802.1x with GoDaddy Certificates EAP-TTLS

Torsten Wilms T.Wilms at m3connect.de
Thu Jun 29 14:53:06 UTC 2023


Ok. But we use a GoDaddy G2 certificate. And the supplicant must have the root CA, because if not, the device would not be able to validate any GoDaddy certificate in the browser SSL connection. Or am I thinking wrong?
>
> I have a little question. I am not sure, but do clients need to resolve the AAA Server via DNS and need to reach the AAA Server if I use EAP-TTLS with GoDaddy x509 Certificates to verify the certificate on e.g. Mobile Devices, or does the client need in any other case to reach some endpoint to validate the certificate's common name?

  No.

> I have an AAA Server installed in a separate Network which is only reachable for the authenticator (Wireless Controller). The Clients communicate with the AccessPoint. A handful of devices like Android are not able to connect to the wireless because of a certificate validation error. The other devices have no problems. You see the certificate of the server and after accept, the connection will be established. The AAA Server sends the full chain like RootCA, Intermediate and server certificate.
> BR. Torsten

  The supplicant has not been configured with the root CA used by the server.  This has to be done in order for the supplicant to trust the root CA.

  The EAP-TLS connection does *not* send the root CA in the certificate chain.  Even if it did, there is no reason for the supplicant to trust some random root CA it gets from a RADIUS server.

  Alan DeKok.
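As an added illustration of the point made above (not part of the thread, and not a FreeRADIUS example), here are two wpa_supplicant network blocks for the same EAP-TTLS SSID: one without a pinned root CA, which matches the "see the certificate, then accept" behaviour described in the thread, and one that points `ca_cert` at the locally installed root and binds the server name with `domain_match`. The SSID, identity, password, file path and server name are placeholders.

```conf
# Added example, not from the mailing-list thread. SSID, identity,
# password, CA file path and RADIUS server name are placeholders.

# Weak: no ca_cert. wpa_supplicant documents that when ca_cert is not
# set the server certificate is not verified, so any RADIUS server
# presenting any certificate is accepted. Use only one of these blocks.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the root CA that issued the RADIUS server's certificate.
# The root is not delivered in the EAP certificate chain, so it has to be
# installed on the supplicant itself; the intermediate and server
# certificates still come from the server during the TLS handshake.
# domain_match requires the server certificate's name to match exactly.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-root-ca.pem"
    domain_match="radius.example.com"
}
```

The file referenced by `ca_cert` only needs to contain the root certificate (not the full chain), which is exactly the piece the thread says the supplicant must already have; without it, the chain sent by the RADIUS server cannot be validated, whatever public CA issued it.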
