Problems with eap certificate and MacOS

Brian Candler b.candler at pobox.com
Wed Feb 15 14:16:43 CET 2017


On 15/02/2017 10:13, Marco Scholl wrote:
> Then I have installed our root CA as trusted for all types (EAP, S/MIME, webserver ....). When I now connect by WLAN or cable to the FreeRADIUS,
> I got a server certificate error. But when I open the dialog for confirmation, I see our root CA as trusted, I see the intermediate
> as trusted and I see the radius certificate as trusted!
> ...
> when I use a normal webserver certificate from a public CA the problem does not exist, after I confirm the certificate on first try.
A couple of approaches:

(1) Try authenticating with eapol_test. This will give you a good debug 
log and it may be clearer what's wrong (e.g. you're not returning the 
intermediate CA as part of the response).

Compare the response with the public CA webserver certificate and with 
your own certificate.

It might be that the chain can be validated in one case, but not the other.

(2) Compare the structure of the certificates themselves:

openssl x509 -in filename.pem -noout -text

And of course check the usual things: you are using the right private 
key which corresponds to the public key in the cert; the cert has not 
expired; the intermediate CA is valid and signed by the right root etc.

The other thing you can do for MacOS is to create a profile. Get the 
"Apple Configurator Utility 2" from the App Store; use it to create a 
.mobileconfig file which includes the root certificate and the wifi 
settings. This allows you also to bind the expected certificate identity 
("Trusted Server Certificate Names"), i.e. the commonName that you put 
in your RADIUS server cert.

If the end-user then installs this profile, they'll be able to connect 
without any prompts.

Regards,

Brian.
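The "usual things" from point (2) above, as an added shell example that is not part of Brian's reply or of FreeRADIUS: it assumes a chain file laid out the way FreeRADIUS' certificate_file expects (server certificate first, then the intermediate CA) and uses only openssl to confirm that the private key matches the certificate, that the certificate has not expired, and that the chain validates to the root using only the intermediates the server would actually send.

```shell
#!/bin/sh
# Added example, not from the original thread or FreeRADIUS. Assumes the
# chain file is laid out as FreeRADIUS' certificate_file expects: the
# server certificate first, followed by the intermediate CA certificate(s).
# Usage: check_radius_chain ROOT_CA.pem CHAIN.pem SERVER.key
# Prints each failing check and returns 0 only when all checks pass.
check_radius_chain() {
    root=$1; chain=$2; key=$3; status=0

    # 1. The private key must belong to the server certificate: compare the
    #    public key (SubjectPublicKeyInfo PEM) taken from each side.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the server certificate"
        status=1
    fi

    # 2. The server certificate (first in the chain file) must still be valid.
    if ! openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: server certificate has expired"
        status=1
    fi

    # 3. Build the path with only the certificates the chain file carries,
    #    trusting nothing but the root. A supplicant that trusts just the
    #    root sees the same thing, so a missing intermediate shows up here.
    if ! openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1; then
        echo "FAIL: chain does not validate to the root (intermediate missing or wrong?)"
        status=1
    fi

    # For reference: the subject whose CN goes into the profile's
    # "Trusted Server Certificate Names".
    openssl x509 -in "$chain" -noout -subject 2>/dev/null
    return $status
}
```

Run it once against the chain file as deployed and once against the server certificate alone; the second run failing at check 3 is exactly the "intermediate not returned" symptom from point (1).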



More information about the Freeradius-Users mailing list