Indeed, the same issue exists with a cert signed by a public CA
(VeriSign in our case). The way I found to fix the issue for now is to
go into the user's Keychain (via the Keychain Access utility), find the
certificate being used for the network in the login keychain. Open it
up and scroll to the bottom. Under the Trust Settings area, you can
change the EAP trust setting to "Always Trust". Once I did that, it
stopped asking me to keep trusting the cert every time I connected.
It seems they've made the default policy on certs to be "ask on every
use" unless it matches some magic criteria. The Help file for the
Keychain Access utility notes that this magic criterion is that EAP certs
have to match the DNS hostname of the server. I'd sure like to know how
they expect to verify that the DNS hostname of the server matches the
certificate when they don't have any network connectivity to do DNS lookups!
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Michael Griego wrote:
I'll test it later today and report back. We're using a VeriSign-signed
cert.
--Mike
King, Michael wrote:
Hmm..
Anyone have a Verisign/Thawte/Somebody Top level CA and a Mac to test this
on?
We're self generated CA's here as well, so this will be a problem for us
as well.
-----Original Message-----
From: Julian Y. Koh [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 14, 2005 5:48 PM
To: [email protected]
Subject: [WIRELESS-LAN] Apple Airport 4.2 software
Apple released version 4.2 of their Airport software today. Most
notably, it adds WPA2 support.
However, after applying the update to my Mac OS X 10.3.9 laptop, I
can no longer get it to trust the test certificates that we generated
for testing out 802.1X and EAP-PEAP. Earlier today with the Airport
4.1.1 software, everything was fine after I imported the test root
certificate and accepted the server cert. I can get connected now
with the 4.2 software, but the computer asks me every time to verify
the server certificate, claiming that the root certificate is
untrusted....
--
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.