EAP SSL Cert "Not Trusted"

Trevor Jennings Trevor at simple101.com
Thu Jun 15 19:42:27 CEST 2017

Thanks for the replies!

We've had EAP functioning well for the past 7-8 years and when the cert
comes up to renew, I've been asked why do we need to keep trusting the
certificate, so I am trying to find answers.

>   Do not use public CA certs for WiFi authentication.  It's insecure.
So you are suggesting we should be using self signed certs instead of a
public CA?

>   And no, the Apple devices do NOT already trust the Thawte cert for WiFi
> authentication.  They trust the Thawte cert for web surfing, which is
> entirely different.

This is what I do not understand. The root certificate is the same for both
and is sent as part of the EAP process along with the server certificate. I
know this sounds like a stupid question but how are these both different?

>   You need to have a mobileconfig which tells each device what the SSID
> is, what EAP method to use, and what CA to use.
> > Are you referring to configuration profiles that are setup on the
> clients?
>   Yes.  You need to configure each device as I said above.

I understand this as when I receive the new certificate, I send it along to
service desk who setup profiles on staff/faculty machines that use WiFi. I
think they also may use MDM to send the profiles to mobiles, but only some
staff/faculty devices.

>   In order to get EAP working, follow the guide at:
> http://deployingradius.com/documents/configuration/eap.html
>   It WILL work.
>   And yes, it involves creating your own certificates, and also installing
> the certificates on the clients.
It sounds like we should provide a solution to allow clients to install the


 - Trevor

More information about the Freeradius-Users mailing list