using SSL certs with EAP-TLS

Wouter radius at
Sun Jul 3 16:13:17 CEST 2016

Hi All,

On 6-4-2016 09:31, Stefan Winter wrote:
>>> No. If your server certificate is from a CA, the client can verify that
>>> your server is genuine (if the client side is configured correctly to
>>> actually check CA and server name).

After days of work, I still cannot fix this 100% correctly. My client
certs -signed by StartSSL- authenticate fine in this WPA2 Enterprise setup.

What I cannot get to work is the authentication of my radius server with
iPhones running iOS 9.3.2. I keep getting the cert warning that the
domain is not trusted. Of course I can choose 'accept' after the
warning, but this is not the best...

I own the domain and have a valid cert for signed by StartSSL with "StartCom Class 1 DV Server
CA". This cert is issued by "StartCom Certification Authority". Both the
root CA and the intermediate CA are installed on the two iPhones. All
three certs are in /etc/freeradius/certs/ . My EAP config is like this:

certdir = ${confdir}/certs
cadir = ${confdir}/certs
ca_file = /etc/freeradius/certs/both.pem
ca_path = /etc/freeradius/certs
certificate_file = /etc/freeradius/certs/
private_key_file = /etc/freeradius/certs/

I have been reading posts like these:
and trying to make it work with only the root CA in ca_file, together
(both.pem in the listing above) with the intermediate cert, with the
cert for in it.. nothing helps.

Again, all is working, but I'd like to get rid of the warning! Any help?

Using FreeRADIUS on Ubuntu 14.04 with package 3.0.11-ppa2~trusty.

Thank you!
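
The quoted reply says a client checks two things: the CA chain and the server name. The following is an added example, not part of the original post and not FreeRADIUS project code, that runs both checks with `openssl verify` on a constructed root, intermediate and server chain. The name radius.example.org and all file names are placeholders.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# radius.example.org and every file name here are placeholders (assumptions).

build_demo_pki() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
      '[srv]' 'subjectAltName=DNS:radius.example.org' > ext.cnf
    for n in root inter server; do  # one key and CSR per tier
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null || exit 1
    done
    # Self-signed root, root-signed intermediate, intermediate-signed server.
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 2 -extfile ext.cnf -extensions ca \
      -out inter.pem 2>/dev/null &&
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -extfile ext.cnf -extensions srv \
      -out server.pem 2>/dev/null
  )
}

# chain_ok DIR [extra "openssl verify" options]
# True only when server.pem verifies against the root as sole trust anchor.
chain_ok() {
  d=$1; shift
  openssl verify -CAfile "$d/root.pem" "$@" "$d/server.pem" 2>&1 |
    grep -q ': OK$'
}

DEMO=$(mktemp -d) || exit 1
build_demo_pki "$DEMO" || exit 1
show() {  # print one labelled result line
  label=$1; shift
  if chain_ok "$DEMO" "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}
show "root only, intermediate not supplied"
show "root plus intermediate" -untrusted "$DEMO/inter.pem"
show "expected server name" -untrusted "$DEMO/inter.pem" \
  -verify_hostname radius.example.org
show "different server name" -untrusted "$DEMO/inter.pem" \
  -verify_hostname other.example.org
```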
