EAP SSL Cert "Not Trusted"

Trevor Jennings Trevor at simple101.com
Thu Jun 15 19:43:49 CEST 2017


Thanks for those links Stefan.

We do have both eduroam and our own internal auth.

Cheers,

 - Trevor


On Thu, Jun 15, 2017 at 1:52 AM, Stefan Winter <stefan.winter at restena.lu>
wrote:

> Hi,
>
> > You will receive the prompt the first time a new device connects to that SSID. You should really pre-configure the clients or you’re putting the user’s credentials at risk.
>
> Exactly. For a longer treatise on the subject:
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>
> (applicability not limited to eduroam)
>
> If the OP is doing this for an eduroam installation, said
> pre-configuration profiles can be built at
>
> https://cat.eduroam.org
>
> If this is not about eduroam, there are plenty of commercial solutions.
> A freemium one is
>
> https://802.1x-config.org
>
> Greetings,
>
> Stefan Winter
> >
> >
> >
> > On 6/14/17, 11:39 AM, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+timc=hpe.com at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:
> >
> >     On Jun 14, 2017, at 11:19 AM, Trevor Jennings <Trevor at simple101.com> wrote:
> >     >
> >     > We are using Thawte which Apple devices already trust (These are more
> >     > common devices on our network).
> >
> >       Do not use public CA certs for WiFi authentication.  It's insecure.
> >
> >       And no, the Apple devices do NOT already trust the Thawte cert for WiFi authentication.  They trust the Thawte cert for web surfing, which is entirely different.
> >
> >       You need to have a mobileconfig which tells each device what the SSID is, what EAP method to use, and what CA to use.
> >
> >     > Are you referring to configuration profiles that are set up on the clients?
> >
> >       Yes.  You need to configure each device as I said above.
> >
> >       In order to get EAP working, follow the guide at:
> >
> >     http://deployingradius.com/documents/configuration/eap.html
> >
> >       It WILL work.
> >
> >       And yes, it involves creating your own certificates, and also installing the certificates on the clients.
> >
> >       Alan DeKok.
> >
> >
> >     -
> >     List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
> >
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 2, avenue de l'Université
> L-4365 Esch-sur-Alzette
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
> recipient's key is known to me
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
>
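
The profile described in the quoted advice above (one that tells the device the SSID, the EAP method and the CA), sketched as an added example that is not part of the original thread and not FreeRADIUS or Apple code. The SSID, server name, identifiers and CA bytes are constructed placeholders, PEAP is an assumed choice of method, and the second function checks that a profile really pins both a CA and a server name.

```python
import plistlib
import uuid

PEAP = 25  # EAP type number (13 = EAP-TLS, 21 = EAP-TTLS)
SAMPLE_CA_DER = b"constructed placeholder, not a real certificate"

def base_payload(ptype, ident, name):
    # Keys every configuration-profile payload carries.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name}

def build_wifi_profile(ssid, ca_der, server_names, org_id, eap_types=(PEAP,)):
    """Return .mobileconfig bytes that bind one SSID to a private CA and server name."""
    ca = base_payload("com.apple.security.root", f"{org_id}.wifi.ca", "Private RADIUS CA")
    ca["PayloadContent"] = ca_der  # DER bytes of your own CA certificate
    wifi = base_payload("com.apple.wifi.managed", f"{org_id}.wifi.net", ssid)
    wifi.update({
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),                    # which EAP method
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # which CA to trust
            "TLSTrustedServerNames": list(server_names),          # which server name
        },
    })
    profile = base_payload("Configuration", f"{org_id}.wifi", f"{ssid} Wi-Fi")
    profile["PayloadContent"] = [ca, wifi]
    return plistlib.dumps(profile)

def unpinned_wifi_payloads(profile_bytes):
    """Return SSIDs whose EAP settings lack a bundled CA anchor or a server name."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads
             if p["PayloadType"] == "com.apple.security.root"}
    bad = []
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        # An anchor must exist and must point at a certificate shipped in this profile.
        if not (anchors and anchors <= certs and eap.get("TLSTrustedServerNames")):
            bad.append(p["SSID_STR"])
    return bad

if __name__ == "__main__":
    data = build_wifi_profile("ExampleCorp", SAMPLE_CA_DER,
                              ["radius.example.org"], "org.example")
    print(unpinned_wifi_payloads(data))
```

With a real CA certificate in place of the placeholder bytes, the output of `build_wifi_profile` is what gets written to a `.mobileconfig` file and installed on each device.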

