Hello!
After getting my EAP-PEAP <-> LDAP configuration working this evening, I turned my attention to replacing the self-signed certs with our commercial wildcard SSL certificate. This is being used successfully on multiple servers on campus (web, email, etc.).
It is issued by GoDaddy and does trace back to a valid root cert that I've found exists by default on my OS X systems.
The same cert used on our web servers has zero problems and refers to a GoDaddy root. Visit http://www.sbc.edu to see it firsthand.
When handed to clients via RADIUS for 802.1x authentication, though, it's declared as untrusted during the sign-on process.
I've seen a few threads on here this evening exploring this very issue (most helpfully from Dan Meyers who describes virtually my same issue).
In his case, XP SP2 systems have an issue with it. I can't yet confirm that, but I'm certainly running into the issue with my OS X systems and iPhone.
I did a test run on an Ubuntu machine a bit ago, though, and it never griped whatsoever. I entered login credentials and it hooked right up.
As mentioned above, the cert is a wildcard and identical to the one on our webservers. For comparison, I did a Wireshark sniff against our webserver and one of the RADIUS exchange. The cert exchange is identical right down to the byte count. I compared them side by side. In both cases, the full chain from cert through intermediates referring back to the root is being handed over to the client by both Apache and FreeRADIUS.
Am I safe in assuming that this is, in fact, a client-side problem in the realm of 802.1x implementation and there is nothing I can do on the FreeRADIUS side?
Lastly - if there is no way I'm going to get smooth use of a cert involving an intermediate - does GeoTrust still issue root-signed certs as mentioned recently in other posts? Anyone else offer them?
Note: I tried to get a free 30-day QuickSSL cert for testing from GeoTrust tonight. Both attempts failed on their end (could not complete my order at this time - no explanation as to why).
We'll be serving a large enough user base here that the certificate trust warnings are going to be a HUGE support headache. I need it to be seamless for the end user.
Thanks!
- Aaron

