Hi,

> We are trying to set up eap for different mobile devices. We don't need
> certificates for each user, we want to authorize against the radius with
> username and password only.
>
> With self signed certificates it's working if the mobile devices install
> the root ca certificate.
>
> We tried several 3rd party certificates: StartSSL, united ssl, godaddy,
> test certificates from thawte.
>
> Apple and windows clients are claiming, that the certificate is not
> trusted.
>
> Has anybody a working solution with 3rd party certificates and can tell
> us which certificate could be used and what needs to be configured in
> eap.conf?

You should be aware that the "trusted" status of a CA is completely independent in browsers vs. for EAP. Browsers have a (large|too large) set of CAs which they consider trusted. EAP supplicants typically trust NO CA unless explicitly configured to.

In the Windows case, the supplicant will trust the 3rd party certs just fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration whether you use a self-signed CA or not; merely the actual import of the certificate file can be omitted if the CA is shipped.

I.e. you don't gain a lot, and spend more money when using a "trusted" CA, so in the vast majority of cases, it is the wiser way to use a self-signed CA.

Greetings,

Stefan Winter

> Kind Regards
>
> Uwe
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
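
The self-signed CA route recommended in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS project code: it creates a private root CA, issues a RADIUS server certificate from it, and checks the certificate the way a supplicant does, against only the CA it was configured with. The host name, organisation name, file names and lifetimes are assumptions.

```sh
#!/bin/sh
# Added example; names, paths and lifetimes below are constructed placeholders.

# make_ca DIR: write a self-signed root CA (ca.key, ca.pem) into DIR.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Org EAP Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_server_cert DIR FQDN: issue server.pem/server.key for the RADIUS server
# (the files eap.conf's tls section names as certificate_file/private_key_file).
# Windows supplicants expect the serverAuth EKU on the server certificate.
make_server_cert() {
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$2" > "$1/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
        -subj "/O=Example Org/CN=$2" -keyout "$1/server.key" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$1/server.ext" \
        -out "$1/server.pem" 2>/dev/null
}

# supplicant_accepts CA_PEM SERVER_PEM: succeed only if SERVER_PEM chains to the
# one CA the client was configured with and is usable as a TLS server cert.
supplicant_accepts() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo in a scratch directory (removed afterwards).
d=$(mktemp -d) && make_ca "$d" && make_server_cert "$d" radius.example.org &&
    supplicant_accepts "$d/ca.pem" "$d/server.pem" && echo "accepted: private CA configured"
rm -rf "$d"
```

Only ca.pem is distributed to the clients; ca.key stays offline and server.key stays on the RADIUS server.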

