[Spam?] Re: FYI, I gave up on eap-tls for OS X and ios.

Alan DeKok aland at deployingradius.com
Sun Apr 2 23:01:39 CEST 2017

On Apr 2, 2017, at 3:45 PM, John Tobin <jtobin at po-box.esu.edu> wrote:
> This is kind of unnecessary, but:
> I would not write to this list with any problems, if I didn’t assume there
> were some people who were an authority on this list.

  Then why are you arguing with the answers you get on this list?

> I work with a number of colleagues who are also well meaning and
> knowledgeable on some of these topics.
> They forwarded to me the URL:
> https://developer.apple.com/videos/play/wwdc2016/706/
> I was only able to get the video to run on my Mac under Safari, Firefox
> and Chrome had problems, so I would recommend Safari to view it.
> It was put out last year as a security update [2016]: about 10 minutes in
> it goes over Apple's new philosophy about certificates.
> With my colleagues' expertise [this is a bit above my head] I am led to
> believe self-signed certs [that aren’t logged] will not work.
> If there is a work around for this problem or this should not affect free
> radius:
> Sure, tell me I am [once again] incorrect.

  What I said was correct.  I use a Mac to develop FreeRADIUS.  Every day I log into a WiFi network secured with EAP-TTLS, and certificates created using the methods in the FreeRADIUS source.

  ... as I said before.

> I am a part time student who is part of the helpdesk, and the default sys
> admin for a small linux lab I have built from spare parts and used
> computers for the computer science group at East Stroudsburg University.

  Which means you should pay close attention to the advice on this list, instead of ignoring it.

> I have struggled to get free radius up and running for the lab, and
> frankly don’t have time to argue with experts,

  Then why are you still arguing?  Install FreeRADIUS.  Use the certificates it creates.  It *will* work.

  Or at least... it's worked for everyone else.  Maybe your network is magic.

> I am trying to get this lab
> running. I struggled with eap-tls on apple products and gave up, that
> doesn’t mean it doesn’t work: I think that falls more along the lines of
> it wasn’t simple and took more time than I had. If that makes me less than
> competent, that’s fair.

  <shrug>  Install FreeRADIUS, create the CA / server / client certs.  The hardest part of the process is getting an Apple mobileconfig file.

> I changed the EAP profile for os x to support peap, which works.

  Then create a client cert using the same CA, and EAP-TLS will work.

> I am not
> using tls currently, that may change.
> Thanks for the opportunity to know I am not the expert you are. In future
> I may need some of your expertise, so I don’t need to make enemies.
> Humble pie has a special flavor all its own.
> Love you all. [you can smile now].

  I have no idea why people feel the need to explain how terrible FreeRADIUS is, when at the same time they're ignoring the advice we give.

  Alan DeKok.
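
The "client cert using the same CA" point from the message above, as an added example that is not part of the original e-mail and is not FreeRADIUS's own certificate tooling: a private CA issues a server and a client certificate, and a client certificate from an unrelated CA fails the chain check the RADIUS server would apply. All names, subjects, the temp-dir layout and the extendedKeyUsage values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys kept in a temp directory.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a self-signed CA (key + cert) in directory $1 with common name $2.
make_ca() {
    mkdir -p "$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=v3_ca' '[dn]' "CN=$2" '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a cert from the CA in $1: $2 = file basename, $3 = CN, $4 = EKU.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

# Succeeds only if cert $2 chains to the CA in directory $1 for purpose $3.
chains_to() {
    openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$2" >/dev/null 2>&1
}

make_ca "$work/radius" "Example RADIUS CA"
make_ca "$work/other"  "Unrelated CA"
issue_cert "$work/radius" server "radius.example.org" serverAuth
issue_cert "$work/radius" client "user@example.org"   clientAuth
issue_cert "$work/other"  client "user@example.org"   clientAuth

# The RADIUS CA is the only trust anchor, as it would be on the EAP-TLS server.
for c in radius/client other/client; do
    if chains_to "$work/radius" "$work/$c.pem" sslclient; then
        echo "$c.pem: accepted"
    else
        echo "$c.pem: rejected"
    fi
done
```
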
