You should ask the Microsoft EAP team about this. I am sure they will be able to shed some light, at least for the MS side.
Remember, the whole 802.1X process is usually tied to a private PKI infrastructure. Using certificates signed by a public CA is an edge case, and this practice is usually NOT recommended :)

Francois

On 2013-02-06 12:02 PM, Derek Wuelfrath wrote:
> François! Good to hear from you ;) Was almost sure you'd be the one
> answering this mail!
>
> On another note, we try to avoid having to configure stuff on the client
> computer. Since we're using a "valid SSL cert" we don't want end-users to
> accept, check, add certs on their side.
>
> On 2013-02-06 10:13 AM, Francois Gaudreault wrote:
>> Ahhh! I remember those issues :P
>>
>> Did you try (on windows) to add the chain into the system/computer
>> keystore, not only the user keystore?
>>
>> Browsers are able, using OCSP, to follow the chain, and grab the certs
>> on the Internet if needed. That's why the OCSP proxy config has been
>> added to the httpd config in PF 3.5ish.
>>
>> Francois
>>
>> On 2013-02-05 10:14 AM, Derek Wuelfrath wrote:
>>> EHLO list!
>>>
>>> Currently running into an "issue" and want to gather some insight to
>>> understand if it is actually a real "issue" or the normal workflow.
>>> Here's the situation:
>>>
>>> By running PacketFence/FreeRADIUS on a secure SSID using PEAP with a valid
>>> SSL certificate signed by RapidSSL, we encounter the strange behavior
>>> that each client (Microsoft Windows, Apple OSX, Apple iOS) actually
>>> prompts the end user to accept/validate the certificate, stating that this
>>> certificate is signed by a known authority but actually can't be
>>> "verified". We tried to send the whole chain right into the certificate,
>>> send the chain with the CA_file FreeRADIUS parameter; nothing actually
>>> "solves the issue".
>>>
>>> On the other hand, when reaching the captive portal (which is using the
>>> exact same certificate with chain file), the browsers are not
>>> complaining and it seems like a valid SSL certificate.
>>>
>>> I'm wondering if it is now a "normal workflow" when connecting to a PEAP
>>> secured SSID to ask the end user to accept/validate the chained certificate?
>>>
>>> Any insight, tricks, ideas are more than welcome.
>>>
>>> Thanks!
>>>
>>> Derek
>>>
>> ------------------------------------------------------------------------------
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013
>> and get the hardware for free! Learn more.
>> http://p.sf.net/sfu/sophos-d2d-feb
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
[email protected]
514-629-6775 - - -
CloudOps
420 rue Guy
Montréal QC H3J 1S6
www.cloudops.com
@CloudOps_
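The "signed by a known authority but can't be verified" symptom Derek describes is what a validator reports when it holds the trusted root but is not handed the intermediate, and, unlike a browser, an EAP supplicant cannot fetch that intermediate over a network it has not joined yet. The script below is an added example, not code from the thread or from PacketFence/FreeRADIUS: it builds a constructed three-tier chain with the openssl CLI (assumed installed, 1.1.1 or 3.x) and checks the server leaf both alone and together with its intermediate, which is what concatenating the chain into the certificate file served by the RADIUS server gives the client.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "signed by a known
# authority but can't be verified" symptom with a constructed 3-tier chain
# (root -> intermediate -> RADIUS server leaf), as a public CA like RapidSSL
# would issue. Assumes the openssl CLI (1.1.1 or 3.x) is installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA, standing in for the public root the clients trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 3650 2>/dev/null

# 2. Intermediate CA, signed by the root. This is the certificate a
#    supplicant cannot fetch on its own before it is on the network.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile int.ext -out int.pem 2>/dev/null

# 3. RADIUS server certificate, signed by the intermediate, with the
#    serverAuth EKU that supplicants check on the server side.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=radius.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 825 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain ROOT LEAF [INTERMEDIATE]: validate LEAF against the trusted
# ROOT using only the certificates supplied, the way a supplicant does.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# What the client sees when the server sends only its own certificate.
leaf_only() { verify_chain root.pem leaf.pem; }
# What it sees when the server also sends the intermediate, i.e. when the
# chain is concatenated into the certificate file the RADIUS server serves.
leaf_with_chain() { verify_chain root.pem leaf.pem int.pem; }

if leaf_only; then echo "leaf alone: verified"; else echo "leaf alone: FAILS (issuer unknown)"; fi
if leaf_with_chain; then echo "leaf + intermediate: verified"; fi
```

The same two checks can be run against a real deployment by pointing verify_chain at the operator's root, the RADIUS server certificate and the intermediate file; the first call failing while the second succeeds is the missing-intermediate case.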
