802.1x with GoDaddy Certificates EAP-TTLS

Torsten Wilms T.Wilms at m3connect.de
Thu Jun 29 14:58:22 UTC 2023


The idea behind using a public certificate is that anyone can connect to the WLAN without a certificate error if the username and password are correct



Ok. But we use a GoDaddy  G2 certificate. And the supplicant must have the root CA, because if not, the device would not to be able to validate any GoDaddy certificate in the browser ssl connection. Or am I thinking wrong?
>
> I have a little question. I am not sure but does clients need to resolve AAA Server via DNS and need to reach AAA Server if I use EAP-TTLS with GoDaddy x509 Certificates to verify the certificate on e.g. Mobile Devices or does the client need in any other case to reach some endpoint to validate the certificates common name?

  No.

> I have a AAA Server in a separate Network installed which is only reachable for the authenticator (Wireless Controller). The Clients communicate with the AccessPoint. A hand full devices like Android are not able to connect the wireless because of certificate validation error. The other devices has no problems. You see the certificate of the server and after accept, the connection will be established. The AAA Server sends the full chain like RootCA, Intermediate and server certificate.
> BR. Torsten

  The supplicant has not been configured with the root CA used by the server.  This has to be done in order for the supplicant to trust the root CA.

  The EAP-TLS connection does *not* send the root CA in the certificate chain.  Even if it did, there is no reason for the supplicant to trust some random root CA it gets from a RADIUS server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list