Aaron Mahler wrote:
> It is issued by GoDaddy and does trace back to a valid root cert that
> I've found exists by default on my OS X systems.

This isn't a good idea for RADIUS systems. It means that the 802.1X clients will happily hand their credentials to *anyone* who has a root signed certificate. For RADIUS and EAP, you should use self-signed certificates.

> When handed to clients via Radius for 802.1x authentication, though,
> it's declared as untrusted during the sign-on process.

That's a Mac thing...

> I did a test run on a Ubuntu machine a bit ago, though, and it never
> griped whatsoever. I entered login credentials and it hooked right up.

That uses wpa_supplicant, which works. The Mac && Windows clients use... something else.

> Am I safe in assuming that this is, in fact, a client side problem in
> the realm of 802.1x implementation and there is nothing I can do on the
> Freeradius side?

Yes.

> We'll be serving a large enough user base here that the certificate
> trust warnings are going to be a HUGE support headache. I need it to be
> seamless for the end user.

That will be hard. The simplest way is to have a captive portal where they can download the certificate.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
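Added example, not part of the original thread: a small audit of a wpa_supplicant configuration for the trust problem discussed above. wpa_supplicant does not verify the RADIUS server certificate when neither `ca_cert` nor `ca_path` is set, and with only a CA set it accepts any server certificate issued under that CA. The sample configuration, SSIDs, paths and host name are constructed for illustration.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="no-validation"
    key_mgmt=WPA-EAP
}
network={
    ssid="public-ca-only"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
network={
    ssid="pinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
network={
    ssid="home-psk"
    key_mgmt=WPA-PSK
}
'''
# wpa_supplicant options that constrain the server certificate's name.
NAME_CHECKS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map ssid -> finding for each 802.1X (EAP) network in the config."""
    findings = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK networks involve no RADIUS server certificate
        if not {"ca_cert", "ca_path"} & net.keys():
            findings[net["ssid"]] = "server certificate not verified"
        elif not NAME_CHECKS & net.keys():
            findings[net["ssid"]] = "any certificate under the CA accepted"
        else:
            findings[net["ssid"]] = "ok"
    return findings
```

Calling `audit(SAMPLE_CONF)` flags the first two networks and passes the one that pins both a private CA file and a server name.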

