Thanks for your suggestion, Heikki. Having EAPTLS_CertificateChainFile
pointing to a file that contains first the server certificate and then the
intermediate certificates (with or without the actual root certificate) results
in the same behavior. The certificate is presented to the iPhone user as "Not
trusted".
And yes, I know "Not trusted" isn't necessarily an error. On the other hand,
if I train users to just ignore this error, then they get used to ignoring
other warning messages ....
And I don't really have a Mac MDM system to push the cert onto everyone's
iPhones -- not that I necessarily want to be touching people's devices.
Any other ideas or suggestions, or am I just going to have to accept that
iPhones will just claim "Not trusted"? I know that if they trust the
certificate ... it'll happen again the next time I renew the certificate as
well.
Thanks,
-p
--
Pat Hirayama
Systems Engineer / 206.667.4856 / [email protected] / Fred Hutch / Cures
Start Here
CIT | Advancing IT and Data Services to Accelerate the Elimination of Disease
> -----Original Message-----
> From: radiator <[email protected]> On Behalf Of Heikki
> Vatiainen
> Sent: Monday, September 9, 2019 12:28 PM
> To: [email protected]
> Subject: Re: [RADIATOR] iPhones and SSL certificates
>
> On 7.9.2019 3.03, Hirayama, Pat wrote:
>
> > So, using Radiator to authenticate our wifi access points, and it has
> > been brought to my attention that iPhones show my commercially purchased
> > GoDaddy certificate is "Not trusted". I think this is the relevant part
> > of the config file.
>
> > Suggestions or explanations of what I'm doing wrong would be
> > appreciated. Oh, and I think I'm running Radiator 1.143 -- it's pretty
> > old.
>
> I think the best you can do is to use EAPTLS_CertificateChainFile and
> point it to a file that has first the server certificate and then the
> intermediate CA certificates you want to send to the client.
>
> Note that "Not trusted" does not necessarily mean it's an error. It's just
> telling you that there's no profile or any other existing trust. This should
> also be a one-time dialog: once the certificate is trusted, it should
> not pop up the dialog as long as the configuration remains the same.
> These things seem to change between client software releases, but I
> think this is how it currently works.
>
> If I remember correctly, certificate chain problems trigger a different
> dialog that more clearly says that there's a problem.
>
> What you could do is to get apple configuration from Apple's app store
> and try creating a profile to see how it changes things. Distributing
> the profile is a different matter, but it might be worth seeing how
> profiles work.
>
> A quick config note: Only EAPType MSCHAP-V2 is needed in the inner
> AuthBy. The other EAPTLS parameters are not needed either in the inner
> AuthBy.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> _______________________________________________
> radiator mailing list
> [email protected]
> https://lists.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
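As an added example (not from the thread, and not Radiator's own code), here is a
shell script that builds a bundle in the order Heikki describes for
EAPTLS_CertificateChainFile, server certificate first and then the intermediate
CA, and checks that order by walking each certificate's issuer to the next
certificate's subject. It uses a constructed throwaway PKI (root, intermediate,
server) with placeholder names such as radius.example.org so it runs offline
with nothing but openssl; the only name taken from the thread is the Radiator
directive. It does not perform an EAP handshake and says nothing about how an
iPhone will react to the result.

```shell
#!/bin/sh
# Added example: build the bundle Radiator's EAPTLS_CertificateChainFile reads
# and check that its order is server certificate -> intermediate CA(s) -> (root).
# Everything here is constructed for demonstration; CA and host names are
# placeholders and no EAP exchange takes place.
set -eu

# make_test_pki DIR: create a throwaway root, intermediate and server certificate
# in DIR, plus a correctly ordered chain.pem and a wrongly ordered wrong.pem.
# The body is a subshell so the cd does not leak into the caller.
make_test_pki() (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.org\n' > server.ext
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=radius.example.org" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in server.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile server.ext -out server.pem 2>/dev/null
    cat server.pem inter.pem > chain.pem   # the file EAPTLS_CertificateChainFile should point at
    cat inter.pem server.pem > wrong.pem   # CA certificate first: the order to avoid
)

# verify_chain DIR: confirm server.pem chains to root.pem via inter.pem.
# This passes whatever order the files are concatenated in, so on its own it
# does not catch a mis-ordered bundle; check_chain_order below does.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null
}

# check_chain_order BUNDLE: split a PEM bundle into its certificates and return 0
# only if the first certificate is an end-entity certificate and every
# certificate's issuer is the subject of the certificate that follows it.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
    rc=0
    first=1
    prev_issuer=""
    for f in "$tmp"/cert-*; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" | sed 's/^subject=//')
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" | sed 's/^issuer=//')
        if [ "$first" = 1 ]; then
            if openssl x509 -noout -text -in "$f" | grep -q 'CA:TRUE'; then
                echo "order error: first certificate is a CA, expected the server certificate" >&2
                rc=1
            fi
            first=0
        elif [ "$prev_issuer" != "$subject" ]; then
            echo "order error: expected issuer '$prev_issuer' next, found '$subject'" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: sh chain_check.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    verify_chain "$d" && echo "server.pem chains to root.pem"
    check_chain_order "$d/chain.pem" && echo "chain.pem: order OK"
    check_chain_order "$d/wrong.pem" || echo "wrong.pem: order rejected"
    rm -rf "$d"
fi
```

Note that `openssl verify -untrusted` accepts the intermediate in any position, so a
bundle that verifies cleanly can still be in the wrong order for the TLS handshake;
the issuer-to-subject walk is what catches that. A trailing root is tolerated by the
check, matching the "with or without the actual root certificate" variants tried above.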