EAP SSL Cert "Not Trusted"

Stefan Winter stefan.winter at restena.lu
Thu Jun 15 07:52:36 CEST 2017


Hi,

> You will receive the prompt the first time a new device connects to that SSID. You should really pre-configure the clients or you’re putting the user’s credentials at risk.

Exactly. For a longer treatise on the subject:

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

(applicability not limited to eduroam)

If the OP is doing this for an eduroam installation, said
pre-configuration profiles can be built at

https://cat.eduroam.org

If this is not about eduroam, there are plenty of commercial solutions.
A freemium one is

https://802.1x-config.org

Greetings,

Stefan Winter
> 
> 
> 
> On 6/14/17, 11:39 AM, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+timc=hpe.com at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:
> 
>     On Jun 14, 2017, at 11:19 AM, Trevor Jennings <Trevor at simple101.com> wrote:
>     > 
>     > We are using Thawte which Apple devices already trust (These are more
>     > common devices on our network).
>     
>       Do not use public CA certs for WiFi authentication.  It's insecure.
>     
>       And no, the Apple devices do NOT already trust the Thawte cert for WiFi authentication.  They trust the Thawte cert for web surfing, which is entirely different.
>     
>       You need to have a mobileconfig which tells each device what the SSID is, what EAP method to use, and what CA to use.
>     
>     > Are you referring to configuration profiles that are set up on the clients?
>     
>       Yes.  You need to configure each device as I said above.
>     
>       In order to get EAP working, follow the guide at:
>     
>     http://deployingradius.com/documents/configuration/eap.html
>     
>       It WILL work.
>     
>       And yes, it involves creating your own certificates, and also installing the certificates on the clients.
>     
>       Alan DeKok.
>     
>     
>     -
>     List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
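
Added example, not part of the original mail or of any project named in it: a sketch of the kind of mobileconfig described in the quoted text, stating the SSID, the EAP method and the CA the device must trust. The payload keys are Apple configuration-profile keys; the function name, identifier, SSID, server name and CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# EAP method numbers accepted in AcceptEAPTypes (IANA EAP type registry).
EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25

def new_uuid():
    return str(uuid.uuid4()).upper()

def build_wifi_profile(ssid, ca_der, server_names, eap_types=(EAP_PEAP,),
                       org_id="org.example.wifi"):  # org_id: placeholder
    """Return .mobileconfig bytes that pin the RADIUS server's CA and name."""
    if not ca_der:
        raise ValueError("CA certificate required: without it the client "
                         "cannot verify which server receives the credentials")
    if not server_names:
        raise ValueError("at least one expected server name is required")
    ca_uuid = new_uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "WiFi RADIUS CA",
        "PayloadContent": ca_der,  # certificate bytes, written as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ssid",
        "PayloadUUID": new_uuid(),
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "PayloadCertificateAnchorUUID": [ca_uuid],   # trust only this CA
            "TLSTrustedServerNames": list(server_names),  # and only this name
            "TLSAllowTrustExceptions": False,  # no "trust anyway" prompt
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": f"WiFi {ssid}",
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)
```

Pass the bytes of your own CA certificate as ca_der and write the result to a file ending in .mobileconfig.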