(RADIATOR) Radiator + Verisign Certificates + Client Behaviour
Hugh Irvine
hugh at open.com.au
Fri Apr 25 03:09:41 CDT 2008
Hello Charles -
Yes you will need to install the certificates on the clients with PEAP.
regards
Hugh
On 25 Apr 2008, at 01:41, Cottrell, Charles P. wrote:
> Greetings list moderators and subscribers! I am having (perceived)
> issues with a Verisign certificate and wireless clients, and am
> hoping someone can help steer me in the right direction, or affirm
> that I am on the path.
>
> Currently we are bringing up a WPA/WPA2 network using PEAP and
> MSChap-V2. We have purchased a Verisign certificate. So far we’ve
> been successful at connecting (with native clients) on XP, Vista,
> and OSX, and using Juniper’s Odyssey client on XP. The perceived
> ‘catch’, in my opinion, is that on all of these platforms the root
> cert must be specifically selected before connecting (in the XP and
> Vista native clients) or accepted when prompted (OSX native and
> Odyssey on XP). I thought that by using a Verisign cert that the
> cert portion of the connection would be seamless, like connecting
> to a website that uses a Verisign cert as opposed to self-signed or
> some other relatively unknown cert vendor. However, this does not
> appear to be the case. And when specifying which root cert to use,
> I do not have to install the root cert, only select it from a list
> of already installed root certs.
>
> So, my question is this: what is the proper behavior of the
> client? Will it always be necessary to define or accept the cert
> from the client side (even if I have a well known cert), or have I
> improperly configured Radiator (or maybe incorrectly created the
> PEM files)? If it is an improper configuration or creation of the
> PEM files, what can I do?
>
> The final goal is this: to have a WPA/WPA2 network that is
> broadcast and secured with the Verisign Cert. A client can see
> this network in the list of available wireless networks, connect to
> it, and only be prompted for login credentials. I would prefer
> that users not have to set up the network and define all the settings.
>
> Thanks for any help!
>
> Charles P. Cottrell
> Network Administrator
> Medical University of South Carolina
> 843.792.9938
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page