EAP SSL Cert "Not Trusted"
Trevor Jennings
Trevor at simple101.com
Thu Jun 15 19:42:27 CEST 2017
Thanks for the replies!
We've had EAP functioning well for the past 7-8 years and when the cert
comes up to renew, I've been asked why do we need to keep trusting the
certificate, so I am trying to find answers.
> Do not use public CA certs for WiFi authentication. It's insecure.
>
>
So you are suggesting we should be using self-signed certs instead of a
public CA?
> And no, the Apple devices do NOT already trust the Thawte cert for WiFi
> authentication. They trust the Thawte cert for web surfing, which is
> entirely different.
>
This is what I do not understand. The root certificate is the same for both
and is sent as part of the EAP process along with the server certificate. I
know this sounds like a stupid question but how are these both different?
>
> You need to have a mobileconfig which tells each device what the SSID
> is, what EAP method to use, and what CA to use.
>
> > Are you referring to configuration profiles that are set up on the
> > clients?
>
> Yes. You need to configure each device as I said above.
>
I understand this as when I receive the new certificate, I send it along to
service desk who set up profiles on staff/faculty machines that use WiFi. I
think they also may use MDM to send the profiles to mobiles, but only some
staff/faculty devices.
>
> In order to get EAP working, follow the guide at:
>
> http://deployingradius.com/documents/configuration/eap.html
>
> It WILL work.
>
> And yes, it involves creating your own certificates, and also installing
> the certificates on the clients.
>
>
It sounds like we should provide a solution to allow clients to install the
certificates.
Cheers,
- Trevor
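
An added example, not part of the original message or of the FreeRADIUS project: Python that builds the kind of Apple configuration profile the quoted reply describes (SSID, EAP method, CA), beside an unpinned variant, and a check that reports which trust settings a Wi-Fi payload lacks. The SSID, server name, payload identifiers, PEAP as the EAP method and the placeholder certificate bytes are assumptions.

```python
import plistlib
import uuid


def _payload(ptype, ident, name, **keys):
    """Common keys every profile payload carries, plus payload-specific ones."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadDisplayName": name,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}


def build_wifi_profile(ssid, ca_der, server_names, pin_ca=True):
    """Return profile bytes. pin_ca=False leaves the trust decision to the user."""
    ca = _payload("com.apple.security.root", "example.wifi.ca", "RADIUS CA",
                  PayloadContent=ca_der)  # DER bytes become <data> in the plist
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP (assumed EAP method)
    if pin_ca:
        # Trust only the CA shipped in this profile, and only these server names.
        eap["PayloadCertificateAnchorUUID"] = [ca["PayloadUUID"]]
        eap["TLSTrustedServerNames"] = list(server_names)
    wifi = _payload("com.apple.wifi.managed", "example.wifi.ssid", "Wi-Fi " + ssid,
                    SSID_STR=ssid, EncryptionType="WPA2", AutoJoin=True,
                    EAPClientConfiguration=eap)
    profile = _payload("Configuration", "example.wifi", "Campus Wi-Fi",
                       PayloadContent=[ca, wifi])
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """List the trust settings a Wi-Fi payload is missing (empty list = pinned)."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] == "com.apple.security.root"}
    problems = []
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no CA anchor")
        elif not set(anchors) <= cert_uuids:
            problems.append("anchor not in profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no trusted server name")
    return problems


# Constructed sample input: placeholder bytes standing in for the CA's DER file.
SAMPLE_CA_DER = b"0\x82\x01\x00constructed-placeholder-not-a-real-certificate"
PINNED = build_wifi_profile("ExampleSSID", SAMPLE_CA_DER, ["radius.example.org"])
UNPINNED = build_wifi_profile("ExampleSSID", SAMPLE_CA_DER, [], pin_ca=False)
```

Writing `PINNED` to a `.mobileconfig` file gives a profile that a service desk or MDM could distribute once the placeholder bytes are replaced with the real CA certificate.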