802.1x with GoDaddy Certificates EAP-TTLS

Alan DeKok aland at deployingradius.com
Thu Jun 29 14:41:12 UTC 2023


On Jun 29, 2023, at 10:27 AM, Torsten Wilms via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have a little question. I am not sure, but do clients need to resolve the AAA Server via DNS and need to reach the AAA Server if I use EAP-TTLS with GoDaddy x509 Certificates to verify the certificate on e.g. Mobile Devices, or does the client in any other case need to reach some endpoint to validate the certificate's common name?

  No.

> I have an AAA Server installed in a separate Network which is only reachable for the authenticator (Wireless Controller). The Clients communicate with the AccessPoint. A handful of devices like Android are not able to connect to the wireless because of a certificate validation error. The other devices have no problems. You see the certificate of the server and after accepting, the connection will be established. The AAA Server sends the full chain like RootCA, Intermediate and server certificate.
> BR. Torsten

  The supplicant has not been configured with the root CA used by the server.  This has to be done in order for the supplicant to trust the root CA.

  The EAP-TLS connection does *not* send the root CA in the certificate chain.  Even if it did, there is no reason for the supplicant to trust some random root CA it gets from a RADIUS server.

  Alan DeKok.
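For reference, here is the supplicant side of what Alan describes, as an added example that is not part of the original thread: a wpa_supplicant network block for EAP-TTLS that names a locally installed copy of the GoDaddy root as the trust anchor and binds the connection to the RADIUS server's certificate name. The SSID, file path, hostname and identities are placeholders, not values from the thread.

```conf
# Added example (not from the thread): wpa_supplicant.conf network block for EAP-TTLS.
# All values below are placeholders; replace them with your own.
network={
    ssid="CORP-WIFI"                              # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"    # outer identity, sent in the clear
    identity="user@example.org"                   # inner identity, protected by the TLS tunnel
    password="placeholder"
    phase2="auth=MSCHAPV2"

    # The root CA is not learned from the RADIUS server; the supplicant has to
    # be told which root to trust, as Alan notes. Point at the locally installed
    # GoDaddy root (path is a placeholder). Without ca_cert the supplicant has
    # no anchor against which to validate the chain the server presents.
    ca_cert="/etc/ssl/certs/godaddy-root.pem"

    # Trusting the root alone is not enough: any server certificate GoDaddy
    # issued would pass. Bind the connection to the RADIUS server's name as it
    # appears in the certificate's SubjectAltName dNSName (or CN if no dNSName
    # is present). This is compared against the presented certificate only, so
    # the client needs neither a DNS lookup nor reachability to the AAA server.
    domain_match="radius.example.org"
}
```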
