using SSL certs with EAP-TLS

Wouter radius at occult.nl
Sun Jul 3 16:13:17 CEST 2016


Hi All,

On 6-4-2016 09:31, Stefan Winter wrote:
>>> No. If your server certificate is from a CA, the client can verify that
>>> your server is genuine (if the client side is configured correctly to
>>> actually check CA and server name).

After days of work, I still cannot fix this 100% correctly. My client
certs (signed by StartSSL) authenticate fine in this WPA2 Enterprise setup.

What I cannot get to work is the authentication of my radius server with
iPhones running iOS 9.3.2. I keep getting the cert warning that the
domain is not trusted. Of course I can choose 'accept' after the
warning, but this is not the best...

I own the domain example.com and have a valid cert for
server.example.com signed by StartSSL with "StartCom Class 1 DV Server
CA". This cert is issued by "StartCom Certification Authority". Both the
root CA and the intermediate CA are installed on the two iPhones. All
three certs are in /etc/freeradius/certs/ . My EAP config is like this:

certdir = ${confdir}/certs
cadir = ${confdir}/certs
ca_file = /etc/freeradius/certs/both.pem
ca_path = /etc/freeradius/certs
certificate_file = /etc/freeradius/certs/server.example.com.crt
private_key_file = /etc/freeradius/certs/server.example.com.key

I have been reading posts like these:
http://lists.freeradius.org/pipermail/freeradius-users/2013-August/067987.html
and trying to make it work with only the root CA in ca_file, together
with the intermediate cert (both.pem in the listing above), and with the
cert for tommie.example.com in it... nothing helps.

Again, all is working, but I'd like to get rid of the warning! Any help?

Using FreeRADIUS on Ubuntu 14.04 with package 3.0.11-ppa2~trusty.

Thank you!
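An added check, not from the original post or from FreeRADIUS: the script below builds a throwaway root -> intermediate -> server chain with openssl and then verifies the server cert the way a supplicant does, once with the intermediate available and once without, and checks that the cert actually names the expected host. openssl(1) on PATH and every name and certificate in it are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway
# root -> intermediate -> server chain and check it the way an EAP-TLS
# supplicant does. Assumes openssl(1) on PATH; all names are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=server.example.com

# mkcert <name> <subject> <issuer|self> <x509v3 extension lines...>
mkcert() {
  name=$1 subject=$2 issuer=$3
  shift 3
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# chain_ok <trusted.pem> <leaf.pem> [untrusted.pem]: 0 if the leaf chains
# up to a cert in the trust store, 1 if not (e.g. missing intermediate).
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# host_ok <leaf.pem> <hostname>: 0 if the cert's SAN/CN names that host.
host_ok() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

CA_EXT="basicConstraints=critical,CA:TRUE"
mkcert root "/CN=Example Root CA" self "$CA_EXT" "keyUsage=critical,keyCertSign,cRLSign"
mkcert inter "/CN=Example Class 1 DV Server CA" root "$CA_EXT" "keyUsage=critical,keyCertSign,cRLSign"
mkcert server "/CN=$HOST" inter "basicConstraints=CA:FALSE" \
  "subjectAltName=DNS:$HOST" "extendedKeyUsage=serverAuth"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/both.pem"   # root + intermediate bundle
chain_ok "$WORK/root.pem" "$WORK/server.pem" || echo "leaf alone: NOT trusted (intermediate missing)"
chain_ok "$WORK/root.pem" "$WORK/server.pem" "$WORK/inter.pem" && echo "leaf + intermediate: trusted"
host_ok "$WORK/server.pem" "$HOST" && echo "leaf names $HOST: ok"
```

A supplicant that only has the root installed sees the first case unless the intermediate reaches it somehow; the hostname check is the other half of what the client must be configured to verify.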


More information about the Freeradius-Users mailing list