST 2015
You cannot use a wildcard certificate with Windows clients, EAPhost
does not support it.
On Thu, Sep 24, 2015 at 1:24 AM, Mason Loring Bliss <mason at blisses.org> wrote:
> Hello, all. I'm setting up freeradius-2.1.12-6.el6.x86_64 on CentOS 6, and
> I'm close to having an acceptable solution, but I've got a couple obnoxious
> issues I'm not cracking despite diligent searching.
> A broad outline: My FreeRADIUS is being used by some AeroHive wireless access
> points to authenticate against AD, and I've got that happening over Centrify
> using their winbindd stand-in. That all works fine.
> There are two problems.
> First, MacOS clients are asked to accept the certificate. It's described as
> valid, and I'm presenting an intermediate and my cert, and they're hooking
> that up to a trusted DigiCert certificate and everything is happy... Except,
> why is it asking the user to accept a cert, and especially one based on a
> root that's shipped out with every Mac? A twist is that it's a wildcard cert.
> Does that matter? I can't see anywhere in example configs, cert Makefile, or
> online searches that folks set any sort of coherent common name that must
> match. I'm not seeing where FreeRADIUS would even keep this config.
> The second issue is that Windows clients must turn off cert validation. I
> suspect that this is because the cert wasn't built with the xpextensions
> OIDs. We can get a cert that *is* built with them, but coming back to the Mac
> issue, I wonder what else I'd want to do to make an acceptable certificate.
> To potentially tie the two issues together, it's conceivable that Macs also
> want that xpextensions OID stuff, but that seems like a stretch.
> The Mac clients don't present anything on screen to match against the common
> name / subject name in the wildcard cert. We can get a cert that's not a
> wildcard and bake in the Windows-happy OIDs, but I'd really deeply like to
> craft a cert that's accepted without prompting by our Macs and that's also
> acceptable to Windows hosts. I suspect that whatever issue is making the Macs
> prompt us would also be a problem for the Windows clients, above and beyond
> the Windows clients wanting the xpextensions stuff.
> This all works if the Macs hand-approve the cert and the Windows users add a
> network that doesn't validate the cert, but it's a big environment and we
> want the stuff to work out of the box. (I've heard that best practises are to
> hand-sign certs with a local CA and make everything trust the local CA, but
> we really want to use a public CA for this.)
> Thanks in advance for help.
> Mason Loring Bliss mason at blisses.org http://blisses.org/
> "I am a brother of jackals, and a companion of ostriches." (Job 30 : 29)
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users