Greetings,
So, we're using Radiator to authenticate our wifi access points, and it has been
brought to my attention that iPhones show my commercially purchased GoDaddy
certificate as "Not trusted". I think this is the relevant part of the config
file.
So, GoDaddy provides a certificate (xxxxxxx.pem) and their intermediate / root
bundle: gd_bundle-g2-g1.crt.
I originally had EAPTLS_Certificate pointing to xxxxxxx.pem from GoDaddy, and
EAPTLS_CAFile pointing to gd_bundle-g2-g1.crt.
So, since then, I've tried various permutations -- the most recent of which is
below. server.pem = xxxxxx.pem + the intermediate certificates from
gd_bundle-g2-g1.crt. And EAPTLS_CAFile is pointing to gd-class2-root.crt,
which is the root certificate portion of gd_bundle-g2-g1.crt. Still the same error.
I am trying to avoid having to install the intermediate certificate on every
iPhone out there -- for one thing, in this BYOD world, I don't know that I
should be installing on people's personal devices.
Suggestions or explanations of what I'm doing wrong would be appreciated. Oh,
and I think I'm running Radiator 1.143 -- it's pretty old.
Thanks!
-p
#### Wireless Clients using PEAP #####
# The most popular method, supported by default by Windows. Does not require a
# client-side cert and is thus considered less secure than EAP-TLS
<Handler TunnelledByPEAP=1>
    RejectHasReason
    AuthLog wifi-authlog
    <AuthBy NTLM>
        EAPTLS_CertificateChainFile /etc/pki/tls/certs/server.pem
        EAPTLS_PrivateKeyFile /etc/pki/tls/private/server.key
        EAPTLS_CAFile /etc/pki/tls/certs/gd-class2-root.crt
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        Domain XXXXXXX
        DefaultDomain XXXXXXX
        EAPType MSCHAP-V2,PEAP,TTLS
        EAPTLS_PEAPVersion 0
        EAPTLS_CertificateType PEM
        EAPTLS_MaxFragmentSize 1024
        EAPAnonymous %0
        SSLeayTrace 4
    </AuthBy>
</Handler>

#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then
# this stanza plays a key role
<Handler>
    AuthByPolicy ContinueUntilAccept
    AuthLog wifi-authlog
    RejectHasReason
    <AuthBy FILE>
        Filename %D/users.anonymous
        EAPType PEAP,TTLS
        EAPTLS_PEAPVersion 0
        EAPTLS_CertificateChainFile /etc/pki/tls/certs/server.pem
        EAPTLS_PrivateKeyFile /etc/pki/tls/private/server.key
        EAPTLS_CAFile /etc/pki/tls/certs/gd-class2-root.crt
        EAPTLS_CertificateType PEM
        EAPTLS_MaxFragmentSize 1024
        EAPAnonymous %0
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
</Handler>
--
Pat Hirayama
Systems Engineer / 206.667.4856 / [email protected] / Fred Hutch / Cures Start Here
CIT | Advancing IT and Data Services to Accelerate the Elimination of Disease
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator