[Spam?] Re: FYI, I gave up on eap-tls for OS X and ios.

John Tobin jtobin at po-box.esu.edu
Sun Apr 2 21:45:38 CEST 2017

This is kind of unnecessary, but:

I would not write to this list with any problems, if I didn’t assume there
were some people who were an authority on this list.
I work with a number of colleagues who are also well meaning and
knowledgeable on some of these topics.

They forwarded to me the URL:

I was only able to get the video to run on my Mac under Safari; Firefox
and Chrome had problems, so I would recommend Safari to view it.
It was put out last year as a security update [2016]: about 10 minutes in
it goes over Apple’s new philosophy about certificates.
With my colleagues’ expertise [this is a bit above my head] I am led to
believe self signed certs [that aren’t logged] will not work.
If there is a work around for this problem or this should not affect free
Sure, tell me I am [once again] incorrect.

I am a part time student who is part of the helpdesk, and the default sys
admin for a small linux lab I have built from spare parts and used
computers for the computer science group at East Stroudsburg University.
I have struggled to get free radius up and running for the lab, and
frankly don’t have time to argue with experts, I am trying to get this lab
running. I struggled with eap-tls on apple products and gave up, that
doesn’t mean it doesn’t work: I think that falls more along the lines of
it wasn’t simple and took more time than I had. If that makes me less than
competent, that’s fair.

I changed the EAP profile for os x to support peap, which works. I am not
using tls currently, that may change.

Thanks for the opportunity to know I am not the expert you are. In future
I may need some of your expertise, so I don’t need to make enemies.

Humble pie has a special flavor all its own.
Love you all. [you can smile now].


On 3/30/17, 08:33, "Freeradius-Users on behalf of Alan DeKok"
<freeradius-users-bounces+jtobin=po-box.esu.edu at lists.freeradius.org on
behalf of aland at deployingradius.com> wrote:

>On Mar 29, 2017, at 7:24 PM, John Tobin <jtobin at po-box.esu.edu> wrote:
>> I have a self signed cert because [ I believe ] that is the test cert
>> get when you install radius.
>> /etc/raddb/cert has a make, you run the make for test certs.
>  Yes... we're well aware of that.
>> I have doc that suggests os x and ios will no longer allow self signed
>> certs,
>  I use a self-signed CA which issues a server cert every day with OSX
>and iOS.  I don't know what magic doc you're reading (and you don't say
>what it is).
>> and it was suggested that I should have a self signed cert for free
>> Radiusd eap-tls.
>  Who suggested it?  The test certificates (and the process used to
>create them) work on every OS.  That's why they exist... so people should
>use them.
>> The os x machines have no mods for a “homebrewed” openssl?
>  I'm not sure what you mean by that.
>  FreeRADIUS will work with the OpenSSL that's distributed with OSX.  It
>will complain about the old version, but it will work.
>> I am testing against sierra and elcapitan, and I was also told
>  By who?  And why do you believe some random document, or some random
>person instead of the experts on this list?
>> I would
>> have to get special versions of openssl for os x at those levels because
>> of problems in openssl…
>> You have to implement homebrew openssl install…..
>  I would suggest using a home-brew version of OpenSSL.  It's more up to
>date.  But it's not *required*.
>  I think a good part of the problem here is that you're reading random
>documentation.  I don't know where you're getting that information from,
>but most of it is wrong.
>  FreeRADIUS works.  The scripts included with it work.  The certificates
>it builds work.  The documentation in FreeRADIUS is correct.
>  Why would you go reading random *wrong* documentation, and ignore the
>*working* and *correct* documentation in front of you?
>  i.e. if you're having problems with some third-party documentation, go
>ask *them* why their documentation doesn't work.
>  Alan DeKok.