[RADIATOR] iOS5 and untrusted/not verified EAP certificates

Mike Puchol puchol at me.com
Fri Feb 10 04:04:21 CST 2012


Hi Heikki, 

Thank you for your comments - indeed it appears that the only way to avoid the "Not verified" certificate message is to provision the device with a mobileconfig profile.

Best,

Mike 

On Thursday, February 9, 2012 at 3:55 PM, Heikki Vatiainen wrote:

> On 02/09/2012 03:08 PM, Mike Puchol wrote:
> 
> Hello Mike,
> 
> > I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> > using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> > being on the list of trusted CAs by iOS (I even checked the serial
> > number, which is good), I get the following on the iPad's debug console:
> > 
> 
> 
> I get the following certificate dialog when joining a WPA-Enterprise
> network for the first time:
> 
> Certificate
> *cn.from.certificate* (e.g. radius.example.com (http://radius.example.com))
> thawte Primary Root CA
> 
> *red*Not Verified*red* button:Accept
> 
> Description: Client Authentication
> Expires: 27.11.2013 1.59.59
> 
> More details >
> 
> 
> The root CA is from thawte, as seen above, and Radiator sends full
> certificate chain linking the root via the intermediary CAs to
> radius.example.com (http://radius.example.com)'s certificate.
> 
> So the root CA is known by iOS, certificate chain is complete and
> everything is good. However, it still displays the red 'Not Verified'
> and Accept button. Once Accept is chosen, the dialog does not come back
> when rejoining the network.
> 
> The only way to get rid of all dialogs has been to use the configuration
> utility and create a profile.
> 
> Note: there was no 'Add certificate', 'bad certificate' or red button.
> If you see those, maybe the certifiate chain RADIUS server sends is not
> complete. It does display 'Not verified', though, when not configured
> with external profile.
> 
> Heikki

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20120210/cfea36c7/attachment.html 


More information about the radiator mailing list