Problems with eap certificate and MacOS

Wed Feb 15 11:55:25 CET 2017

On 15 Feb 2017, at 10:13, Marco Scholl <mail at marco-scholl.de> wrote:
> Then i have installed our root ca as trusted for all type (eap, smime, webserver ....). When i now connect by wlan or cable to the freeradius,
> i got an server certificate error. But when i open the dialog for confirmation, i see our root ca als trusted, i see the intermediate
> as trustend and i see the radius certificate as trust!

This isn't really a FreeRADIUS question. You'll need to look in the OS logs to figure out why it's unhappy. Unless you've screwed up the certificate chain, or aren't sending the right certificates, there's probably nothing you can do on the FreeRADIUS side.

The mini-CA generated by FreeRADIUS does work out of the box, so if you're using that you've either broken the config, or the client is not working right.

Use 'openssl x509 -in cert.pem -noout -text' to compare the CA signed and your own certificate (and your root vs their root). Make sure you're using a sha256 hash, that the constraints are all correct, and the key usages are sensible. Make sure you've not set a path length shorter than your chain - things like that. 

Try removing all the certificates, rebooting and reconnecting. I've seen OS X get confused and try using credentials cached somewhere, but that have been removed from the keychain.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  