Alan DeKok wrote:
> Aaron Mahler wrote:
>
>> It is issued by GoDaddy and does trace back to a valid root cert that
>> I've found exists by default on my OS X systems.
>
> This isn't a good idea for RADIUS systems. It means that the 802.1X
> clients will happily hand their credentials to *anyone* who has a root
> signed certificate.
>
> For RADIUS and EAP, you should use self-signed certificates.
>
>> When handed to clients via Radius for 802.1x authentication, though,
>> it's declared as untrusted during the sign-on process.
>
> That's a Mac thing...

Mac OSX doesn't trust any Root CAs by default, even if they're preinstalled on the machine.

> [snip]
>> We'll be serving a large enough user base here that the certificate
>> trust warnings are going to be a HUGE support headache. I need it to be
>> seamless for the end user.
>
> It's not really that hard...

But if you really think you're going to have a problem, check out one of the dissolvable autoconfiguration clients like cloudpath.

Arran
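
The trust decision discussed in the quoted reply, written out as supplicant configuration. This is an added example, not part of the original thread: it assumes wpa_supplicant as the 802.1X client, and the SSID, identity, password, file paths and server name are placeholders.

```conf
# Added example: two alternative wpa_supplicant.conf network blocks.
# Use one or the other; every name and path below is a placeholder.

# Weak: the server certificate only has to chain to a public root.
# Any RADIUS server presenting a certificate issued under that root
# passes validation and is sent the inner-method credentials.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/public-root.pem"
}

# Stricter: trust only the site's own CA, which issues certificates
# to nothing but the site's RADIUS servers, and also require the
# expected server name in the presented certificate.
network={
    ssid="example-campus"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.edu"
    password="placeholder-password"
    ca_cert="/etc/wpa_supplicant/site-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
}
```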

