[RADIATOR] iPhones and SSL certificates

Hirayama, Pat phirayam at fredhutch.org
Sat Sep 7 00:03:57 UTC 2019


Greetings,

So, we're using Radiator to authenticate our wifi access points, and it has been brought to my attention that iPhones show my commercially purchased GoDaddy certificate as "Not trusted".  I think this is the relevant part of the config file.

So, GoDaddy provides a certificate (xxxxxxx.pem) and their intermediate / root bundle:  gd_bundle-g2-g1.crt.
I originally had EAPTLS_Certificate pointing to xxxxxxx.pem from GoDaddy, and EAPTLS_CAFile pointing to gd_bundle-g2-g1.crt.

So, since then, I've tried various permutations -- the most recent of which is below.  server.pem = xxxxxx.pem + the intermediate certificates from gd_bundle-g2-g1.crt.   And EAPTLS_CAFile is pointing to gd-class2-root.crt, which is the root certificate portion of gd_bundle-g2-g1.crt.  Still same error.

I am trying to avoid having to install the intermediate certificate on every iPhone out there -- for one thing, in this BYOD world, I don't know that I should be installing on people's personal devices.

Suggestions or explanations of what I'm doing wrong would be appreciated.  Oh, and I think I'm running Radiator 1.143 -- it's pretty old.

Thanks!

-p


#### Wireless Clients using PEAP #####
# The most popular method, supported by default by Windows.  Does not require a client-side cert and is thus considered less secure
# than EAP-TLS
<Handler TunnelledByPEAP=1>
        RejectHasReason

        AuthLog wifi-authlog

        <AuthBy NTLM>
                EAPTLS_CertificateChainFile  /etc/pki/tls/certs/server.pem
                EAPTLS_PrivateKeyFile   /etc/pki/tls/private/server.key
                EAPTLS_CAFile      /etc/pki/tls/certs/gd-class2-root.crt
                NtlmAuthProg  /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
                Domain XXXXXXX
                DefaultDomain XXXXXXX
                EAPType MSCHAP-V2,PEAP,TTLS
                EAPTLS_PEAPVersion 0
                EAPTLS_CertificateType PEM
                EAPTLS_MaxFragmentSize 1024
                EAPAnonymous %0
                SSLeayTrace 4
        </AuthBy>
</Handler>


#### Outer Handler #####
# When clients check the 'Validate Server Certificate' (or equivalent), then this stanza plays a key role
<Handler>
        AuthByPolicy    ContinueUntilAccept

        AuthLog wifi-authlog
        RejectHasReason
        <AuthBy FILE>
                Filename %D/users.anonymous
                EAPType PEAP,TTLS
                EAPTLS_PEAPVersion 0
                EAPTLS_CertificateChainFile  /etc/pki/tls/certs/server.pem
                EAPTLS_PrivateKeyFile   /etc/pki/tls/private/server.key
                EAPTLS_CAFile      /etc/pki/tls/certs/gd-class2-root.crt
                EAPTLS_CertificateType PEM
                EAPTLS_MaxFragmentSize 1024
                EAPAnonymous %0
                AutoMPPEKeys
                SSLeayTrace 4
        </AuthBy>
</Handler>

--
Pat Hirayama
Systems Engineer / 206.667.4856 / phirayam at fredhutch.org / Fred Hutch / Cures Start Here
CIT | Advancing IT and Data Services to Accelerate the Elimination of Disease
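As an added example (not part of Pat's message or of Radiator's own tooling): a POSIX shell check, using the openssl command line, that confirms a chain file is laid out the way OpenSSL loads an EAPTLS_CertificateChainFile (server certificate first, then each intermediate in issuing order) and that the server certificate actually verifies against the root given as EAPTLS_CAFile. The paths in the usage comment are the ones from the config above; a chain that omits an intermediate, or that lists the intermediate before the server certificate, is reported as a failure.

```shell
# Sanity-check a PEM chain file laid out the way Radiator expects for
# EAPTLS_CertificateChainFile (server certificate first, then each intermediate
# in issuing order) and confirm it verifies against the root in EAPTLS_CAFile.
# Usage: check_chain /etc/pki/tls/certs/server.pem /etc/pki/tls/certs/gd-class2-root.crt
check_chain() {
    chain=$1 cafile=$2
    work=$(mktemp -d) || return 1
    # Split the bundle into cert-1.pem, cert-2.pem, ... preserving file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$chain"
    set -- "$work"/cert-*.pem
    if [ ! -f "$1" ]; then
        echo "FAIL: no certificates found in $chain"; rm -rf "$work"; return 1
    fi
    count=$#
    # The first certificate must be the end-entity (server) certificate, not a CA.
    if openssl x509 -in "$work/cert-1.pem" -noout -text |
            sed -n '/Basic Constraints/{n;p;}' | grep -q 'CA:TRUE'; then
        echo "FAIL: first certificate in $chain is a CA certificate"
        rm -rf "$work"; return 1
    fi
    # Every certificate must be issued by the one that follows it; collect the
    # followers as the untrusted intermediates for the final path validation.
    : > "$work/intermediates.pem"
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$work/cert-$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$work/cert-$j.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: certificate $i in $chain is not issued by certificate $j"
            rm -rf "$work"; return 1
        fi
        cat "$work/cert-$j.pem" >> "$work/intermediates.pem"
        i=$j
    done
    # Validate the leaf through the intermediates to a root trusted in the CA file.
    set -- -CAfile "$cafile"
    [ "$count" -gt 1 ] && set -- "$@" -untrusted "$work/intermediates.pem"
    if openssl verify "$@" "$work/cert-1.pem" 2>&1 | grep -q ': OK$'; then
        echo "OK: $chain ($count certificate(s)) verifies against $cafile"; rc=0
    else
        echo "FAIL: $chain does not verify against $cafile (intermediate missing or wrong root?)"; rc=1
    fi
    rm -rf "$work"
    return $rc
}
```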
